Awesome
Java-Deserialization-Cheat-Sheet
A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.
Please, use #javadeser hash tag for tweets.
Table of content
- Java Native Serialization (binary)
- XMLEncoder (XML)
- XStream (XML/JSON/various)
- Kryo (binary)
- Hessian/Burlap (binary/XML)
- Castor (XML)
- json-io (JSON)
- Jackson (JSON)
- Fastjson (JSON)
- Genson (JSON)
- Flexjson (JSON)
- Jodd (JSON)
- Red5 IO AMF (AMF)
- Apache Flex BlazeDS (AMF)
- Flamingo AMF (AMF)
- GraniteDS (AMF)
- WebORB for Java (AMF)
- SnakeYAML (YAML)
- jYAML (YAML)
- YamlBeans (YAML)
- "Safe" deserialization
Java Native Serialization (binary)
Overview
Main talks & presentations & docs
Marshalling Pickles
Exploiting Deserialization Vulnerabilities in Java
Serial Killer: Silently Pwning Your Java Endpoints
by @pwntester & @cschneider4711
Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization
Surviving the Java serialization apocalypse
by @cschneider4711 & @pwntester
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Pwning Your Java Messaging With Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
A Journey From JNDI/LDAP Manipulation To Remote Code Execution Dream Land
by @pwntester and O. Mirosh
Fixing the Java Serialization mess
by @e_rnst
Blind Java Deserialization
by deadcode.me
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (JVM)
by @joaomatosf
Automated Discovery of Deserialization Gadget Chains
by @ianhaken
An Far Sides Of Java Remote Protocols
by @_tint0
Payload generators
ysoserial
https://github.com/frohoff/ysoserial
ysoserial 0.6 payloads:
| payload | author | dependencies | impact (if not RCE) |
|---|---|---|---|
| AspectJWeaver | @Jang | aspectjweaver:1.9.2, commons-collections:3.2.2 | |
| BeanShell1 | @pwntester, @cschneider4711 | bsh:2.0b5 | |
| C3P0 | @mbechler | c3p0:0.9.5.2, mchange-commons-java:0.2.11 | |
| Click1 | @artsploit | click-nodeps:2.3.0, javax.servlet-api:3.1.0 | |
| Clojure | @JackOfMostTrades | clojure:1.8.0 | |
| CommonsBeanutils1 | @frohoff | commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 | |
| CommonsCollections1 | @frohoff | commons-collections:3.1 | |
| CommonsCollections2 | @frohoff | commons-collections4:4.0 | |
| CommonsCollections3 | @frohoff | commons-collections:3.1 | |
| CommonsCollections4 | @frohoff | commons-collections4:4.0 | |
| CommonsCollections5 | @matthias_kaiser, @jasinner | commons-collections:3.1 | |
| CommonsCollections6 | @matthias_kaiser | commons-collections:3.1 | |
| CommonsCollections7 | @scristalli, @hanyrax, @EdoardoVignati | commons-collections:3.1 | |
| FileUpload1 | @mbechler | commons-fileupload:1.3.1, commons-io:2.4 | file uploading |
| Groovy1 | @frohoff | groovy:2.3.9 | |
| Hibernate1 | @mbechler | ||
| Hibernate2 | @mbechler | ||
| JBossInterceptors1 | @matthias_kaiser | javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 | |
| JRMPClient | @mbechler | ||
| JRMPListener | @mbechler | ||
| JSON1 | @mbechler | json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 | |
| JavassistWeld1 | @matthias_kaiser | javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 | |
| Jdk7u21 | @frohoff | ||
| Jython1 | @pwntester, @cschneider4711 | jython-standalone:2.5.2 | |
| MozillaRhino1 | @matthias_kaiser | js:1.7R2 | |
| MozillaRhino2 | @_tint0 | js:1.7R2 | |
| Myfaces1 | @mbechler | ||
| Myfaces2 | @mbechler | ||
| ROME | @mbechler | rome:1.0 | |
| Spring1 | @frohoff | spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE | |
| Spring2 | @mbechler | spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 | |
| URLDNS | @gebl | jre only vuln detect | |
| Vaadin1 | @kai_ullrich | vaadin-server:7.7.14, vaadin-shared:7.7.14 | |
| Wicket1 | @jacob-baines | wicket-util:6.23.0, slf4j-api:1.6.4 |
Plugins for Burp Suite (detection, ysoserial integration ):
Full shell (pipes, redirects and other stuff):
- $@|sh – Or: Getting a shell environment from Runtime.exec
- Set String[] for Runtime.exec (patch ysoserial's payloads)
- Shell Commands Converter
How it works:
- https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/
- http://gursevkalra.blogspot.ro/2016/01/ysoserial-commonscollections1-exploit.html
ysoserial fork with additional payloads
https://github.com/wh1t3p1g/ysoserial
- CommonsCollection8,9,10
- RMIRegistryExploit2,3
- RMIRefListener,RMIRefListener2
- PayloadHTTPServer
- Spring3
JRE8u20_RCE_Gadget
https://github.com/pwntester/JRE8u20_RCE_Gadget
Pure JRE 8 RCE Deserialization gadget
ACEDcup
https://github.com/GrrrDog/ACEDcup
File uploading via:
- Apache Commons FileUpload <= 1.3 (CVE-2013-2186) and Oracle JDK < 7u40
Universal billion-laughs DoS
https://gist.github.com/coekie/a27cc406fc9f3dc7a70d
Won't fix DoS via default Java classes (JRE)
Universal Heap overflows DoS using Arrays and HashMaps
https://github.com/topolik/ois-dos/
How it works:
Won't fix DoS using default Java classes (JRE)
DoS against Serialization Filtering (JEP-290)
Tool to search gadgets in source
Additional tools to test RMI:
Remote class detection:
Library for creating Java serialization data
Exploits
no spec tool - You don't need a special tool (just Burp/ZAP + payload)
RMI
- Protocol
- Default - 1099/tcp for rmiregistry
- partially patched in JRE with JEP290 (JDK 8u121, JDK 7u131, JDK 6u141)
- Attacking Java RMI services after JEP 290
- An Trinhs RMI Registry Bypass
- RMIScout
JMX
- JMX on RMI
- partially patched in JRE with JEP290 (JDK 8u121, JDK 7u131, JDK 6u141)
- Attacking RMI based JMX services (after JEP 290)
JMXMP
- Special JMX protocol
- The Curse of Old Java Libraries
JNDI/LDAP
- When we control an address for lookup of JNDI (context.lookup(address) and can have backconnect from a server
- Full info
- JNDI remote code injection
- Exploiting JNDI Injections in Java
https://github.com/zerothoughts/jndipoc
https://github.com/welk1n/JNDI-Injection-Exploit
JMS
JSF ViewState
- if no encryption or good mac
no spec tool
vjdbc
- JDBC via HTTP library
- all version are vulnerable
- Details
no spec tool
T3 of Oracle Weblogic
- Protocol
- Default - 7001/tcp on localhost interface
- CVE-2015-4852
- Blacklist bypass - CVE-2017-3248
- Blacklist bypass - CVE-2017-3248 PoC
- Blacklist bypass - CVE-2018-2628
- Blacklist bypass - cve-2018-2893
- Blacklist bypass - CVE-2018-3245
- Blacklist bypass - CVE-2018-3191
- CVE-2019-2725
- CVE-2020-2555
- CVE-2020-2883
- CVE-2020-2963
- CVE-2020-14625
- CVE-2020-14644
- CVE-2020-14645
- CVE-2020-14756
- CVE-2020-14825
- CVE-2020-14841
- CVE-2021-2394
- SSRF JDBC
- CVE-2023-21931
loubia (tested on 11g and 12c, supports t3s)
JavaUnserializeExploits (doesn't work for all Weblogic versions)
IIOP of Oracle Weblogic
-
Protocol
-
Default - 7001/tcp on localhost interface
Oracle Weblogic (1)
- auth required
- How it works
- CVE-2018-3252
Oracle Weblogic (2)
- auth required
- CVE-2021-2109
Oracle Access Manager (1)
Oracle ADF Faces
- CVE-2022–21445
- /appcontext/afr/test/remote/payload/
no spec tool
IBM Websphere (1)
- wsadmin
- Default port - 8880/tcp
- CVE-2015-7450
CoalfireLabs/java_deserialization_exploits
IBM Websphere (2)
- When using custom form authentication
- WASPostParam cookie
- Full info
no spec tool
IBM Websphere (3)
- IBM WAS DMGR
- special port
- CVE-2019-4279
- ibm10883628
- Exploit
Metasploit
IIOP of IBM Websphere
- Protocol
- 2809, 9100, 9402, 9403
- CVE-2020-4450
- CVE-2020-4449
- Abusing Java Remote Protocols in IBM WebSphere
- Vuln Details
Red Hat JBoss (1)
- http://jboss_server/invoker/JMXInvokerServlet
- Default port - 8080/tcp
- CVE-2015-7501
https://github.com/njfox/Java-Deserialization-Exploit
Red Hat JBoss 6.X
- http://jboss_server/invoker/readonly
- Default port - 8080/tcp
- CVE-2017-12149
- JBoss 6.X and EAP 5.X
- Details
no spec tool
Red Hat JBoss 4.x
- http://jboss_server/jbossmq-httpil/HTTPServerILServlet/
- <= 4.x
- CVE-2017-7504
no spec tool
Jenkins (1)
- Jenkins CLI
- Default port - High number/tcp
- CVE-2015-8103
- CVE-2015-3253
Jenkins (2)
- patch "bypass" for Jenkins
- CVE-2016-0788
- Details of exploit
Jenkins (s)
- Jenkins CLI LDAP
- *Default port - High number/tcp
- <= 2.32
- <= 2.19.3 (LTS)
- CVE-2016-9299
CloudBees Jenkins
- <= 2.32.1
- CVE-2017-1000353
- Details
JetBrains TeamCity
- RMI
Restlet
- <= 2.1.2
- When Rest API accepts serialized objects (uses ObjectRepresentation)
no spec tool
RESTEasy
- *When Rest API accepts serialized objects (uses @Consumes({"*/*"}) or "application/*" )
- Details and examples
no spec tool
OpenNMS (1)
- RMI
OpenNMS (2)
Progress OpenEdge RDBMS
- all versions
- RMI
Commvault Edge Server
- CVE-2015-7253
- Serialized object in cookie
no spec tool
Symantec Endpoint Protection Manager
- /servlet/ConsoleServlet?ActionType=SendStatPing
- CVE-2015-6555
Oracle MySQL Enterprise Monitor
- https://[target]:18443/v3/dataflow/0/0
- CVE-2016-3461
no spec tool
PowerFolder Business Enterprise Suite
- custom(?) protocol (1337/tcp)
- MSA-2016-01
Solarwinds Virtualization Manager
- <= 6.3.1
- RMI
- CVE-2016-3642
Cisco Prime Infrastructure
- https://[target]/xmp_data_handler_service/xmpDataOperationRequestServlet
- <= 2.2.3 Update 4
- <= 3.0.2
- CVE-2016-1291
CoalfireLabs/java_deserialization_exploits
Cisco ACS
- <= 5.8.0.32.2
- RMI (2020 tcp)
- CSCux34781
Cisco Unity Express
- RMI (port 1099 tcp)
- version < 9.0.6
- CVE-2018-15381
Cisco Unified CVP
- RMI (2098 and 2099)
- Details
NASDAQ BWISE
- RMI (port 81 tcp)
- Details
- CVE-2018-11247
NICE ENGAGE PLATFORM
- JMX (port 6338 tcp)
- Details
- CVE-2019-7727
Apache Cassandra
- JMX (port 7199 tcp)
- Details
- [CVE-2018-8016](https://www.vulners.com/search?query= CVE-2018-8016)
Cloudera Zookeeper
- JMX (port 9010 tcp)
- Details
Apache Olingo
- version < 4.7.0
- CVE-2019-17556
- Details and examples
no spec tool
Apache Dubbo
no spec tool
Apache XML-RPC
- all version, no fix (the project is not supported)
- POST XML request with ex:serializable element
- Details and examples
no spec tool
Apache Archiva
- because it uses Apache XML-RPC
- CVE-2016-5004
- Details and examples
no spec tool
SAP NetWeaver
- https://[target]/developmentserver/metadatauploader
- CVE-2017-9844
SAP Hybris
- /virtualjdbc/
- CVE-2019-0344
no spec tool
Sun Java Web Console
- admin panel for Solaris
- < v3.1.
- old DoS sploit
no spec tool
Apache MyFaces Trinidad
- 1.0.0 <= version < 1.0.13
- 1.2.1 <= version < 1.2.14
- 2.0.0 <= version < 2.0.1
- 2.1.0 <= version < 2.1.1
- it does not check MAC
- CVE-2016-5019
no spec tool
JBoss Richfaces
- Variation of exploitation CVE-2018-12532
- When EL Injection meets Java Deserialization
Apache Tomcat JMX
OpenText Documentum D2
- version 4.x
- CVE-2017-5586
Liferay
- /api/spring
- /api/liferay
- <= 7.0-ga3
- if IP check works incorrectly
- Details
no spec tool
ScrumWorks Pro
- /UFC
- <= 6.7.0
- Details
ManageEngine Applications Manager
- version
- RMI
- CVE-2016-9498
ManageEngine OpManager
- version < 12.5.329
- Details with exploit CVE-2020-28653/CVE-2021-3287
ManageEngine Desktop Central
- version < 10.0.474
- CVE-2020-10189
Apache Shiro
- SHIRO-550
- encrypted cookie (with the hardcoded key)
- Exploitation (in Chinese)
HP IMC (Intelligent Management Center)
- WebDMDebugServlet
- <= 7.3 E0504P2
- CVE-2017-12557
HP IMC (Intelligent Management Center)
- RMI
- <= 7.3 E0504P2
- CVE-2017-5792
Apache Brooklyn
- Non default config
- JMXMP
Elassandra
- Non default config
- JMXMP
Micro Focus
- CVE-2020-11853
- Vulnerability analyzis Affected products:
- Operations Bridge Manager versions: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, versions 10.6x and 10.1x and older versions
- Application Performance Management versions: 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3 \
- Data Center Automation version 2019.11
- Operations Bridge (containerized) versions: 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11
- Universal CMDB versions: 2020.05, 2019.11, 2019.05, 2019.02, 2018.11, 2018.08, 2018.05, 11, 10.33, 10.32, 10.31, 10.30
- Hybrid Cloud Management version 2020.05
- Service Management Automation versions 2020.5 and 2020.02
IBM Qradar (1)
IBM Qradar (2)
- /console/remoteJavaScript
- CVE-2020-4888
IBM InfoSphere JReport
- RMI
- port 58611
- <=8.5.0.0 (all)
- Exploitation details
Apache Kafka
- connect-api
- Vulnerbility analyzis
Zoho ManageEngine ADSelfService Plus
Apache ActiveMQ - Client lib
Redhat/Apache HornetQ - Client lib
Oracle OpenMQ - Client lib
IBM WebSphereMQ - Client lib
Oracle Weblogic - Client lib
Pivotal RabbitMQ - Client lib
IBM MessageSight - Client lib
IIT Software SwiftMQ - Client lib
Apache ActiveMQ Artemis - Client lib
Apache QPID JMS - Client lib
Apache QPID - Client lib
Amazon SQS Java Messaging - Client lib
Axis/Axis2 SOAPMonitor
- All version (this was deemed by design by project maintainer)
- Binary
- Default port : 5001
- Info : https://axis.apache.org/axis2/java/core/docs/soapmonitor-module.html
java -jar ysoserial-*-all.jar CommonsCollections1 'COMMAND_HERE' | nc TARGET_SERVER 5001
Apache Synapse
- <= 3.0.1
- RMI
- Exploit
Apache Jmeter
- <= 3.0.1
- RMI
- When using Distributed Test only
- Exploit
Jolokia
- <= 1.4.0
- JNDI injection
- /jolokia/
- Exploit
RichFaces
Apache James
- < 3.0.1
- Analysis of CVE-2017-12628
Oracle DB
Zimbra Collaboration
- < 8.7.0
- CVE-2016-3415
- <= 8.8.11
- A Saga of Code Executions on Zimbra
Adobe ColdFusion (1)
- <= 2016 Update 4
- <= 11 update 12
- CVE-2017-11283
- CVE-2017-11284
Adobe ColdFusion (2)
- RMI
- <= 2016 Update 5
- <= 11 update 13
- Another ColdFusion RCE – CVE-2018-4939
- CVE-2018-4939
Adobe ColdFusion (3) / JNBridge
- custom protocol in JNBridge
- port 6093 or 6095
- <= 2016 Update ?
- <= 2018 Update ?
- APSB19-17
- CVE-2019-7839: ColdFusion Code Execution Through JNBridge
Apache SOLR (1)
- SOLR-8262
- 5.1 <= version <=5.4
- /stream handler uses Java serialization for RPC
Apache SOLR (2)
- SOLR-13301
- CVE-2019-0192
- version: 5.0.0 to 5.5.5
- version: 6.0.0 to 6.6.5
- Attack via jmx.serviceUrl
- Exploit
Adobe Experience Manager AEM
- 5.5 - 6.1 (?)
- /lib/dam/cloud/proxy.json parameter
file - ExternalJobPostServlet
MySQL Connector/J
- version < 5.1.41
- when "autoDeserialize" is set on
- CVE-2017-3523
Pitney Bowes Spectrum
SmartBear ReadyAPI
- RMI
- SYSS-2019-039
NEC ESMPRO Manager
Apache OFBiz
NetMotion Mobility
- < 11.73
- < 12.02
- NetMotion Mobility Server Multiple Deserialization of Untrusted Data Lead to RCE
- CVE-2021-26914
ysoserial Metasploit Exploit: exploit/windows/http/netmotion_mobility_mvcutil_deserialization
Bonita
- Bonita serverAPI
- /bonita/serverAPI/
Neo4j
- <= 3.4.18 (with the shell server enabled)
- RMI
- Exploit for CVE-2021-34371
Bitbucket Data Center
- port 5701 (Hazelcast)
- similar to CVE-2016-10750
- Exploit for CVE-2022-26133
Jira Data Center / Jira Service Management Data Center
- RMI of Ehcache
- CVE-2020-36239
Nomulus
- patched
- Details of exloitation
Detect
Code review
- ObjectInputStream.readObject
- ObjectInputStream.readUnshared
- Tool: Find Security Bugs
- Tool: Serianalyzer
Traffic
- Magic bytes 'ac ed 00 05' bytes
- 'rO0' for Base64
- 'application/x-java-serialized-object' for Content-Type header
Network
- Nmap >=7.10 has more java-related probes
- use nmap --all-version to find JMX/RMI on non-standart ports
Burp plugins
Vulnerable apps (without public sploits/need more info)
Spring Service Invokers (HTTP, JMS, RMI...)
SAP P4
Apache ActiveMQ (2)
Atlassian Bamboo (1)
- CVE-2015-6576
- 2.2 <= version < 5.8.5
- 5.9.0 <= version < 5.9.7
Atlassian Bamboo (2)
- CVE-2015-8360
- 2.3.1 <= version < 5.9.9
- Bamboo JMS port (port 54663 by default)
Atlassian Jira
- only Jira with a Data Center license
- RMI (port 40001 by default)
- JRA-46203
Akka
- version < 2.4.17
- "an ActorSystem exposed via Akka Remote over TCP"
- Official description
Spring AMPQ
- CVE-2016-2173
- 1.0.0 <= version < 1.5.5
Apache Tika
- CVE-2016-6809
- 1.6 <= version < 1.14
- Apache Tika’s MATLAB Parser
Apache HBase
Apache Camel
Apache Dubbo
Apache Spark
Apache Spark
Apache Log4j (1)
- as server
- CVE-2017-5645
Apache Log4j (2)
- <= 1.2.17
- CVE-2019-17571
Apache Geode
Apache Ignite
Infinispan
Hazelcast
Gradle (gui)
- custom(?) protocol(60024/tcp)
- article
Oracle Hyperion
Oracle Application Testing Suite
Red Hat JBoss BPM Suite
Red Hat Wildfly
VMWare vRealize Operations
- 6.0 <= version < 6.4.0
- REST API
- VMSA-2016-0020
- CVE-2016-7462
VMWare vCenter/vRealize (various)
Cisco (various)
Cisco Security Manager
Lexmark Markvision Enterprise
McAfee ePolicy Orchestrator
HP IMC PLAT
- version 7.3 E0506P09 and earlier
- several CVE-2019-x
HP iMC
HP Operations Orchestration
HP Asset Manager
HP Service Manager
HP Operations Manager
HP Release Control
HP Continuous Delivery Automation
HP P9000, XP7 Command View Advanced Edition (CVAE) Suite
HP Network Automation
Adobe Experience Manager
Unify OpenScape (various)
- CVE-2015-8237 (CVE ID changed?)
- RMI (30xx/tcp)
- CVE-2015-8238 (CVE ID changed?)
- js-soc protocol (4711/tcp)
- Details
Apache OFBiz (1)
Apache OFBiz (2)
Apache Tomcat (1)
- requires local access
- CVE-2016-0714
- Article
Apache Tomcat (2)
- many requirements
- Apache Tomcat Remote Code Execution via session persistence
- CVE-2020-9484
Apache TomEE
IBM Congnos BI
IBM Maximo Asset Management
Novell NetIQ Sentinel
ForgeRock OpenAM
- 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
- 201505-01
F5 (various)
Hitachi (various)
NetApp (various)
- CVE-2015-8545 (CVE ID changed?)
Citrix XenMobile Server
- port 45000
- when Clustering is enabled
- Won't Fix (?)
- 10.7 and 10.8
- Citrix advisory
- CVE-2018-10654
IBM WebSphere (1)
- SOAP connector
- <= 9.0.0.9
- <= 8.5.5.14
- <= 8.0.0.15
- <= 7.0.0.45
- CVE-2018-1567
IBM WebSphere (2)
IBM WebSphere (3)
- TCP port 11006
- CVE-2020-4448
- Vuln details
IBM WebSphere (4)
- SOAP connector
- CVE-2020-4464
- Vuln details
IBM WebSphere (5)
IBM WebSphere (6)
IBM WebSphere (7)
Code42 CrashPlan
- TCP port 4282
- RMI (?)
- 5.4.x
- CVE-2017-9830
- Details
Apache OpenJPA
Dell EMC VNX Monitoring and Reporting
Taoensso Nippy
- <2.14.2
- CVE-2020-24164
CAS
- v4.1.x
- v4.2.x
- CAS Vulnerability Disclosure from Apereo
SolarWinds Network Performance Monitor
Apache Batchee
Apache JCS
Apache OpenWebBeans
Protection
- Look-ahead Java deserialization
- NotSoSerial
- SerialKiller
- ValidatingObjectInputStream
- Name Space Layout Randomization
- Some protection bypasses
- Tool: Serial Whitelist Application Trainer
- JEP 290: Filter Incoming Serialization Data in JDK 6u141, 7u131, 8u121
- AtomicSerial
For Android
Main talks & presentations & examples
- One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android
- Android Serialization Vulnerabilities Revisited
- A brief history of Android deserialization vulnerabilities
- Exploiting Android trough an Intent with Reflection
Tools
XMLEncoder (XML)
How it works:
- https://web.archive.org/web/20191007233559/http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
- Java Unmarshaller Security
Detect
Code review
- java.beans.XMLDecoder
- readObject
Burp plugins
Exploits
Oracle Weblogic
- <= 10.3.6.0.0
- <= 12.1.3.0.0
- <= 12.2.1.2.0
- <= 12.2.1.1.0
- http://weblogic_server/wls-wsat/CoordinatorPortType
- CVE-2017-3506
- CVE-2017-10271
- Details
- CVE-2019-2729 Details
Oracle RDBMS
- priv escalation
- Oracle Privilege Escalation via Deserialization
XStream (XML/JSON/various)
How it works:
- http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/
- http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
- https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
- Java Unmarshaller Security
Payload generators
- https://github.com/mbechler/marshalsec
- https://github.com/chudyPB/XStream-Gadgets
- CVE-2020-26217
- CVE-2020-26258 - SSRF
- CVE-2021-29505
- CVE-2021-39144
Exploits
Apache Struts (S2-052)
- <= 2.3.34
- <= 2.5.13
- REST plugin
- CVE-2017-9805
Detect
Code review
- com.thoughtworks.xstream.XStream
- xs.fromXML(data)
Burp plugins
Vulnerable apps (without public sploits/need more info):
Atlassian Bamboo
Jenkins
Kryo (binary)
How it works:
- https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo
- Java Unmarshaller Security
Payload generators
Detect
Code review
- com.esotericsoftware.kryo.io.Input
- SomeClass object = (SomeClass)kryo.readClassAndObject(input);
- SomeClass someObject = kryo.readObjectOrNull(input, SomeClass.class);
- SomeClass someObject = kryo.readObject(input, SomeClass.class);
Burp plugins
Hessian/Burlap (binary/XML)
How it works:
- Java Unmarshaller Security
- Castor and Hessian java deserialization vulnerabilities
- Recurrence and Analysis of Hessian Deserialization RCE Vulnerability
Payload generators
Detect
Code review
- com.caucho.hessian.io
- AbstractHessianInput
- com.caucho.burlap.io.BurlapInput;
- com.caucho.burlap.io.BurlapOutput;
- BurlapInput in = new BurlapInput(is);
- Person2 p1 = (Person2) in.readObject();
Burp plugins
Vulnerable apps (without public sploits/need more info):
Apache Camel
MobileIron MDM
Apache Dubbo
Castor (XML)
How it works:
Payload generators
Detect
Code review
- org.codehaus.castor
- org.exolab.castor.xml.Unmarshaller
- org.springframework.oxm.Unmarshaller
- Unmarshaller.unmarshal(Person.class, reader)
- unmarshaller = context.createUnmarshaller();
- unmarshaller.unmarshal(new StringReader(data));
Burp plugins
Vulnerable apps (without public sploits/need more info):
OpenNMS
Apache Camel
json-io (JSON)
How it works:
Exploitation examples:
- Experiments with JSON-IO, Serialization, Mass Assignment, and General Java Object Wizardry
- JSON Deserialization Memory Corruption Vulnerabilities on Android
Payload generators
Detect
Code review
- com.cedarsoftware.util.io.JsonReader
- JsonReader.jsonToJava
Burp plugins
Jackson (JSON)
vulnerable in specific configuration
How it works:
- Java Unmarshaller Security
- On Jackson CVEs: Don’t Panic — Here is what you need to know
- Jackson Deserialization Vulnerabilities
- The End of the Blacklist
Payload generators / gadget chains
- https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
- https://github.com/mbechler/marshalsec
- blacklist bypass - CVE-2017-17485
- blacklist bypass - CVE-2017-15095
- CVE-2019-14540
- Jackson gadgets - Anatomy of a vulnerability
- JNDI Injection using Getter Based Deserialization Gadgets
- blacklist bypass - CVE-2020-8840
- blacklist bypass - CVE-2020-10673
Detect
Code review
- com.fasterxml.jackson.databind.ObjectMapper
- ObjectMapper mapper = new ObjectMapper();
- objectMapper.enableDefaultTyping();
- @JsonTypeInfo(use=JsonTypeInfo.Id.CLASS, include=JsonTypeInfo.As.PROPERTY, property="@class")
- public Object message;
- mapper.readValue(data, Object.class);
Burp plugins
Exploits
FasterXML
Liferay
Vulnerable apps (without public sploits/need more info):
Apache Camel
Fastjson (JSON)
How it works:
- https://www.secfree.com/article-590.html
- Official advisory
- Fastjson process analysis and RCE analysis
- Fastjson Deserialization Vulnerability History
- Hao Xing Zekai Wu - How I use a JSON Deserialization 0day to Steal Your Money On The Blockchain.pdf
Detect
Code review
- com.alibaba.fastjson.JSON
- JSON.parseObject
Burp plugins
Payload generators
- fastjson 1.2.24 <=
- fastjson 1.2.47 <=
- fastjson 1.2.66 <=
- blacklisted gadgets
- Fastjson: exceptional deserialization vulnerabilities
- Hao Xing Zekai Wu - How I use a JSON Deserialization 0day to Steal Your Money On The Blockchain.pdf
Genson (JSON)
How it works:
Detect
Code review
- com.owlike.genson.Genson
- useRuntimeType
- genson.deserialize
Burp plugins
Flexjson (JSON)
How it works:
Payload generators / gadget chains
Detect
Code review
- import flexjson.JSONDeserializer
- JSONDeserializer jsonDeserializer = new JSONDeserializer()
- jsonDeserializer.deserialize(jsonString);
Exploits
Liferay
Jodd (JSON)
vulnerable in a non-default configuration when setClassMetadataName() is set
Payload generators / gadget chains
Detect
Code review
- com.fasterxml.jackson.databind.ObjectMapper
- JsonParser jsonParser = new JsonParser()
- jsonParser.setClassMetadataName("class").parse(jsonString, ClassName.class);
Red5 IO AMF (AMF)
How it works:
Payload generators
Detect
Code review
- org.red5.io
- Deserializer.deserialize(i, Object.class);
Burp plugins
Vulnerable apps (without public sploits/need more info):
Apache OpenMeetings
Apache Flex BlazeDS (AMF)
How it works:
Payload generators
Detect
Code review
Burp plugins
Vulnerable apps:
Oracle Business Intelligence
- BIRemotingServlet
- no auth
- CVE-2020-2950
- Details on the Oracle WebLogic Vulnerability Being Exploited in the Wild
- CVE-2020–2950 — Turning AMF Deserialize bug to Java Deserialize bug
Adobe ColdFusion
-
<= 2016 Update 3
-
<= 11 update 11
-
<= 10 Update 22
Draytek VigorACS
-
/ACSServer/messagebroker/amf
-
at least 2.2.1
-
based on CVE-2017-5641
Apache BlazeDS
VMWare VCenter
- based on CVE-2017-5641
HP Systems Insight Manager
- /simsearch/messagebroker/amfsecure
- 7.6.x
- CVE-2020-7200
- Metasploit Exploit
TIBCO Data Virtualization
- < 8.3
- /monitor/messagebroker/amf
- Details
Flamingo AMF (AMF)
How it works:
Detect
Burp plugins
GraniteDS (AMF)
How it works:
Detect
Burp plugins
WebORB for Java (AMF)
How it works:
Detect
Burp plugins
SnakeYAML (YAML)
How it works:
Payload generators
Detect
Code review
- org.yaml.snakeyaml.Yaml
- yaml.load
Burp plugins
Vulnerable apps (without public sploits/need more info):
Resteasy
Apache Camel
Apache Brooklyn
Apache ShardingSphere
jYAML (YAML)
How it works:
Payload generators
Detect
- org.ho.yaml.Yaml
- Yaml.loadType(data, Object.class);
Burp plugins
YamlBeans (YAML)
How it works:
Payload generators
Detect
- com.esotericsoftware.yamlbeans
- YamlReader r = new YamlReader(data, yc);
Burp plugins
"Safe" deserialization
Some serialization libs are safe (or almost safe) https://github.com/mbechler/marshalsec
However, it's not a recommendation, but just a list of other libs that has been researched by someone:
- JAXB
- XmlBeans
- Jibx
- Protobuf
- GSON
- GWT-RPC