Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 29 Feb 2016 20:30:52 +0100
From: Moritz Bechler <>
Subject: Java Deserialization continued, Analysis Tooling and (potentially)
 bypassing Application Level Filtering


sharing some results from my research on deserialization
(vulnerabilities, or rather gadgets):

- a static bytecode analyzer that traces invocations reachable
from deserialization that helps (high FP rate, obviously) with finding
gadget chains even when more complex interactions are involved:

- through it discovered a few more RCE gadgets most notably ones in

- and MyFaces (actually that's RCE via EL injection via deserialization)
that one is only usable in a JSF context - but MyFaces also performs
unsafe deserization when org.apache.myfaces.USE_ENCRYPTION=false (yes,
also with server side state saving, and while being totally unnecessary
they are unwilling to fix this:

- and a method for bypassing application level filtering. Basically you
can open up JRMP (RMI) listeners and connections via various gadgets
(in the standard library) which then again use a standard
ObjectInputStream and can be used to exploit otherwise filtered gadgets.
Jenkins just fixed this sepecific vector (CVE-2016-0788) but this
potentially affects anybody that is using application level filters
(i.e. filtering ObjectInputStreams) and either is using blacklisting or
a too broad whitelist.

These are all now available in my ysoserial branch



Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.