Date: Mon, 29 Feb 2016 20:30:52 +0100
From: Moritz Bechler <mbechler@...terphace.org>
To: oss-security@...ts.openwall.com
Subject: Java Deserialization continued, Analysis Tooling and (potentially) bypassing Application Level Filtering

Hi,

sharing some results from my research on deserialization (vulnerabilities, or rather gadgets):

- a static bytecode analyzer that traces invocations reachable from deserialization that helps (high FP rate, obviously) with finding gadget chains even when more complex interactions are involved: <https://github.com/mbechler/serianalyzer>

- through it discovered a few more RCE gadgets, most notably ones in Hibernate

- and MyFaces (actually that's RCE via EL injection via deserialization); that one is only usable in a JSF context, but MyFaces also performs unsafe deserialization when org.apache.myfaces.USE_ENCRYPTION=false (yes, also with server side state saving, and while being totally unnecessary they are unwilling to fix this: <https://issues.apache.org/jira/browse/MYFACES-4021>).

- and a method for bypassing application level filtering. Basically you can open up JRMP (RMI) listeners and connections via various gadgets (in the standard library) which then again use a standard ObjectInputStream and can be used to exploit otherwise filtered gadgets. Jenkins just fixed this specific vector (CVE-2016-0788) but this potentially affects anybody that is using application level filters (i.e. filtering ObjectInputStreams) and either is using blacklisting or a too broad whitelist.

These are all now available in my ysoserial branch <https://github.com/mbechler/ysoserial>

regards
Moritz