Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Mon, 29 Feb 2016 20:30:52 +0100
From: Moritz Bechler <>
Subject: Java Deserialization continued, Analysis Tooling and (potentially)
 bypassing Application Level Filtering


Sharing some results from my research on deserialization
(vulnerabilities, or rather gadgets):

- a static bytecode analyzer that traces invocations reachable
from deserialization that helps (high FP rate, obviously) with finding
gadget chains even when more complex interactions are involved:

- through it discovered a few more RCE gadgets, most notably ones in

- and MyFaces (actually that's RCE via EL injection via deserialization);
that one is only usable in a JSF context - but MyFaces also performs
unsafe deserialization when org.apache.myfaces.USE_ENCRYPTION=false (yes,
also with server-side state saving), and while being totally unnecessary
they are unwilling to fix this:

- and a method for bypassing application level filtering. Basically you
can open up JRMP (RMI) listeners and connections via various gadgets
(in the standard library) which then again use a standard
ObjectInputStream and can be used to exploit otherwise filtered gadgets.
Jenkins just fixed this specific vector (CVE-2016-0788) but this
potentially affects anybody that is using application level filters
(i.e., filtering ObjectInputStreams) and either is using blacklisting or
a too broad whitelist.

These are all now available in my ysoserial branch



