Java-Deserialization-Cheat-Sheet

The cheat sheet about Java Deserialization vulnerabilities

3 years after

Java-Deserialization-Cheat-Sheet

A cheat sheet for pentesters about Java Native Binary Deserialization vulnerabilities

Please, use #javadeser hash tag for tweets.

Table of content

Overview

Main talks & presentations & docs

Marshalling Pickles

by @frohoff & @gebl

Exploiting Deserialization Vulnerabilities in Java

by @matthias_kaiser

Serial Killer: Silently Pwning Your Java Endpoints

by @pwntester & @cschneider4711

Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

by @frohoff & @gebl

Deserialization for other languages

by @pwntester

Payload generators

yososerial

https://github.com/frohoff/ysoserial

Lastest release of ysoserial

RCE via:

  • Apache Commons Collections <= 3.1
  • Apache Commons Collections <= 4.0
  • Groovy <= 2.3.9
  • Spring Core <= 4.1.4 (?)
  • JDK <=7u21
  • Apache Commons BeanUtils 1.9.2 + Commons Collections <=3.1 + Commons Logging 1.2 (?)

Additional tools:

How it works:

ACEDcup

https://github.com/GrrrDog/ACEDcup

File uploading via:

  • Apache Commons FileUpload <= 1.3 (CVE-2013-2186) and Oracle JDK < 7u40
JNDI RCE

https://github.com/zerothoughts/jndipoc

How it works:

RCE via JNDI:

  • When we control an adrress for lookup of JNDI (context.lookup(address))
Universal billion-laughs DoS

https://gist.github.com/coekie/a27cc406fc9f3dc7a70d

Won't fix DoS via default Java classes

Universal Heap overflows DoS using Arrays and HashMaps

https://github.com/topolik/ois-dos/

How it works:

Won't fix DoS via default Java classes

Exploits

no spec tool - You don't need a special tool (just Burp/ZAP + payload)

RMI
  • Protocol
  • Default - 1099/tcp for rmiregistry

yososerial (works only against a RMI registry service)

JMX
  • Protocol based on RMI

yososerial

T3 of Oracle Weblogic
  • Protocol
  • Default - 7001/tcp on localhost interface
  • CVE-2015-4852

JavaUnserializeExploits (doesn't work for all Weblogic versions)

Websphere

JavaUnserializeExploits

serialator

JBoss

JavaUnserializeExploits

https://github.com/njfox/Java-Deserialization-Exploit

serialator

Jenkins

JavaUnserializeExploits

Restlet
  • <= 2.1.2
  • When Rest API accepts serialized objects (uses ObjectRepresentation)

no spec tool

OpenNMS
  • RMI

yososerial

Progress OpenEdge RDBMS
  • RMI

yososerial

Commvault Edge Server

no spec tool

Symantec Endpoint Protection Manager

serialator

Detect

Code review
Traffic
  • Magic bytes 'ac ed 00 05' bytes
  • 'rO0' for Base64
Burp plugins

Vulnerable apps (without public sploits/need more info)

JSF ViewState
JMS (Java Messaging System)
Spring Service Invokerts (HTTP, JMS, RMI...)
Apache SOLR
  • SOLR-8262
  • 5.1 <= version <=5.4
  • /stream handler uses Java serialization for RPC
Apache Shiro
  • SHIRO-550
  • encrypted cookie (with the hardcoded key)
ActiveMQ
Atlassian Bamboo 1
Atlassian Bamboo 2
  • CVE-2015-8360
  • 2.3.1 <= version < 5.9.9
  • Bamboo JMS port (port 54663 by default)
Jenkins 2
Apache HBase
Apache Camel
Red Hat JBoss BPM Suite
VMWare vCenter/vRealize (various)
Cisco (various)
Lexmark Markvision Enterprise
McAfee ePolicy Orchestrator
HP Operations Orchestration
HP Asset Manager
HP Service Manager
HP Operations Manager
HP Release Control
HP Continuous Delivery Automation
Adobe Experience Manager
Unify OpenScape (various)
Apache TomEE
IBM Congnos BI
ForgeRock OpenAM
  • 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
  • 201505-01
F5 (various)
Hitachi (various)
Apache OFBiz
NetApp (various)
Apache Tomcat
Apache Batchee
Apache JCS
Apache OpenJPA
Apache OpenWebBeans

Protection

For Android

Other serialization types

XMLEncoder
XStream
Kryo

Related Repositories

awesome-pentest-cheat-sheets

awesome-pentest-cheat-sheets

Collection of the cheat sheets useful for pentesting ...

awesome-swift

awesome-swift

A collaborative list of awesome swift resources. Feel free to contribute! ...

awesome-swift

awesome-swift

A collaborative list of awesome swift resources. Feel free to contribute! ...

awesome-swift

awesome-swift

A collaborative list of awesome swift resources. Feel free to contribute! ...

awesome-swift

awesome-swift

A collaborative list of awesome swift resources. Feel free to contribute! ...


Top Contributors

GrrrDog frohoff