Date: Mon, 29 Feb 2016 20:30:52 +0100
From: Moritz Bechler <mbechler@...terphace.org>
To: oss-security@...ts.openwall.com
Subject: Java Deserialization continued, Analysis Tooling and (potentially) bypassing Application Level Filtering

Hi,

sharing some results from my research on deserialization (vulnerabilities, or rather gadgets):

- a static bytecode analyzer that traces invocations reachable from deserialization that helps (high FP rate, obviously) with finding gadget chains even when more complex interactions are involved: <https://github.com/mbechler/serianalyzer>

- through it discovered a few more RCE gadgets most notably ones in Hibernate - and MyFaces (actually that's RCE via EL injection via deserialization) that one is only usable in a JSF context - but MyFaces also performs unsafe deserialization when org.apache.myfaces.USE_ENCRYPTION=false (yes, also with server side state saving, and while being totally unnecessary they are unwilling to fix this: <https://issues.apache.org/jira/browse/MYFACES-4021>).

- and a method for bypassing application level filtering. Basically you can open up JRMP (RMI) listeners and connections via various gadgets (in the standard library) which then again use a standard ObjectInputStream and can be used to exploit otherwise filtered gadgets. Jenkins just fixed this specific vector (CVE-2016-0788) but this potentially affects anybody that is using application level filters (i.e. filtering ObjectInputStreams) and either is using blacklisting or a too broad whitelist.

These are all now available in my ysoserial branch <https://github.com/mbechler/ysoserial>

regards

Moritz
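
The blacklist-versus-whitelist point in the message above, as an added Java example that is not part of the original post or of serianalyzer/ysoserial: a `resolveClass`-based stream filter run in deny-list and allow-list mode over the same bytes. `Order`, `Unexpected` and `com.example.KnownGadget` are constructed stand-ins, not real gadget classes.

```java
import java.io.*;
import java.util.*;

public class FilterDemo {
    // Constructed stand-ins: Order is the only type the application expects;
    // Unexpected is any serializable class the deny-list author did not anticipate.
    static class Order implements Serializable { String id = "A-1"; }
    static class Unexpected implements Serializable { int x = 1; }

    static class FilteringStream extends ObjectInputStream {
        private final Set<String> names;
        private final boolean allowMode;
        FilteringStream(InputStream in, Set<String> names, boolean allowMode) throws IOException {
            super(in);
            this.names = names;
            this.allowMode = allowMode;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            boolean listed = names.contains(desc.getName());
            // allow mode: class must be listed; deny mode: class must not be listed
            if (allowMode != listed)
                throw new InvalidClassException(desc.getName(), "rejected by filter");
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    static String tryRead(byte[] data, Set<String> names, boolean allowMode) {
        try (ObjectInputStream in = new FilteringStream(new ByteArrayInputStream(data), names, allowMode)) {
            return "accepted " + in.readObject().getClass().getName();
        } catch (IOException | ClassNotFoundException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        Set<String> deny = Collections.singleton("com.example.KnownGadget"); // hypothetical entry
        Set<String> allow = Collections.singleton(Order.class.getName());
        byte[] payload = serialize(new Unexpected());
        System.out.println("deny-list : " + tryRead(payload, deny, false));
        System.out.println("allow-list: " + tryRead(payload, allow, true));
        System.out.println("allow-list: " + tryRead(serialize(new Order()), allow, true));
    }
}
```

The filter only sees classes read from the stream it wraps; a stream opened elsewhere during deserialization (the JRMP case the message describes) is not covered by it, so the allow list should name only the types the application expects.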