Java-Deserialization-Cheat-Sheet

A cheat sheet for pentesters about Java Native Binary Deserialization vulnerabilities

Please, use #javadeser hash tag for tweets.

Table of content

• Overview
• Main talks & presentations & docs
• Payload generators
• Exploits
• Detect
• Vulnerable apps (without public sploits/need more info)
• Protection
• For Android
• Other serialization types

Overview

• Java Deserialization Security FAQ
• From Foxgloves Security

Main talks & presentations & docs

Marshalling Pickles

by @frohoff & @gebl

• Video
• Slides
• Other stuff

Exploiting Deserialization Vulnerabilities in Java

by @matthias_kaiser

• Video

Serial Killer: Silently Pwning Your Java Endpoints

by @pwntester & @cschneider4711

• Slides
• White Paper
• Bypass Gadget Collection

Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

by @frohoff & @gebl

• Slides

Surviving the Java serialization apocalypse

by @cschneider4711 & @pwntester

• Slides
• Video
• PoC for Scala, Grovy

Java Deserialization Vulnerabilities - The Forgotten Bug Class

by @matthias_kaiser

• Slides

Pwning Your Java Messaging With Deserialization Vulnerabilities

by @matthias_kaiser

• Slides
• White Paper
• Tool for jms hacking

Defending against Java Deserialization Vulnerabilities

by @lucacarettoni

• Slides

A Journey From JNDI/LDAP Manipulation To Remote Code Execution Dream Land

by @pwntester and O. Mirosh

• Slides
• White Paper

Fixing the Java Serialization mess

by @e_rnst

• Slides+Source

Payload generators

ysoserial

https://github.com/frohoff/ysoserial

RCE (or smth else) via:

• Apache Commons Collections <= 3.1
• Apache Commons Collections <= 4.0
• Groovy <= 2.3.9
• Spring Core <= 4.1.4 (?)
• JDK <=7u21
• Apache Commons BeanUtils 1.9.2 + Commons Collections <=3.1 + Commons Logging 1.2 (?)
• BeanShell 2.0
• Groovy 2.3.9
• Jython 2.5.2
• C3P0 0.9.5.2
• Apache Commons Fileupload <= 1.3.1 (File uploading, DoS)
• ROME 1.0
• MyFaces
• JRMPClient/JRMPListener
• JSON
• Hibernate

Additional tools (integration ysoserial with Burp Suite):

• JavaSerialKiller
• Java Deserialization Scanner
• Burp-ysoserial

Full shell (pipes, redirects and other stuff):

• $@|sh – Or: Getting a shell environment from Runtime.exec
• Set String[] for Runtime.exec (patch ysoserial's payloads)

How it works:

• https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/
• http://gursevkalra.blogspot.ro/2016/01/ysoserial-commonscollections1-exploit.html

JRE8u20_RCE_Gadget

https://github.com/pwntester/JRE8u20_RCE_Gadget

Pure JRE 8 RCE Deserialization gadget

ACEDcup

https://github.com/GrrrDog/ACEDcup

File uploading via:

• Apache Commons FileUpload <= 1.3 (CVE-2013-2186) and Oracle JDK < 7u40

Universal billion-laughs DoS

https://gist.github.com/coekie/a27cc406fc9f3dc7a70d

Won't fix DoS via default Java classes

Universal Heap overflows DoS using Arrays and HashMaps

https://github.com/topolik/ois-dos/

How it works:

• Java Deserialization DoS - payloads

Won't fix DoS using default Java classes

Exploits

no spec tool - You don't need a special tool (just Burp/ZAP + payload)

RMI

• Protocol
• Default - 1099/tcp for rmiregistry

ysoserial (works only against a RMI registry service)

JMX

• Protocol based on RMI
• • CVE-2016-3427
• partially patched in JRE

ysoserial

JNDI/LDAP

• When we control an adrress for lookup of JNDI (context.lookup(address))
• Full info
• JNDI remote code injection

https://github.com/zerothoughts/jndipoc

JMS

• Full info

JMET

JSF ViewState

• if no encryption or good mac

T3 of Oracle Weblogic

• Protocol
• Default - 7001/tcp on localhost interface
• CVE-2015-4852

loubia (tested on 11g and 12c, supports t3s)

JavaUnserializeExploits (doesn't work for all Weblogic versions)

IBM Websphere 1

• wsadmin
• Default port - 8880/tcp
• CVE-2015-7450

JavaUnserializeExploits

serialator

IBM Websphere 2

• When using custom form authentication
• WASPostParam cookie
• Full info

no spec tool

Red Hat JBoss

• http://jboss_server/invoker/JMXInvokerServlet
• Default port - 8080/tcp
• CVE-2015-7501

JavaUnserializeExploits

https://github.com/njfox/Java-Deserialization-Exploit

serialator

Jenkins

• Jenkins CLI
• Default port - High number/tcp
• CVE-2015-8103
• CVE-2015-3253

JavaUnserializeExploits

Jenkins 2

• patch "bypass" for Jenkins
• CVE-2016-0788
• Details of exploit

ysoserial

Restlet

• <= 2.1.2
• When Rest API accepts serialized objects (uses ObjectRepresentation)

no spec tool

RESTEasy

• *When Rest API accepts serialized objects (uses @Consumes({"*/*"}) or "application/*" )
• Details and examples

no spec tool

OpenNMS

• RMI

ysoserial

Progress OpenEdge RDBMS

• all versions
• RMI

ysoserial

Commvault Edge Server

• CVE-2015-7253
• Serialized object in cookie

no spec tool

Symantec Endpoint Protection Manager

• /servlet/ConsoleServlet?ActionType=SendStatPing
• CVE-2015-6555

serialator

Oracle MySQL Enterprise Monitor

• https://[target]:18443/v3/dataflow/0/0
• CVE-2016-3461

no spec tool

serialator

PowerFolder Business Enterprise Suite

• custom(?) protocol (1337/tcp)
• MSA-2016-01

powerfolder-exploit-poc

Solarwinds Virtualization Manager

• <= 6.3.1
• RMI
• CVE-2016-3642

ysoserial

Cisco Prime Infrastructure

• https://[target]/xmp_data_handler_service/xmpDataOperationRequestServlet
• <= 2.2.3 Update 4
• <= 3.0.2
• CVE-2016-1291

CoalfireLabs/java_deserialization_exploits

Cisco ACS

• <= 5.8.0.32.2
• RMI (2020 tcp)
• CSCux34781

ysoserial

Apache XML-RPC

• all version, no fix (the project is not supported)
• POST XML request with ex:serializable element
• Details and examples

no spec tool

Apache Archiva

• because it uses Apache XML-RPC
• CVE-2016-5004
• Details and examples

no spec tool

Sun Java Web Console

• admin panel for Solaris
• < v3.1.
• old DoS sploit

no spec tool

Apache ActiveMQ - Client lib

• JMS

JMET

Redhat/Apache HornetQ - Client lib

• JMS

JMET

Oracle OpenMQ - Client lib

• JMS

JMET

IBM WebSphereMQ - Client lib

• JMS

JMET

Oracle Weblogic - Client lib

• JMS

JMET

Pivotal RabbitMQ - Client lib

• JMS

JMET

IBM MessageSight - Client lib

• JMS

JMET

IIT Software SwiftMQ - Client lib

• JMS

JMET

Apache ActiveMQ Artemis - Client lib

• JMS

JMET

Apache QPID JMS - Client lib

• JMS

JMET

Apache QPID - Client lib

• JMS

JMET

Amazon SQS Java Messaging - Client lib

• JMS

JMET

Detect

Code review

• ObjectInputStream.readObject
• ObjectInputStream.readUnshared
• Tool: Find Security Bugs
• Tool: Serianalyzer

Traffic

• Magic bytes 'ac ed 00 05' bytes
• 'rO0' for Base64
• 'application/x-java-serialized-object' for Content-Type header

Network

• Nmap >=7.10 has more java-related probes
• use nmap --all-version to find JMX/RMI on non-standart ports

Burp plugins

• Java Deserialization Scanner
• SuperSerial
• SuperSerial-Active

Vulnerable apps (without public sploits/need more info)

Spring Service Invokers (HTTP, JMS, RMI...)

SAP P4

• info from slides

Apache SOLR

• SOLR-8262
• 5.1 <= version <=5.4
• /stream handler uses Java serialization for RPC

Apache Shiro

• SHIRO-550
• encrypted cookie (with the hardcoded key)

Apache ActiveMQ (2)

• CVE-2015-5254
• <= 5.12.1
• Explanation of the vuln
• CVE-2015-7253

Atlassian Bamboo (1)

• CVE-2015-6576
• 2.2 <= version < 5.8.5
• 5.9.0 <= version < 5.9.7

Atlassian Bamboo (2)

• CVE-2015-8360
• 2.3.1 <= version < 5.9.9
• Bamboo JMS port (port 54663 by default)

Spring AMPQ

• CVE-2016-2173
• 1.0.0 <= version < 1.5.5

Apache Tika

• CVE-2016-6809
• 1.6 <= version < 1.14
• Apache Tika’s MATLAB Parser

Apache HBase

• HBASE-14799

Apache Camel

• CVE-2015-5348

Gradle (gui)

• custom(?) protocol(60024/tcp)
• article

Oracle Hyperion

• from slides

Oracle Application Testing Suite

• CVE-2015-7501

Red Hat JBoss BPM Suite

• RHSA-2016-0539
• CVE-2016-2510

VMWare vRealize Operations

• 6.0 <= version < 6.4.0
• REST API
• VMSA-2016-0020
• CVE-2016-7462

VMWare vCenter/vRealize (various)

• CVE-2015-6934
• VMSA-2016-0005
• JMX

Cisco (various)

• List of vulnerable products
• CVE-2015-6420

Lexmark Markvision Enterprise

• CVE-2016-1487

McAfee ePolicy Orchestrator

• CVE-2015-8765

HP Operations Orchestration

• CVE-2016-1997

HP Asset Manager

• CVE-2016-2000

HP Service Manager

• CVE-2016-1998

HP Operations Manager

• CVE-2016-1985

HP Release Control

• CVE-2016-1999

HP Continuous Delivery Automation

• CVE-2016-1986

HP P9000, XP7 Command View Advanced Edition (CVAE) Suite

• CVE-2016-2003

Adobe Experience Manager

• CVE-2016-0958

Unify OpenScape (various)

• CVE-2015-8237
• RMI (30xx/tcp)
• CVE-2015-8238
• js-soc protocol (4711/tcp)

Apache TomEE

• CVE-2015-8581
• CVE-2016-0779

IBM Congnos BI

• CVE-2012-4858

Novell NetIQ Sentinel

• ?

ForgeRock OpenAM

• 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
• 201505-01

F5 (various)

• sol30518307

Hitachi (various)

• HS16-010
• 0328_acc

Apache OFBiz

• CVE-2016-2170

NetApp (various)

• CVE-2015-8545

Apache Tomcat

• requires local access
• CVE-2016-0714
• Article

Apache Tomcat JMX

• JMX
• Patch bypass
• CVE-2016-8735

Apache Batchee

Apache JCS

Apache OpenJPA

Apache OpenWebBeans

Protection

• Look-ahead Java deserialization
• NotSoSerial
• SerialKiller
• ValidatingObjectInputStream
• Some protection bypasses
• Tool: Serial Whitelist Application Trainer

For Android

• One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android
• Android Serialization Vulnerabilities Revisited

Other serialization types

XMLEncoder

• http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html

XStream

• http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/
• http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
• https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream

Kryo

• https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo