Date: Mon, 29 Feb 2016 20:30:52 +0100
From: Moritz Bechler <mbechler@...terphace.org>
To: oss-security@...ts.openwall.com
Subject: Java Deserialization continued, Analysis Tooling and (potentially) bypassing Application Level Filtering

Hi,

sharing some results from my research on deserialization
(vulnerabilities, or rather gadgets):

- a static bytecode analyzer that traces invocations reachable
from deserialization that helps (high FP rate, obviously) with finding
gadget chains even when more complex interactions are involved:
<https://github.com/mbechler/serianalyzer>

- through it discovered a few more RCE gadgets most notably ones in
Hibernate

- and MyFaces (actually that's RCE via EL injection via deserialization)
that one is only usable in a JSF context - but MyFaces also performs
unsafe deserialization when org.apache.myfaces.USE_ENCRYPTION=false (yes,
also with server side state saving, and while being totally unnecessary
they are unwilling to fix this:
<https://issues.apache.org/jira/browse/MYFACES-4021>).

- and a method for bypassing application level filtering. Basically you
can open up JRMP (RMI) listeners and connections via various gadgets
(in the standard library) which then again use a standard
ObjectInputStream and can be used to exploit otherwise filtered gadgets.
Jenkins just fixed this specific vector (CVE-2016-0788) but this
potentially affects anybody that is using application level filters
(i.e. filtering ObjectInputStreams) and either is using blacklisting or
a too broad whitelist.

These are all now available in my ysoserial branch
<https://github.com/mbechler/ysoserial>


regards

Moritz




