GitHub - W3lk1n/Java-Deserialization-Cheat-Sheet: The cheat sheet about Java Deserialization vulnerabilities

Java-Deserialization-Cheat-Sheet

A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.

Please use the #javadeser hashtag for tweets.

Table of contents

  • Java Native Serialization (binary)
    • Overview
    • Main talks & presentations & docs
    • Payload generators
    • Exploits
    • Detect
    • Vulnerable apps (without public sploits/need more info)
    • Protection
    • For Android
  • XMLEncoder (XML)
  • XStream (XML/JSON/various)
  • Kryo (binary)
  • Hessian/Burlap (binary/XML)
  • Castor (XML)
  • json-io (JSON)
  • Jackson (JSON)
  • Fastjson (JSON)
  • Genson (JSON)
  • Flexjson (JSON)
  • Jodd (JSON)
  • Red5 IO AMF (AMF)
  • Apache Flex BlazeDS (AMF)
  • Flamingo AMF (AMF)
  • GraniteDS (AMF)
  • WebORB for Java (AMF)
  • SnakeYAML (YAML)
  • jYAML (YAML)
  • YamlBeans (YAML)
  • "Safe" deserialization

Java Native Serialization (binary)

Overview

  • Java Deserialization Security FAQ
  • From Foxgloves Security

Main talks & presentations & docs

Marshalling Pickles

by @frohoff & @gebl

  • Video
  • Slides
  • Other stuff
Exploiting Deserialization Vulnerabilities in Java

by @matthias_kaiser

  • Video
Serial Killer: Silently Pwning Your Java Endpoints

by @pwntester & @cschneider4711

  • Slides
  • White Paper
  • Bypass Gadget Collection
Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

by @frohoff & @gebl

  • Slides
Surviving the Java serialization apocalypse

by @cschneider4711 & @pwntester

  • Slides
  • Video
  • PoC for Scala, Groovy
Java Deserialization Vulnerabilities - The Forgotten Bug Class

by @matthias_kaiser

  • Slides
Pwning Your Java Messaging With Deserialization Vulnerabilities

by @matthias_kaiser

  • Slides
  • White Paper
  • Tool for jms hacking
Defending against Java Deserialization Vulnerabilities

by @lucacarettoni

  • Slides
A Journey From JNDI/LDAP Manipulation To Remote Code Execution Dream Land

by @pwntester and O. Mirosh

  • Slides
  • White Paper
Fixing the Java Serialization mess

by @e_rnst

  • Slides+Source
Blind Java Deserialization

by deadcode.me

  • Part I - Commons Gadgets
  • Part II - exploitation rev 2
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (JVM)

by @joaomatosf

  • Slides
  • Examples
Automated Discovery of Deserialization Gadget Chains

by @ianhaken

  • Video
  • Slides
  • Tool
Far Sides of Java Remote Protocols

by @_tint0

  • Slides

Payload generators

ysoserial

https://github.com/frohoff/ysoserial

ysoserial 0.6 payloads:

| payload | author | dependencies | impact (if not RCE) |
| --- | --- | --- | --- |
| AspectJWeaver | @Jang | aspectjweaver:1.9.2, commons-collections:3.2.2 | |
| BeanShell1 | @pwntester, @cschneider4711 | bsh:2.0b5 | |
| C3P0 | @mbechler | c3p0:0.9.5.2, mchange-commons-java:0.2.11 | |
| Click1 | @artsploit | click-nodeps:2.3.0, javax.servlet-api:3.1.0 | |
| Clojure | @JackOfMostTrades | clojure:1.8.0 | |
| CommonsBeanutils1 | @frohoff | commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 | |
| CommonsCollections1 | @frohoff | commons-collections:3.1 | |
| CommonsCollections2 | @frohoff | commons-collections4:4.0 | |
| CommonsCollections3 | @frohoff | commons-collections:3.1 | |
| CommonsCollections4 | @frohoff | commons-collections4:4.0 | |
| CommonsCollections5 | @matthias_kaiser, @jasinner | commons-collections:3.1 | |
| CommonsCollections6 | @matthias_kaiser | commons-collections:3.1 | |
| CommonsCollections7 | @scristalli, @hanyrax, @EdoardoVignati | commons-collections:3.1 | |
| FileUpload1 | @mbechler | commons-fileupload:1.3.1, commons-io:2.4 | file uploading |
| Groovy1 | @frohoff | groovy:2.3.9 | |
| Hibernate1 | @mbechler | | |
| Hibernate2 | @mbechler | | |
| JBossInterceptors1 | @matthias_kaiser | javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 | |
| JRMPClient | @mbechler | | |
| JRMPListener | @mbechler | | |
| JSON1 | @mbechler | json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 | |
| JavassistWeld1 | @matthias_kaiser | javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 | |
| Jdk7u21 | @frohoff | | |
| Jython1 | @pwntester, @cschneider4711 | jython-standalone:2.5.2 | |
| MozillaRhino1 | @matthias_kaiser | js:1.7R2 | |
| MozillaRhino2 | @_tint0 | js:1.7R2 | |
| Myfaces1 | @mbechler | | |
| Myfaces2 | @mbechler | | |
| ROME | @mbechler | rome:1.0 | |
| Spring1 | @frohoff | spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE | |
| Spring2 | @mbechler | spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 | |
| URLDNS | @gebl | jre only | vuln detect |
| Vaadin1 | @kai_ullrich | vaadin-server:7.7.14, vaadin-shared:7.7.14 | |
| Wicket1 | @jacob-baines | wicket-util:6.23.0, slf4j-api:1.6.4 | |

Plugins for Burp Suite (detection, ysoserial integration):

  • Freddy
  • JavaSerialKiller
  • Java Deserialization Scanner
  • Burp-ysoserial
  • SuperSerial
  • SuperSerial-Active

Full shell (pipes, redirects and other stuff):

  • $@|sh – Or: Getting a shell environment from Runtime.exec
  • Set String[] for Runtime.exec (patch ysoserial's payloads)
  • Shell Commands Converter

How it works:

  • https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/
  • http://gursevkalra.blogspot.ro/2016/01/ysoserial-commonscollections1-exploit.html
ysoserial fork with additional payloads

https://github.com/wh1t3p1g/ysoserial

  • CommonsCollection8,9,10
  • RMIRegistryExploit2,3
  • RMIRefListener,RMIRefListener2
  • PayloadHTTPServer
  • Spring3
JRE8u20_RCE_Gadget

https://github.com/pwntester/JRE8u20_RCE_Gadget

Pure JRE 8 RCE Deserialization gadget

ACEDcup

https://github.com/GrrrDog/ACEDcup

File uploading via:

  • Apache Commons FileUpload <= 1.3 (CVE-2013-2186) and Oracle JDK < 7u40
Universal billion-laughs DoS

https://gist.github.com/coekie/a27cc406fc9f3dc7a70d

Won't fix DoS via default Java classes (JRE)

Universal Heap overflows DoS using Arrays and HashMaps

https://github.com/topolik/ois-dos/

How it works:

  • Java Deserialization DoS - payloads

Won't fix DoS using default Java classes (JRE)

DoS against Serialization Filtering (JEP-290)
  • CVE-2018-2677
Tool to search gadgets in source
  • Gadget Inspector
  • Article about Gadget Inspector
Additional tools to test RMI:
  • BaRMIe
  • Barmitza
  • RMIScout
  • attackRmi
  • Remote Method Guesser (https://github.com/qtc-de/remote-method-guesser)
Remote class detection:
  • GadgetProbe: Exploiting Deserialization to Brute-Force the Remote Classpath
  • GadgetProbe
  • Remote Java classpath enumeration with EnumJavaLibs
  • EnumJavaLibs

Exploits

no spec tool - You don't need a special tool (just Burp/ZAP + payload)

RMI
  • Protocol
  • Default - 1099/tcp for rmiregistry
  • partially patched in JRE with JEP290 (JDK 8u121, JDK 7u131, JDK 6u141)
  • Attacking Java RMI services after JEP 290
  • An Trinh's RMI Registry Bypass
  • RMIScout

ysoserial

Additional tools

JMX
  • JMX on RMI
    • CVE-2016-3427
  • partially patched in JRE with JEP290 (JDK 8u121, JDK 7u131, JDK 6u141)
  • Attacking RMI based JMX services (after JEP 290)

ysoserial

mjet

JexBoss

JMXMP
  • Special JMX protocol
  • The Curse of Old Java Libraries
JNDI/LDAP
  • When we control the address passed to a JNDI lookup (context.lookup(address)) and the server can connect back to us
  • Full info
  • JNDI remote code injection
  • Exploiting JNDI Injections in Java

https://github.com/zerothoughts/jndipoc

https://github.com/welk1n/JNDI-Injection-Exploit

JMS
  • Full info

JMET

JSF ViewState
  • if the ViewState is not encrypted or not protected by a proper MAC

no spec tool

JexBoss

vjdbc
  • JDBC via HTTP library
  • all versions are vulnerable
  • Details

no spec tool

T3 of Oracle Weblogic
  • Protocol
  • Default - 7001/tcp on localhost interface
  • CVE-2015-4852
  • Blacklist bypass - CVE-2017-3248
  • Blacklist bypass - CVE-2017-3248 PoC
  • Blacklist bypass - CVE-2018-2628
  • Blacklist bypass - CVE-2018-2893
  • Blacklist bypass - CVE-2018-3245
  • Blacklist bypass - CVE-2018-3191
  • CVE-2019-2725
  • CVE-2020-2555
  • CVE-2020-2883
  • CVE-2020-2963
  • CVE-2020-14625
  • CVE-2020-14644
  • CVE-2020-14645
  • CVE-2020-14756
  • CVE-2020-14825
  • CVE-2020-14841

loubia (tested on 11g and 12c, supports t3s)

JavaUnserializeExploits (doesn't work for all Weblogic versions)

WLT3Serial

CVE-2018-2628 sploit

IIOP of Oracle Weblogic
  • Protocol
  • Default - 7001/tcp on localhost interface
  • CVE-2020-2551
  • Details

CVE-2020-2551 sploit

Oracle Weblogic (1)
  • auth required
  • How it works
  • CVE-2018-3252
Oracle Weblogic (2)
  • auth required
  • CVE-2021-2109

Exploit

IBM Websphere (1)
  • wsadmin
  • Default port - 8880/tcp
  • CVE-2015-7450

JavaUnserializeExploits

serialator

CoalfireLabs/java_deserialization_exploits

IBM Websphere (2)
  • When using custom form authentication
  • WASPostParam cookie
  • Full info

no spec tool

IBM Websphere (3)
  • IBM WAS DMGR
  • special port
  • CVE-2019-4279
  • ibm10883628
  • Exploit

Metasploit

IIOP of IBM Websphere
  • Protocol
  • ports 2809, 9100, 9402, 9403/tcp
  • CVE-2020-4450
  • CVE-2020-4449
  • Abusing Java Remote Protocols in IBM WebSphere
  • Vuln Details
Red Hat JBoss (1)
  • http://jboss_server/invoker/JMXInvokerServlet
  • Default port - 8080/tcp
  • CVE-2015-7501

JavaUnserializeExploits

https://github.com/njfox/Java-Deserialization-Exploit

serialator

JexBoss

Red Hat JBoss 6.X
  • http://jboss_server/invoker/readonly
  • Default port - 8080/tcp
  • CVE-2017-12149
  • JBoss 6.X and EAP 5.X
  • Details

no spec tool

Red Hat JBoss 4.x
  • http://jboss_server/jbossmq-httpil/HTTPServerILServlet/
  • <= 4.x
  • CVE-2017-7504

no spec tool

Jenkins (1)
  • Jenkins CLI
  • Default port - High number/tcp
  • CVE-2015-8103
  • CVE-2015-3253

JavaUnserializeExploits

JexBoss

Jenkins (2)
  • patch "bypass" for Jenkins
  • CVE-2016-0788
  • Details of exploit

ysoserial

Jenkins (3)
  • Jenkins CLI LDAP
  • Default port - High number/tcp
  • <= 2.32
  • <= 2.19.3 (LTS)
  • CVE-2016-9299
CloudBees Jenkins
  • <= 2.32.1
  • CVE-2017-1000353
  • Details

Sploit

JetBrains TeamCity
  • RMI

ysoserial

Restlet
  • <= 2.1.2
  • When Rest API accepts serialized objects (uses ObjectRepresentation)

no spec tool

RESTEasy
  • When Rest API accepts serialized objects (uses @Consumes({"*/*"}) or "application/*" )
  • Details and examples

no spec tool

OpenNMS (1)
  • RMI

ysoserial

OpenNMS (2)
  • CVE-2020-12760/NMS-12673
  • JMS

JMET

Progress OpenEdge RDBMS
  • all versions
  • RMI

ysoserial

Commvault Edge Server
  • CVE-2015-7253
  • Serialized object in cookie

no spec tool

Symantec Endpoint Protection Manager
  • /servlet/ConsoleServlet?ActionType=SendStatPing
  • CVE-2015-6555

serialator

Oracle MySQL Enterprise Monitor
  • https://[target]:18443/v3/dataflow/0/0
  • CVE-2016-3461

no spec tool

serialator

PowerFolder Business Enterprise Suite
  • custom(?) protocol (1337/tcp)
  • MSA-2016-01

powerfolder-exploit-poc

Solarwinds Virtualization Manager
  • <= 6.3.1
  • RMI
  • CVE-2016-3642

ysoserial

Cisco Prime Infrastructure
  • https://[target]/xmp_data_handler_service/xmpDataOperationRequestServlet
  • <= 2.2.3 Update 4
  • <= 3.0.2
  • CVE-2016-1291

CoalfireLabs/java_deserialization_exploits

Cisco ACS
  • <= 5.8.0.32.2
  • RMI (2020 tcp)
  • CSCux34781

ysoserial

Cisco Unity Express
  • RMI (port 1099 tcp)
  • version < 9.0.6
  • CVE-2018-15381

ysoserial

Cisco Unified CVP
  • RMI (2098 and 2099)
  • Details

ysoserial

NASDAQ BWISE
  • RMI (port 81 tcp)
  • Details
  • CVE-2018-11247

ysoserial

NICE ENGAGE PLATFORM
  • JMX (port 6338 tcp)
  • Details
  • CVE-2019-7727
Apache Cassandra
  • JMX (port 7199 tcp)
  • Details
  • CVE-2018-8016
Cloudera Zookeeper
  • JMX (port 9010 tcp)
  • Details
Apache Olingo
  • version < 4.7.0
  • CVE-2019-17556
  • Details and examples

no spec tool

Apache Dubbo
  • CVE-2019-17564
  • Details and examples

no spec tool

Apache XML-RPC
  • all versions, no fix (the project is no longer maintained)
  • POST XML request with ex:serializable element
  • Details and examples

no spec tool

Apache Archiva
  • because it uses Apache XML-RPC
  • CVE-2016-5004
  • Details and examples

no spec tool

SAP NetWeaver
  • https://[target]/developmentserver/metadatauploader
  • CVE-2017-9844

PoC

SAP Hybris
  • /virtualjdbc/
  • CVE-2019-0344

no spec tool

Sun Java Web Console
  • admin panel for Solaris
  • < v3.1
  • old DoS sploit

no spec tool

Apache MyFaces Trinidad
  • 1.0.0 <= version < 1.0.13
  • 1.2.1 <= version < 1.2.14
  • 2.0.0 <= version < 2.0.1
  • 2.1.0 <= version < 2.1.1
  • it does not check the ViewState MAC
  • CVE-2016-5019

no spec tool

JBoss Richfaces
  • Variation of the CVE-2018-12532 exploitation
  • When EL Injection meets Java Deserialization
Apache Tomcat JMX
  • JMX
  • Patch bypass
  • CVE-2016-8735

JexBoss

OpenText Documentum D2
  • version 4.x
  • CVE-2017-5586

exploit

Liferay
  • /api/spring
  • /api/liferay
  • <= 7.0-ga3
  • if IP check works incorrectly
  • Details

no spec tool

ScrumWorks Pro
  • /UFC
  • <= 6.7.0
  • Details

PoC

ManageEngine Applications Manager
  • version
  • RMI
  • CVE-2016-9498

ysoserial

ManageEngine Desktop Central
  • version < 10.0.474
  • CVE-2020-10189

MSF exploit

Apache Shiro
  • SHIRO-550
  • rememberMe cookie encrypted with a hardcoded key
  • Exploitation (in Chinese)
HP IMC (Intelligent Management Center)
  • WebDMDebugServlet
  • <= 7.3 E0504P2
  • CVE-2017-12557

Metasploit module

HP IMC (Intelligent Management Center)
  • RMI
  • <= 7.3 E0504P2
  • CVE-2017-5792

ysoserial

Apache Brooklyn
  • Non default config
  • JMXMP
Elassandra
  • Non default config
  • JMXMP
Micro Focus
  • CVE-2020-11853
  • Vulnerability analysis
  • Affected products:
  • Operations Bridge Manager versions: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, versions 10.6x and 10.1x and older versions
  • Application Performance Management versions: 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3
  • Data Center Automation version 2019.11
  • Operations Bridge (containerized) versions: 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11
  • Universal CMDB versions: 2020.05, 2019.11, 2019.05, 2019.02, 2018.11, 2018.08, 2018.05, 11, 10.33, 10.32, 10.31, 10.30
  • Hybrid Cloud Management version 2020.05
  • Service Management Automation versions 2020.5 and 2020.02

Metasploit Exploit

IBM Qradar (1)
  • CVE-2020-4280
  • Exploitation
IBM Qradar (2)
  • /console/remoteJavaScript
  • CVE-2020-4888

Exploit

IBM InfoSphere JReport
  • RMI
  • port 58611
  • <=8.5.0.0 (all)
  • Exploitation details
Apache Kafka
  • connect-api
  • Vulnerability analysis
Zoho ManageEngine ADSelfService Plus
  • CVE-2020-11518
  • Exploitation
Apache ActiveMQ - Client lib
  • JMS

JMET

Redhat/Apache HornetQ - Client lib
  • JMS

JMET

Oracle OpenMQ - Client lib
  • JMS

JMET

IBM WebSphereMQ - Client lib
  • JMS

JMET

Oracle Weblogic - Client lib
  • JMS

JMET

Pivotal RabbitMQ - Client lib
  • JMS

JMET

IBM MessageSight - Client lib
  • JMS

JMET

IIT Software SwiftMQ - Client lib
  • JMS

JMET

Apache ActiveMQ Artemis - Client lib
  • JMS

JMET

Apache QPID JMS - Client lib
  • JMS

JMET

Apache QPID - Client lib
  • JMS

JMET

Amazon SQS Java Messaging - Client lib
  • JMS

JMET

Axis/Axis2 SOAPMonitor
  • All versions (the project maintainers consider this by design)
  • Binary
  • Default port: 5001
  • Info: https://axis.apache.org/axis2/java/core/docs/soapmonitor-module.html

java -jar ysoserial-*-all.jar CommonsCollections1 'COMMAND_HERE' | nc TARGET_SERVER 5001

ysoserial

Apache Synapse
  • <= 3.0.1
  • RMI
  • Exploit

ysoserial

Apache Jmeter
  • <= 3.0.1
  • RMI
  • When using Distributed Test only
  • Exploit

ysoserial

Jolokia
  • <= 1.4.0
  • JNDI injection
  • /jolokia/
  • Exploit
RichFaces
  • all versions
  • Poor RichFaces
  • When EL Injection meets Java Deserialization
Apache James
  • < 3.0.1
  • Analysis of CVE-2017-12628

ysoserial

Oracle DB
  • <= Oracle 12C
  • CVE-2018-3004 - Oracle Privilege Escalation via Deserialization
Zimbra Collaboration
  • < 8.7.0
  • CVE-2016-3415
  • <= 8.8.11
  • A Saga of Code Executions on Zimbra
Adobe ColdFusion (1)
  • <= 2016 Update 4
  • <= 11 update 12
  • CVE-2017-11283
  • CVE-2017-11284
Adobe ColdFusion (2)
  • RMI
  • <= 2016 Update 5
  • <= 11 update 13
  • Another ColdFusion RCE – CVE-2018-4939
  • CVE-2018-4939
Adobe ColdFusion (3) / JNBridge
  • custom protocol in JNBridge
  • port 6093 or 6095
  • <= 2016 Update ?
  • <= 2018 Update ?
  • APSB19-17
  • CVE-2019-7839: ColdFusion Code Execution Through JNBridge
Apache SOLR (1)
  • SOLR-8262
  • 5.1 <= version <=5.4
  • /stream handler uses Java serialization for RPC
Apache SOLR (2)
  • SOLR-13301
  • CVE-2019-0192
  • version: 5.0.0 to 5.5.5
  • version: 6.0.0 to 6.6.5
  • Attack via jmx.serviceUrl
  • Exploit
Adobe Experience Manager AEM
  • 5.5 - 6.1 (?)
  • /lib/dam/cloud/proxy.json parameter file
  • ExternalJobPostServlet
MySQL Connector/J
  • version < 5.1.41
  • when "autoDeserialize" is set on
  • CVE-2017-3523
Pitney Bowes Spectrum
  • RMI
  • Java RMI Server Insecure Default Configuration
SmartBear ReadyAPI
  • RMI
  • SYSS-2019-039
NEC ESMPRO Manager
  • RMI
  • CVE-2020-10917
  • ZDI-20-684
Apache OFBiz
  • RMI
  • cve-2021-26295
  • Exploit
NetMotion Mobility
  • < 11.73
  • < 12.02
  • NetMotion Mobility Server Multiple Deserialization of Untrusted Data Lead to RCE
  • CVE-2021-26914

ysoserial

Metasploit exploit: exploit/windows/http/netmotion_mobility_mvcutil_deserialization

Detect

Code review
  • ObjectInputStream.readObject
  • ObjectInputStream.readUnshared
  • Tool: Find Security Bugs
  • Tool: Serianalyzer
Traffic
  • Magic bytes 'ac ed 00 05' (hex) at the start of the stream
  • 'rO0' prefix when the stream is Base64-encoded
  • 'application/x-java-serialized-object' in the Content-Type header
Network
  • Nmap >= 7.10 has more Java-related probes
  • use nmap -sV --version-all to find JMX/RMI on non-standard ports
Burp plugins
  • JavaSerialKiller
  • Java Deserialization Scanner
  • Burp-ysoserial
  • SuperSerial
  • SuperSerial-Active
  • Freddy
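The Java class below is an added example, not code from the cheat sheet or from any tool it lists. It turns the traffic indicators above into a small scanner: it flags the Content-Type, finds Base64 blobs beginning with rO0AB (the Base64 form of ac ed 00 05), locates raw streams, and for each blob parses the stream header (STREAM_MAGIC, version, TC_OBJECT, TC_CLASSDESC) to report the first class descriptor. The request in main is constructed for the demo; the serialized java.util.HashMap it carries is generated with ObjectOutputStream. Assumes Java 17 or later (records).

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Finds Java serialization streams in HTTP traffic using the indicators above (example code). */
public class JavaSerialDetector {
    static final byte[] MAGIC = {(byte) 0xac, (byte) 0xed, 0x00, 0x05}; // STREAM_MAGIC + STREAM_VERSION
    static final int TC_OBJECT = 0x73, TC_CLASSDESC = 0x72;
    // Base64 of ac ed 00 05 always starts with "rO0AB"; the rest is ordinary Base64
    static final Pattern B64 = Pattern.compile("rO0AB[A-Za-z0-9+/]*={0,2}");

    /** One finding per indicator: where it was seen, how it was encoded, leading class (if parsable). */
    record Finding(String where, String encoding, String firstClass) {}

    /** Name from the first class descriptor (TC_OBJECT TC_CLASSDESC len name), or null if not parsable. */
    static String firstClassName(byte[] s) {
        if (s.length < 8 || !startsWith(s, 0, MAGIC)) return null;
        if ((s[4] & 0xff) != TC_OBJECT || (s[5] & 0xff) != TC_CLASSDESC) return null;
        int len = ((s[6] & 0xff) << 8) | (s[7] & 0xff);          // big-endian modified-UTF8 length
        if (8 + len > s.length) return null;
        return new String(s, 8, len, StandardCharsets.UTF_8);
    }

    static boolean startsWith(byte[] a, int off, byte[] prefix) {
        if (off + prefix.length > a.length) return false;
        for (int i = 0; i < prefix.length; i++) if (a[off + i] != prefix[i]) return false;
        return true;
    }

    static List<Finding> scan(String headers, byte[] body) {
        List<Finding> out = new ArrayList<>();
        for (String line : headers.split("\r?\n")) {
            String lower = line.toLowerCase(Locale.ROOT);
            if (lower.startsWith("content-type:") && lower.contains("application/x-java-serialized-object")) {
                out.add(new Finding("header", "content-type", null));
            }
        }
        // Base64 form hides in cookies, parameters, ViewState, JSON strings; Latin-1 keeps bytes 1:1
        String text = headers + "\n" + new String(body, StandardCharsets.ISO_8859_1);
        Matcher m = B64.matcher(text);
        while (m.find()) {
            String where = m.start() < headers.length() ? "header" : "body";
            try {
                byte[] decoded = Base64.getDecoder().decode(repad(m.group()));
                out.add(new Finding(where, "base64", firstClassName(decoded)));
            } catch (IllegalArgumentException truncated) {
                out.add(new Finding(where, "base64", null));
            }
        }
        // Raw binary form anywhere in the body
        for (int i = 0; i + MAGIC.length <= body.length; i++) {
            if (startsWith(body, i, MAGIC)) {
                out.add(new Finding("body", "raw", firstClassName(Arrays.copyOfRange(body, i, body.length))));
            }
        }
        return out;
    }

    /** Strip any '=' the regex grabbed and re-pad so the strict decoder accepts the blob. */
    static String repad(String b64) {
        String core = b64.replace("=", "");
        int rem = core.length() % 4;
        return rem == 0 ? core : core + "====".substring(rem);
    }

    public static void main(String[] args) throws IOException {
        // Generated sample: a genuine stream for an empty java.util.HashMap (harmless, not a gadget)
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new HashMap<String, String>());
        }
        byte[] stream = bos.toByteArray();
        // Constructed request: raw stream in the body, the same stream Base64-encoded in a cookie
        String headers = "POST /invoker/JMXInvokerServlet HTTP/1.1\r\n"
                + "Host: target.example\r\n"
                + "Content-Type: application/x-java-serialized-object\r\n"
                + "Cookie: rememberMe=" + Base64.getEncoder().encodeToString(stream) + "\r\n";
        for (Finding f : scan(headers, stream)) System.out.println(f);
    }
}
```

URL-decode parameters before scanning, since +, / and = are usually percent-encoded in query strings and form bodies. The first class name is only a hint: gadget chains normally start with an innocuous collection class, so any serialized object arriving from an untrusted source is worth a closer look, not just recognised gadget names.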

Vulnerable apps (without public sploits/need more info)

Spring Service Invokers (HTTP, JMS, RMI...)
  • Details
SAP P4
  • info from slides
Apache ActiveMQ (2)
  • CVE-2015-5254
  • <= 5.12.1
  • Explanation of the vuln
  • CVE-2015-7253
Atlassian Bamboo (1)
  • CVE-2015-6576
  • 2.2 <= version < 5.8.5
  • 5.9.0 <= version < 5.9.7
Atlassian Bamboo (2)
  • CVE-2015-8360
  • 2.3.1 <= version < 5.9.9
  • Bamboo JMS port (port 54663 by default)
Atlassian Jira
  • only Jira with a Data Center license
  • RMI (port 40001 by default)
  • JRA-46203
Akka
  • version < 2.4.17
  • "an ActorSystem exposed via Akka Remote over TCP"
  • Official description
Spring AMQP
  • CVE-2016-2173
  • 1.0.0 <= version < 1.5.5
Apache Tika
  • CVE-2016-6809
  • 1.6 <= version < 1.14
  • Apache Tika’s MATLAB Parser
Apache HBase
  • HBASE-14799
Apache Camel
  • CVE-2015-5348
Apache Dubbo
  • CVE-2020-1948
  • <=2.7.7
Apache Spark
  • SPARK-20922: Unsafe deserialization in Spark LauncherConnection
Apache Spark
  • SPARK-11652: Remote code execution with InvokerTransformer
Apache Log4j (1)
  • as server
  • CVE-2017-5645
Apache Log4j (2)
  • <= 1.2.17
  • CVE-2019-17571
Apache Geode
  • CVE-2017-15692
  • CVE-2017-15693
  • Details
Apache Ignite
  • CVE-2018-1295
  • CVE-2018-8018
  • Details
Infinispan
  • CVE-2017-15089
  • Details
Hazelcast
  • CVE-2016-10750
  • Details
Gradle (gui)
  • custom(?) protocol(60024/tcp)
  • article
Oracle Hyperion
  • from slides
Oracle Application Testing Suite
  • CVE-2015-7501
Red Hat JBoss BPM Suite
  • RHSA-2016-0539
  • CVE-2016-2510
Red Hat Wildfly
  • CVE-2020-10740
VMWare vRealize Operations
  • 6.0 <= version < 6.4.0
  • REST API
  • VMSA-2016-0020
  • CVE-2016-7462
VMWare vCenter/vRealize (various)
  • CVE-2015-6934
  • VMSA-2016-0005
  • JMX
Cisco (various)
  • List of vulnerable products
  • CVE-2015-6420
Cisco Security Manager
  • CVE-2020-27131
Lexmark Markvision Enterprise
  • CVE-2016-1487
McAfee ePolicy Orchestrator
  • CVE-2015-8765
HP IMC PLAT
  • version 7.3 E0506P09 and earlier
  • several CVE-2019-x
HP iMC
  • CVE-2016-4372
HP Operations Orchestration
  • CVE-2016-1997
HP Asset Manager
  • CVE-2016-2000
HP Service Manager
  • CVE-2016-1998
HP Operations Manager
  • CVE-2016-1985
HP Release Control
  • CVE-2016-1999
HP Continuous Delivery Automation
  • CVE-2016-1986
HP P9000, XP7 Command View Advanced Edition (CVAE) Suite
  • CVE-2016-2003
HP Network Automation
  • CVE-2016-4385
Adobe Experience Manager
  • CVE-2016-0958
Unify OpenScape (various)
  • CVE-2015-8237 (CVE ID changed?)
  • RMI (30xx/tcp)
  • CVE-2015-8238 (CVE ID changed?)
  • js-soc protocol (4711/tcp)
  • Details
Apache OFBiz (1)
  • CVE-2016-2170
Apache OFBiz (2)
  • CVE-2020-9496
Apache Tomcat (1)
  • requires local access
  • CVE-2016-0714
  • Article
Apache Tomcat (2)
  • many requirements
  • Apache Tomcat Remote Code Execution via session persistence
  • CVE-2020-9484
Apache TomEE
  • CVE-2016-0779
IBM Cognos BI
  • CVE-2012-4858
IBM Maximo Asset Management
  • CVE-2020-4521
Novell NetIQ Sentinel
  • CVE-2016-1000031
ForgeRock OpenAM
  • 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
  • 201505-01
F5 (various)
  • sol30518307
Hitachi (various)
  • HS16-010
  • 0328_acc
NetApp (various)
  • CVE-2015-8545 (CVE ID changed?)
Citrix XenMobile Server
  • port 45000
  • when Clustering is enabled
  • Won't Fix (?)
  • 10.7 and 10.8
  • Citrix advisory
  • CVE-2018-10654
IBM WebSphere (1)
  • SOAP connector
  • <= 9.0.0.9
  • <= 8.5.5.14
  • <= 8.0.0.15
  • <= 7.0.0.45
  • CVE-2018-1567
IBM WebSphere (2)
  • CVE-2015-1920
IBM WebSphere (3)
  • TCP port 11006
  • CVE-2020-4448
  • Vuln details
IBM WebSphere (4)
  • SOAP connector
  • CVE-2020-4464
  • Vuln details
IBM WebSphere (5)
  • CVE-2021-20353
IBM WebSphere (6)
  • CVE-2020-4576
IBM WebSphere (7)
  • CVE-2020-4589
Code42 CrashPlan
  • TCP port 4282
  • RMI (?)
  • 5.4.x
  • CVE-2017-9830
  • Details
Apache OpenJPA
  • CVE-2013-1768
Dell EMC VNX Monitoring and Reporting
  • CVE-2017-8012
Taoensso Nippy
  • <2.14.2
  • CVE-2020-24164
CAS
  • v4.1.x
  • v4.2.x
  • CAS Vulnerability Disclosure from Apereo
Apache Batchee
Apache JCS
Apache OpenWebBeans

Protection

  • Look-ahead Java deserialization
  • NotSoSerial
  • SerialKiller
  • ValidatingObjectInputStream
  • Name Space Layout Randomization
  • Some protection bypasses
  • Tool: Serial Whitelist Application Trainer
  • JEP 290: Filter Incoming Serialization Data in JDK 6u141, 7u131, 8u121
    • A First Look Into Java's New Serialization Filtering
  • AtomicSerial

For Android

Main talks & presentations & examples

  • One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android
  • Android Serialization Vulnerabilities Revisited
  • A brief history of Android deserialization vulnerabilities
  • Exploiting Android through an Intent with Reflection

Tools

  • Android Java Deserialization Vulnerability Tester

XMLEncoder (XML)

How it works:

  • http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
  • Java Unmarshaller Security

Detect

Code review
  • java.beans.XMLDecoder
  • readObject
Burp plugins
  • Freddy

Exploits

Oracle Weblogic
  • <= 10.3.6.0.0
  • <= 12.1.3.0.0
  • <= 12.2.1.2.0
  • <= 12.2.1.1.0
  • http://weblogic_server/wls-wsat/CoordinatorPortType
  • CVE-2017-3506
  • CVE-2017-10271
  • Details
  • CVE-2019-2729 Details

Exploit

Oracle RDBMS
  • priv escalation
  • Oracle Privilege Escalation via Deserialization

XStream (XML/JSON/various)

How it works:

  • http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/
  • http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
  • https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
  • Java Unmarshaller Security

Payload generators

  • https://github.com/mbechler/marshalsec
  • CVE-2020-26217
  • CVE-2020-26258 - SSRF
  • CVE-2021-29505

Exploits

Apache Struts (S2-052)
  • <= 2.3.34
  • <= 2.5.13
  • REST plugin
  • CVE-2017-9805

Exploit

Detect

Code review
  • com.thoughtworks.xstream.XStream
  • xs.fromXML(data)
Burp plugins
  • Freddy

Vulnerable apps (without public sploits/need more info):

Atlassian Bamboo
  • CVE-2016-5229
Jenkins
  • CVE-2017-2608

Kryo (binary)

How it works:

  • https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo
  • Java Unmarshaller Security

Payload generators

  • https://github.com/mbechler/marshalsec

Detect

Code review
  • com.esotericsoftware.kryo.io.Input
  • SomeClass object = (SomeClass)kryo.readClassAndObject(input);
  • SomeClass someObject = kryo.readObjectOrNull(input, SomeClass.class);
  • SomeClass someObject = kryo.readObject(input, SomeClass.class);
Burp plugins
  • Freddy

Hessian/Burlap (binary/XML)

How it works:

  • Java Unmarshaller Security
  • Castor and Hessian java deserialization vulnerabilities
  • Recurrence and Analysis of Hessian Deserialization RCE Vulnerability

Payload generators

  • https://github.com/mbechler/marshalsec

Detect

Code review
  • com.caucho.hessian.io
  • AbstractHessianInput
  • com.caucho.burlap.io.BurlapInput;
  • com.caucho.burlap.io.BurlapOutput;
  • BurlapInput in = new BurlapInput(is);
  • Person2 p1 = (Person2) in.readObject();
Burp plugins
  • Freddy

Vulnerable apps (without public sploits/need more info):

Apache Camel
  • CVE-2017-12634
MobileIron MDM
  • CVE-2020-15505
  • Metasploit Exploit

Castor (XML)

How it works:

  • Java Unmarshaller Security
  • Castor and Hessian java deserialization vulnerabilities

Payload generators

  • https://github.com/mbechler/marshalsec

Detect

Code review
  • org.codehaus.castor
  • org.exolab.castor.xml.Unmarshaller
  • org.springframework.oxm.Unmarshaller
  • Unmarshaller.unmarshal(Person.class, reader)
  • unmarshaller = context.createUnmarshaller();
  • unmarshaller.unmarshal(new StringReader(data));
Burp plugins
  • Freddy

Vulnerable apps (without public sploits/need more info):

OpenNMS
  • NMS-9100
Apache Camel
  • CVE-2017-12633

json-io (JSON)

How it works:

  • Java Unmarshaller Security

Exploitation examples:

  • Experiments with JSON-IO, Serialization, Mass Assignment, and General Java Object Wizardry
  • JSON Deserialization Memory Corruption Vulnerabilities on Android

Payload generators

  • https://github.com/mbechler/marshalsec

Detect

Code review
  • com.cedarsoftware.util.io.JsonReader
  • JsonReader.jsonToJava
Burp plugins
  • Freddy

Jackson (JSON)

vulnerable only in specific configurations: polymorphic type handling (default typing or @JsonTypeInfo with Id.CLASS) on fields typed as Object or other non-concrete types

How it works:

  • Java Unmarshaller Security
  • On Jackson CVEs: Don’t Panic — Here is what you need to know
  • Jackson Deserialization Vulnerabilities
  • The End of the Blacklist

Payload generators / gadget chains

  • https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
  • https://github.com/mbechler/marshalsec
  • blacklist bypass - CVE-2017-17485
  • blacklist bypass - CVE-2017-15095
  • CVE-2019-14540
  • Jackson gadgets - Anatomy of a vulnerability
  • JNDI Injection using Getter Based Deserialization Gadgets
  • blacklist bypass - CVE-2020-8840
  • blacklist bypass - CVE-2020-10673

Detect

Code review
  • com.fasterxml.jackson.databind.ObjectMapper
  • ObjectMapper mapper = new ObjectMapper();
  • objectMapper.enableDefaultTyping();
  • @JsonTypeInfo(use=JsonTypeInfo.Id.CLASS, include=JsonTypeInfo.As.PROPERTY, property="@class")
  • public Object message;
  • mapper.readValue(data, Object.class);
Burp plugins
  • Freddy
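The following is an added example, not code from the cheat sheet or from Jackson itself. It places the vulnerable code-review pattern above (enableDefaultTyping() with an Object-typed field) beside the hardened replacement Jackson added in 2.10, activateDefaultTyping() with a PolymorphicTypeValidator, and feeds both the same constructed JSON. java.util.HashMap plays the attacker-chosen class; the Message and Ping types are assumed application types. Assumes jackson-databind 2.10 or later on the classpath.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/** Default typing: the unsafe legacy switch beside an allow-listed replacement (example code). */
public class JacksonDefaultTypingDemo {

    /** Bean with an Object-typed field: the shape that makes default typing dangerous. */
    public static class Message {
        public Object payload;
    }

    /** Assumed application type; the only class the client is allowed to select. */
    public static class Ping {
        public String host;
    }

    // Constructed inputs: with default typing the client names the concrete class of "payload"
    // (WRAPPER_ARRAY form). java.util.HashMap is a harmless stand-in for a gadget class.
    static final String UNTRUSTED = "{\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";
    static final String EXPECTED = "{\"payload\":[\"" + Ping.class.getName() + "\",{\"host\":\"db1\"}]}";

    /** Vulnerable: enableDefaultTyping() instantiates any class that is not on Jackson's blacklist. */
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    /** Hardened: the validator decides which type ids may be resolved; everything else is refused. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Ping.class)          // or allowIfSubType("com.example.dto.") for a package
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    public static void main(String[] args) throws Exception {
        Message m1 = unsafeMapper().readValue(UNTRUSTED, Message.class);
        System.out.println("unsafe mapper instantiated: " + m1.payload.getClass().getName());

        Message m2 = hardenedMapper().readValue(EXPECTED, Message.class);
        System.out.println("hardened mapper accepted: " + m2.payload.getClass().getName());
        try {
            hardenedMapper().readValue(UNTRUSTED, Message.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
    }
}
```

The blacklist bypass CVEs listed above exist because enableDefaultTyping() relies on a deny-list of known gadget classes; the validator inverts that into an allow-list, which is why the same HashMap that the unsafe mapper happily builds is refused with an InvalidTypeIdException. The same validator can be passed to @JsonTypeInfo-driven deserialization through ObjectMapper.setPolymorphicTypeValidator().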

Exploits

FasterXML
  • CVE-2019-12384
Liferay
  • CVE-2019-16891

Vulnerable apps (without public sploits/need more info):

Apache Camel
  • CVE-2016-8749

Fastjson (JSON)

How it works:

  • https://www.secfree.com/article-590.html
  • Official advisory
  • Fastjson process analysis and RCE analysis
  • Fastjson Deserialization Vulnerability History

Detect

Code review
  • com.alibaba.fastjson.JSON
  • JSON.parseObject
Burp plugins
  • Freddy

Payload generators

  • fastjson <= 1.2.24
  • fastjson <= 1.2.47
  • fastjson <= 1.2.66
  • blacklisted gadgets
  • Fastjson: exceptional deserialization vulnerabilities

Genson (JSON)

How it works:

  • Friday the 13th JSON Attacks

Detect

Code review
  • com.owlike.genson.Genson
  • useRuntimeType
  • genson.deserialize
Burp plugins
  • Freddy

Flexjson (JSON)

How it works:

  • Friday the 13th JSON Attacks

Payload generators / gadget chains

  • PoC

Detect

Code review
  • import flexjson.JSONDeserializer
  • JSONDeserializer jsonDeserializer = new JSONDeserializer()
  • jsonDeserializer.deserialize(jsonString);

Exploits

Liferay
  • Liferay Portal JSON Web Service RCE Vulnerabilities
  • CST-7111

Jodd (JSON)

vulnerable in a non-default configuration when setClassMetadataName() is set

  • issues/628

Payload generators / gadget chains

  • PoC

Detect

Code review
  • jodd.json.JsonParser
  • JsonParser jsonParser = new JsonParser()
  • jsonParser.setClassMetadataName("class").parse(jsonString, ClassName.class);

Red5 IO AMF (AMF)

How it works:

  • Java Unmarshaller Security

Payload generators

  • https://github.com/mbechler/marshalsec

Detect

Code review
  • org.red5.io
  • Deserializer.deserialize(i, Object.class);
Burp plugins
  • Freddy

Vulnerable apps (without public sploits/need more info):

Apache OpenMeetings
  • CVE-2017-5878

Apache Flex BlazeDS (AMF)

How it works:

  • AMF – Another Malicious Format
  • Java Unmarshaller Security

Payload generators

  • https://github.com/mbechler/marshalsec

Detect

Code review
Burp plugins
  • Freddy

Vulnerable apps:

Oracle Business Intelligence
  • BIRemotingServlet
  • no auth
  • CVE-2020-2950
  • Details on the Oracle WebLogic Vulnerability Being Exploited in the Wild
  • CVE-2020–2950 — Turning AMF Deserialize bug to Java Deserialize bug
Adobe ColdFusion
  • CVE-2017-3066
  • <= 2016 Update 3
  • <= 11 update 11
  • <= 10 Update 22
  • Exploiting Adobe ColdFusion before CVE-2017-3066
  • PoC
Draytek VigorACS
  • /ACSServer/messagebroker/amf
  • at least 2.2.1
  • based on CVE-2017-5641
  • PoC

Apache BlazeDS
  • CVE-2017-5641
VMWare VCenter
  • based on CVE-2017-5641
HP Systems Insight Manager
  • /simsearch/messagebroker/amfsecure
  • 7.6.x
  • CVE-2020-7200
  • Metasploit Exploit

Flamingo AMF (AMF)

How it works:

  • AMF – Another Malicious Format

Detect

Burp plugins
  • Freddy

GraniteDS (AMF)

How it works:

  • AMF – Another Malicious Format

Detect

Burp plugins
  • Freddy

WebORB for Java (AMF)

How it works:

  • AMF – Another Malicious Format

Detect

Burp plugins
  • Freddy

SnakeYAML (YAML)

How it works:

  • Java Unmarshaller Security

Payload generators

  • https://github.com/mbechler/marshalsec
  • Payload Generator for the SnakeYAML deserialization gadget

Detect

Code review
  • org.yaml.snakeyaml.Yaml
  • yaml.load
Burp plugins
  • Freddy
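Added example, not code from the cheat sheet or from SnakeYAML: it shows the yaml.load pattern from the code-review list above in its vulnerable form and next to it the SafeConstructor variant, run on the same constructed document. The "!!" tag tells the default Constructor which class to build and the mapping drives that class's setters; the nested Victim class is an assumed stand-in for a real gadget such as javax.script.ScriptEngineManager, and its setter only prints. Assumes SnakeYAML 1.x (in 2.0 the constructors take a LoaderOptions argument and the default no longer builds arbitrary classes).

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/** SnakeYAML 1.x: the default Constructor honours any "!!class" tag, SafeConstructor refuses it (example code). */
public class SnakeYamlSafeLoadDemo {

    /** Assumed stand-in for a gadget class: any public setter is reachable just by naming it in YAML. */
    public static class Victim {
        private String cmd;
        public String getCmd() { return cmd; }
        public void setCmd(String cmd) {
            this.cmd = cmd;
            System.out.println("Victim.setCmd called with: " + cmd); // a real gadget would act on this
        }
    }

    // Constructed document: tag selects the class, the mapping feeds its properties.
    static final String UNTRUSTED = "!!" + Victim.class.getName() + " {cmd: id}";

    /** Vulnerable: yaml.load(data) with the default Constructor, exactly the code-review pattern. */
    static Object loadUnsafe(String doc) {
        Yaml yaml = new Yaml();
        return yaml.load(doc);
    }

    /** Hardened: SafeConstructor only builds standard YAML types (maps, lists, scalars). */
    static Object loadSafe(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor());
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        Object built = loadUnsafe(UNTRUSTED);
        System.out.println("unsafe load instantiated: " + built.getClass().getName());
        try {
            loadSafe(UNTRUSTED);
            System.out.println("safe load accepted (unexpected)");
        } catch (YAMLException e) {
            System.out.println("safe load rejected: " + e.getMessage());
        }
    }
}
```

If the application genuinely needs typed YAML, pair a Constructor with an explicit root class (new Yaml(new Constructor(MyConfig.class))) rather than the unrestricted default; the explicit tag in the document above still overrides the root type in 1.x, so a SafeConstructor or a custom Constructor that rejects unknown tags remains the robust choice for untrusted input.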

Vulnerable apps (without public sploits/need more info):

Resteasy
  • CVE-2016-9606
Apache Camel
  • CVE-2017-3159
Apache Brooklyn
  • CVE-2016-8744
Apache ShardingSphere
  • CVE-2020-1947

jYAML (YAML)

How it works:

  • Java Unmarshaller Security

Payload generators

  • https://github.com/mbechler/marshalsec

Detect

  • org.ho.yaml.Yaml
  • Yaml.loadType(data, Object.class);
Burp plugins
  • Freddy

YamlBeans (YAML)

How it works:

  • Java Unmarshaller Security

Payload generators

  • https://github.com/mbechler/marshalsec

Detect

  • com.esotericsoftware.yamlbeans
  • YamlReader r = new YamlReader(data, yc);
Burp plugins
  • Freddy

"Safe" deserialization

Some serialization libs are safe (or almost safe): https://github.com/mbechler/marshalsec

However, this is not a recommendation, just a list of other libs that someone has researched:

  • JAXB
  • XmlBeans
  • Jibx
  • Protobuf
  • GSON
  • GWT-RPC
