oss-sec mailing list archives
Java Deserialization continued, Analysis Tooling and (potentially) bypassing Application Level Filtering
From: Moritz Bechler <mbechler () eenterphace org>
Date: Mon, 29 Feb 2016 20:30:52 +0100
Hi,

sharing some results from my research on deserialization (vulnerabilities, or rather gadgets):

- a static bytecode analyzer that traces invocations reachable from deserialization, which helps (high FP rate, obviously) with finding gadget chains even when more complex interactions are involved: <https://github.com/mbechler/serianalyzer>
- through it discovered a few more RCE gadgets, most notably ones in Hibernate
- and MyFaces (actually that's RCE via EL injection via deserialization); that one is only usable in a JSF context, but MyFaces also performs unsafe deserialization when org.apache.myfaces.USE_ENCRYPTION=false (yes, also with server side state saving, and while being totally unnecessary they are unwilling to fix this: <https://issues.apache.org/jira/browse/MYFACES-4021>).
- and a method for bypassing application level filtering. Basically you can open up JRMP (RMI) listeners and connections via various gadgets (in the standard library) which then again use a standard ObjectInputStream and can be used to exploit otherwise filtered gadgets. Jenkins just fixed this specific vector (CVE-2016-0788), but this potentially affects anybody that is using application level filters (i.e. filtering ObjectInputStreams) and either is using blacklisting or a too broad whitelist.

These are all now available in my ysoserial branch <https://github.com/mbechler/ysoserial>

regards
Moritz
Attachment:
signature.asc
Description: OpenPGP digital signature