Nytro, posted September 6, 2017

# Java-Deserialization-Cheat-Sheet

A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.

Please use the #javadeser hashtag for tweets.

## Table of contents

- Java Native Serialization (binary)
  - Overview
  - Main talks, presentations and docs
  - Payload generators
  - Exploits
  - Detect
  - Vulnerable apps (without public exploits / need more info)
  - Protection
  - For Android
- XMLEncoder (XML)
- XStream (XML/JSON/various)
- Kryo (binary)
- Hessian/Burlap (binary/XML)
- Castor (XML)
- json-io (JSON)
- Jackson (JSON)
- Red5 IO AMF (AMF)
- Apache Flex BlazeDS (AMF)
- Flamingo AMF (AMF)
- GraniteDS (AMF)
- WebORB for Java (AMF)
- SnakeYAML (YAML)
- jYAML (YAML)
- YamlBeans (YAML)
- "Safe" deserialization

## Java Native Serialization (binary)

### Overview

- Java Deserialization Security FAQ
- From Foxgloves Security

### Main talks, presentations and docs

- **Marshalling Pickles** by @frohoff & @gebl: Video, Slides, Other stuff
- **Exploiting Deserialization Vulnerabilities in Java** by @matthias_kaiser: Video
- **Serial Killer: Silently Pwning Your Java Endpoints** by @pwntester & @cschneider4711: Slides, White Paper, Bypass Gadget Collection
- **Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization** by @frohoff & @gebl: Slides
- **Surviving the Java serialization apocalypse** by @cschneider4711 & @pwntester: Slides, Video, PoC for Scala and Groovy
- **Java Deserialization Vulnerabilities - The Forgotten Bug Class** by @matthias_kaiser: Slides
- **Pwning Your Java Messaging With Deserialization Vulnerabilities** by @matthias_kaiser: Slides, White Paper, Tool for JMS hacking
- **Defending against Java Deserialization Vulnerabilities** by @lucacarettoni: Slides
- **A Journey From JNDI/LDAP Manipulation To Remote Code Execution Dream Land** by @pwntester and O. Mirosh: Slides, White Paper
- **Fixing the Java Serialization mess** by @e_rnst: Slides + Source
- **Blind Java Deserialization** by deadcode.me: Part I - Commons Gadgets, Part II - exploitation rev 2

### Payload generators

#### ysoserial

https://github.com/frohoff/ysoserial

RCE (or something else) via:

- Apache Commons Collections <= 3.1
- Apache Commons Collections <= 4.0
- Groovy <= 2.3.9
- Spring Core <= 4.1.4 (?)
- JDK <= 7u21
- Apache Commons BeanUtils 1.9.2 + Commons Collections <= 3.1 + Commons Logging 1.2 (?)
- BeanShell 2.0
- Groovy 2.3.9
- Jython 2.5.2
- C3P0 0.9.5.2
- Apache Commons Fileupload <= 1.3.1 (file uploading, DoS)
- ROME 1.0
- MyFaces
- JRMPClient/JRMPListener
- JSON
- Hibernate

Additional tools (integration of ysoserial with Burp Suite):

- JavaSerialKiller
- Java Deserialization Scanner
- Burp-ysoserial

Full shell (pipes, redirects and other stuff):

- `$@|sh` – Or: Getting a shell environment from Runtime.exec
- Set String[] for Runtime.exec (patch ysoserial's payloads)
- Shell Commands Converter

How it works:

- https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/
- http://gursevkalra.blogspot.ro/2016/01/ysoserial-commonscollections1-exploit.html

#### JRE8u20_RCE_Gadget

https://github.com/pwntester/JRE8u20_RCE_Gadget

Pure JRE 8 RCE deserialization gadget.

#### ACEDcup

https://github.com/GrrrDog/ACEDcup

File uploading via:

- Apache Commons FileUpload <= 1.3 (CVE-2013-2186) and Oracle JDK < 7u40

#### Universal billion-laughs DoS

https://gist.github.com/coekie/a27cc406fc9f3dc7a70d

Won't-fix DoS via default Java classes (JRE).

#### Universal heap-overflow DoS using Arrays and HashMaps

https://github.com/topolik/ois-dos/

How it works:

- Java Deserialization DoS - payloads

Won't-fix DoS using default Java classes (JRE).

### Exploits

"no spec tool" means you don't need a special tool (just Burp/ZAP + payload).

#### RMI

- Protocol
- Default - 1099/tcp for rmiregistry
- Tools: ysoserial (works only against an RMI registry service)

#### JMX

- Protocol based on RMI
- CVE-2016-3427
- Partially patched in the JRE
- Tools: ysoserial, JexBoss

#### JNDI/LDAP

- When we control the address passed to a JNDI lookup (`context.lookup(address)`) and can receive a back-connection from the server
- Full info
- Tools: JNDI remote code injection, https://github.com/zerothoughts/jndipoc

#### JMS

- Full info
- Tools: JMET

#### JSF ViewState

- If there is no encryption or no good MAC
- Tools: no spec tool, JexBoss

#### T3 of Oracle Weblogic

- Protocol
- Default - 7001/tcp on the localhost interface
- CVE-2015-4852
- Tools: loubia (tested on 11g and 12c, supports t3s), JavaUnserializeExploits (doesn't work for all Weblogic versions)

#### IBM Websphere 1

- wsadmin
- Default port - 8880/tcp
- CVE-2015-7450
- Tools: JavaUnserializeExploits, serialator

#### IBM Websphere 2

- When using custom form authentication
- WASPostParam cookie
- Full info
- Tools: no spec tool

#### Red Hat JBoss

- http://jboss_server/invoker/JMXInvokerServlet
- Default port - 8080/tcp
- CVE-2015-7501
- Tools: JavaUnserializeExploits, https://github.com/njfox/Java-Deserialization-Exploit, serialator, JexBoss

#### Jenkins

- Jenkins CLI
- Default port - high-numbered/tcp
- CVE-2015-8103
- CVE-2015-3253
- Tools: JavaUnserializeExploits, JexBoss

#### Jenkins 2

- Patch "bypass" for Jenkins
- CVE-2016-0788
- Details of exploit
- Tools: ysoserial

#### Jenkins 3

- Jenkins CLI LDAP
- Default port - high-numbered/tcp
- <= 2.32
- <= 2.19.3 (LTS)
- CVE-2016-9299
- Tools: Metasploit module for CVE-2016-9299

#### Restlet

- <= 2.1.2
- When the REST API accepts serialized objects (uses ObjectRepresentation)
- Tools: no spec tool

#### RESTEasy

- When the REST API accepts serialized objects (uses `@Consumes({"*/*"})` or `"application/*"`)
- Details and examples
- Tools: no spec tool

#### OpenNMS

- RMI
- Tools: ysoserial

#### Progress OpenEdge RDBMS

- All versions
- RMI
- Tools: ysoserial

#### Commvault Edge Server

- CVE-2015-7253
- Serialized object in cookie
- Tools: no spec tool

#### Symantec Endpoint Protection Manager

- /servlet/ConsoleServlet?ActionType=SendStatPing
- CVE-2015-6555
- Tools: serialator

#### Oracle MySQL Enterprise Monitor

- https://[target]:18443/v3/dataflow/0/0
- CVE-2016-3461
- Tools: no spec tool, serialator

#### PowerFolder Business Enterprise Suite

- Custom(?) protocol (1337/tcp)
- MSA-2016-01
- Tools: powerfolder-exploit-poc

#### Solarwinds Virtualization Manager

- <= 6.3.1
- RMI
- CVE-2016-3642
- Tools: ysoserial

#### Cisco Prime Infrastructure

- https://[target]/xmp_data_handler_service/xmpDataOperationRequestServlet
- <= 2.2.3 Update 4
- <= 3.0.2
- CVE-2016-1291
- Tools: CoalfireLabs/java_deserialization_exploits

#### Cisco ACS

- <= 5.8.0.32.2
- RMI (2020/tcp)
- CSCux34781
- Tools: ysoserial

#### Apache XML-RPC

- All versions, no fix (the project is not supported)
- POST XML request with an `ex:serializable` element
- Details and examples
- Tools: no spec tool

#### Apache Archiva

- Because it uses Apache XML-RPC
- CVE-2016-5004
- Details and examples
- Tools: no spec tool

#### SAP NetWeaver

- https://[target]/developmentserver/metadatauploader
- CVE-2017-9844
- Tools: PoC

#### Sun Java Web Console

- Admin panel for Solaris
- < v3.1
- Old DoS exploit
- Tools: no spec tool

#### Apache MyFaces Trinidad

- 1.0.0 <= version < 1.0.13
- 1.2.1 <= version < 1.2.14
- 2.0.0 <= version < 2.0.1
- 2.1.0 <= version < 2.1.1
- It does not check the MAC
- CVE-2016-5004
- Tools: no spec tool

#### Apache Tomcat JMX

- JMX
- Patch bypass
- CVE-2016-8735
- Tools: JexBoss

#### OpenText Documentum D2

- Version 4.x
- CVE-2017-5586
- Tools: exploit

#### JMS client libraries

The following client libraries are exploitable over JMS with JMET:

- Apache ActiveMQ
- Redhat/Apache HornetQ
- Oracle OpenMQ
- IBM WebSphereMQ
- Oracle Weblogic
- Pivotal RabbitMQ
- IBM MessageSight
- IIT Software SwiftMQ
- Apache ActiveMQ Artemis
- Apache QPID JMS
- Apache QPID
- Amazon SQS Java Messaging

### Detect

#### Code review

- ObjectInputStream.readObject
- ObjectInputStream.readUnshared
- Tool: Find Security Bugs
- Tool: Serianalyzer

#### Traffic

- Magic bytes `ac ed 00 05` (raw stream)
- `rO0` prefix for Base64-encoded streams
- `application/x-java-serialized-object` in the Content-Type header

#### Network

- Nmap >= 7.10 has more Java-related probes
- Use `nmap --all-version` to find JMX/RMI on non-standard ports

#### Burp plugins

- Java Deserialization Scanner
- SuperSerial
- SuperSerial-Active

### Vulnerable apps (without public exploits / need more info)

- Spring Service Invokers (HTTP, JMS, RMI...)
- SAP P4: info from slides
- Apache SOLR: SOLR-8262; 5.1 <= version <= 5.4; /stream handler uses Java serialization for RPC
- Apache Shiro: SHIRO-550; encrypted cookie (with the hardcoded key)
- Apache ActiveMQ (2): CVE-2015-5254; <= 5.12.1; explanation of the vuln; CVE-2015-7253
- Atlassian Bamboo (1): CVE-2015-6576; 2.2 <= version < 5.8.5; 5.9.0 <= version < 5.9.7
- Atlassian Bamboo (2): CVE-2015-8360; 2.3.1 <= version < 5.9.9; Bamboo JMS port (54663 by default)
- Atlassian Jira: only Jira with a Data Center license; RMI (port 40001 by default); JRA-46203
- Akka: version < 2.4.17; "an ActorSystem exposed via Akka Remote over TCP"; official description
- Spring AMQP: CVE-2016-2173; 1.0.0 <= version < 1.5.5
- Apache Tika: CVE-2016-6809; 1.6 <= version < 1.14; Apache Tika's MATLAB parser
- Apache HBase: HBASE-14799
- Apache Camel: CVE-2015-5348
- Gradle (gui): custom(?) protocol (60024/tcp); article
- Oracle Hyperion: from slides
- Oracle Application Testing Suite: CVE-2015-7501
- Red Hat JBoss BPM Suite: RHSA-2016-0539; CVE-2016-2510
- VMWare vRealize Operations: 6.0 <= version < 6.4.0; REST API; VMSA-2016-0020; CVE-2016-7462
- VMWare vCenter/vRealize (various): CVE-2015-6934; VMSA-2016-0005; JMX
- Cisco (various): list of vulnerable products; CVE-2015-6420
- Lexmark Markvision Enterprise: CVE-2016-1487
- McAfee ePolicy Orchestrator: CVE-2015-8765
- HP iMC: CVE-2016-4372
- HP Operations Orchestration: CVE-2016-1997
- HP Asset Manager: CVE-2016-2000
- HP Service Manager: CVE-2016-1998
- HP Operations Manager: CVE-2016-1985
- HP Release Control: CVE-2016-1999
- HP Continuous Delivery Automation: CVE-2016-1986
- HP P9000, XP7 Command View Advanced Edition (CVAE) Suite: CVE-2016-2003
- HP Network Automation: CVE-2016-4385
- Adobe Experience Manager: CVE-2016-0958
- Unify OpenScape (various): CVE-2015-8237, RMI (30xx/tcp); CVE-2015-8238, js-soc protocol (4711/tcp)
- Apache TomEE: CVE-2015-8581; CVE-2016-0779
- IBM Cognos BI: CVE-2012-4858
- Novell NetIQ Sentinel: ?
- ForgeRock OpenAM: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0; 201505-01
- F5 (various): sol30518307
- Hitachi (various): HS16-010; 0328_acc
- Apache OFBiz: CVE-2016-2170
- NetApp (various): CVE-2015-8545
- Apache Tomcat: requires local access; CVE-2016-0714; article
- Zimbra Collaboration: version < 8.7.0; CVE-2016-3415
- Apache Batchee
- Apache JCS
- Apache OpenJPA
- Apache OpenWebBeans

### Protection

- Look-ahead Java deserialization
- NotSoSerial
- SerialKiller
- ValidatingObjectInputStream
- Name Space Layout Randomization
- Some protection bypasses
- Tool: Serial Whitelist Application Trainer
- JEP 290: Filter Incoming Serialization Data, in JDK 6u141, 7u131, 8u121

### For Android

- One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android
- Android Serialization Vulnerabilities Revisited

## XMLEncoder (XML)

How it works:

- http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
- Java Unmarshaller Security

Payload generators:

- https://github.com/mbechler/marshalsec

## XStream (XML/JSON/various)

How it works:

- http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/
- http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
- https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
- Java Unmarshaller Security

Payload generators:

- https://github.com/mbechler/marshalsec

Vulnerable apps (without public exploits / need more info):

- Atlassian Bamboo: CVE-2016-5229
- Jenkins: CVE-2017-2608

## Kryo (binary)

How it works:

- https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo
- Java Unmarshaller Security

Payload generators:

- https://github.com/mbechler/marshalsec

## Hessian/Burlap (binary/XML)

How it works:

- Java Unmarshaller Security

Payload generators:

- https://github.com/mbechler/marshalsec

## Castor (XML)

How it works:

- Java Unmarshaller Security

Payload generators:

- https://github.com/mbechler/marshalsec

Vulnerable apps (without public exploits / need more info):

- OpenNMS: NMS-9100

## json-io (JSON)

How it works:

- Java Unmarshaller Security

Payload generators:

- https://github.com/mbechler/marshalsec

## Jackson (JSON)

Vulnerable in some configurations.

How it works:

- Java Unmarshaller Security

Payload generators:

- https://github.com/mbechler/marshalsec

Vulnerable apps (without public exploits / need more info):

- Apache Camel: CVE-2016-8749

## Red5 IO AMF (AMF)

How it works:

- Java Unmarshaller Security

Payload generators:

- https://github.com/mbechler/marshalsec

Vulnerable apps (without public exploits / need more info):

- Apache OpenMeetings: CVE-2017-5878

## Apache Flex BlazeDS (AMF)

How it works:

- AMF – Another Malicious Format
- Java Unmarshaller Security

Payload generators:

- https://github.com/mbechler/marshalsec

Vulnerable apps (without public exploits / need more info):

- Adobe ColdFusion: CVE-2017-3066; <= 2016 Update 3; <= 11 Update 11; <= 10 Update 22
- Apache BlazeDS: CVE-2017-5641
- VMWare vCenter: CVE-2017-5641

## Flamingo AMF (AMF)

How it works:

- AMF – Another Malicious Format

## GraniteDS (AMF)

How it works:

- AMF – Another Malicious Format

## WebORB for Java (AMF)

How it works:

- AMF – Another Malicious Format

## SnakeYAML (YAML)

How it works:

- Java Unmarshaller Security

Payload generators:

- https://github.com/mbechler/marshalsec

Vulnerable apps (without public exploits / need more info):

- Resteasy: CVE-2016-9606
- Apache Camel: CVE-2017-3159
- Apache Brooklyn: CVE-2016-8744

## jYAML (YAML)

How it works:

- Java Unmarshaller Security

Payload generators:

- https://github.com/mbechler/marshalsec

## YamlBeans (YAML)

How it works:

- Java Unmarshaller Security

Payload generators:

- https://github.com/mbechler/marshalsec

## "Safe" deserialization

Some serialization libraries are safe (or almost safe): https://github.com/mbechler/marshalsec

This is not a recommendation, just a list of other libraries that someone has researched:

- JAXB
- XmlBeans
- Jibx
- Protobuf
- GSON
- GWT-RPC

Source: https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
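As an added example that is not part of the cheat sheet or of any project it lists, the following Java class ties the Detect section's traffic indicators (magic bytes `ac ed 00 05`, Base64 prefix `rO0`) to the Protection section's look-ahead deserialization and JEP 290 filtering. It assumes JDK 9 or later (for `java.io.ObjectInputFilter` and `Set.of`); the class names, the `Greeting` sample type and the `maxdepth`/`maxarray` limits are constructed for this illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Set;

/** Spots Java serialization streams by their header and deserializes them only through an allowlist. */
public class SafeDeser {
    // Stream header from the Detect section: magic 0xAC 0xED followed by stream version 0x00 0x05.
    private static final byte[] MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};

    /** True if a body starts with the raw header or with its Base64 form "rO0AB" (the 'rO0' prefix). */
    public static boolean looksSerialized(byte[] body) {
        if (body.length >= 4 && Arrays.equals(Arrays.copyOf(body, 4), MAGIC)) return true;
        return body.length >= 5 && "rO0AB".equals(new String(body, 0, 5, StandardCharsets.US_ASCII));
    }

    /** Look-ahead ObjectInputStream: refuses any class not on the allowlist before an instance is created. */
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        LookAheadObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
            // JEP 290 filter: additionally caps graph depth and array length against the DoS payloads above.
            setObjectInputFilter(ObjectInputFilter.Config.createFilter("maxdepth=5;maxarray=1000"));
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName()))
                throw new InvalidClassException(desc.getName(), "not on the deserialization allowlist");
            return super.resolveClass(desc);
        }
    }

    // Harmless constructed sample type, used only for this demonstration.
    static final class Greeting implements Serializable { final String text; Greeting(String t) { text = t; } }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(new Greeting("hello")); }
        byte[] raw = bos.toByteArray();
        System.out.println("raw flagged: " + looksSerialized(raw) + ", base64 flagged: " + looksSerialized(Base64.getEncoder().encode(raw)));
        // Expected type on the allowlist: the object is read back.
        try (ObjectInputStream in = new LookAheadObjectInputStream(new ByteArrayInputStream(raw), Set.of(Greeting.class.getName()))) {
            System.out.println("read: " + ((Greeting) in.readObject()).text);
        }
        // Same bytes, empty allowlist: rejected in resolveClass before the class is even loaded.
        try (ObjectInputStream in = new LookAheadObjectInputStream(new ByteArrayInputStream(raw), Set.of())) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On the 6u141/7u131/8u121 backports named in the Protection section the filter API lives in `sun.misc.ObjectInputFilter`, and it is attached with `ObjectInputFilter.Config.setObjectInputFilter(ois, filter)` instead of the instance method.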