Finding Java gadget chains with CodeQL. More information in our article
Clone the repo
$ git clone https://github.com/synacktiv/QLinspector.gitSearch for gadgets:
$ codeql database analyze log4j --format=sarif-latest --output=log4j.sarif ./QLinspector/The main CodeQL query that can be used to find gadget chains.
here is an example with the Aspectj gadget chain:
Running the above query can sometimes return a lot of false positives. To filter them the GadgetSanitizer class has been added. You can add conditions to filter out DataFlow::Node:
/**
* placeholder for adding sanitizing steps
*/
class GadgetSanitizer extends DataFlow::Node {
GadgetSanitizer() {
this.getEnclosingCallable().hasName("")
}
}Old query that was initially developped. This query do not use the taint model of CodeQL thus it could return different results.
A query that can be used to find new gadget chains based on the org.apache.naming.factory.BeanFactory. The BeanFactory class, allows to create an instance of arbitrary class with default constructor and call any public method with one String parameter.
More information in this blogpost: https://www.veracode.com/blog/research/exploiting-jndi-injections-java
A query that can be used to find alternatives to the getOutputProperties method used in the CommonsBeanutils chain.
More information here:
- https://www.praetorian.com/blog/relution-remote-code-execution-java-deserialization-vulnerability/
- https://mogwailabs.de/en/blog/2023/04/look-mama-no-templatesimpl/
A query that can be used to find alternatives to the org.apache.naming.factory.BeanFactory. This could be usefull during JNDI exploitation.
More information in this blogpost: https://www.veracode.com/blog/research/exploiting-jndi-injections-java
- https://www.synacktiv.com/publications/finding-gadgets-like-its-2015-part-1.html
- https://www.synacktiv.com/publications/finding-gadgets-like-its-2015-part-2.html
- https://www.synacktiv.com/publications/finding-gadgets-like-its-2022.html
- https://www.synacktiv.com/publications/java-deserialization-tricks
- https://www.praetorian.com/blog/relution-remote-code-execution-java-deserialization-vulnerability/
- https://www.veracode.com/blog/research/exploiting-jndi-injections-java
- https://mogwailabs.de/en/blog/2023/04/look-mama-no-templatesimpl/
- https://testbnull.medium.com/return-of-the-rhino-analysis-of-mozillarhino-gadgetchain-also-the-writeup-of-hitb-linkextractor-a2074b4ae624
- https://www.buaq.net/go-53869.html
- https://b1ue.cn/archives/529.html