A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.
Please use the #javadeser hashtag for tweets.
- Java Native Serialization (binary)
- XMLEncoder (XML)
- XStream (XML/JSON/various)
- Kryo (binary)
- Hessian/Burlap (binary/XML)
- Castor (XML)
- json-io (JSON)
- Jackson (JSON)
- Red5 IO AMF (AMF)
- Apache Flex BlazeDS (AMF)
- Flamingo AMF (AMF)
- GraniteDS (AMF)
- WebORB for Java (AMF)
- SnakeYAML (YAML)
- jYAML (YAML)
- YamlBeans (YAML)
- "Safe" deserialization
by @pwntester & @cschneider4711
by @cschneider4711 & @pwntester
by @pwntester and O. Mirosh
by @e_rnst
by deadcode.me
https://github.com/frohoff/ysoserial
RCE (or something else) via:
- Apache Commons Collections <= 3.1
- Apache Commons Collections <= 4.0
- Groovy <= 2.3.9
- Spring Core <= 4.1.4 (?)
- JDK <=7u21
- Apache Commons BeanUtils 1.9.2 + Commons Collections <=3.1 + Commons Logging 1.2 (?)
- BeanShell 2.0
- Groovy 2.3.9
- Jython 2.5.2
- C3P0 0.9.5.2
- Apache Commons Fileupload <= 1.3.1 (File uploading, DoS)
- ROME 1.0
- MyFaces
- JRMPClient/JRMPListener
- JSON
- Hibernate
Additional tools (integration ysoserial with Burp Suite):
Full shell (pipes, redirects and other stuff):
- $@|sh – Or: Getting a shell environment from Runtime.exec
- Set String[] for Runtime.exec (patch ysoserial's payloads)
- Shell Commands Converter
How it works:
- https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/
- http://gursevkalra.blogspot.ro/2016/01/ysoserial-commonscollections1-exploit.html
https://github.com/pwntester/JRE8u20_RCE_Gadget
Pure JRE 8 RCE Deserialization gadget
https://github.com/GrrrDog/ACEDcup
File uploading via:
- Apache Commons FileUpload <= 1.3 (CVE-2013-2186) and Oracle JDK < 7u40
https://gist.github.com/coekie/a27cc406fc9f3dc7a70d
Won't fix DoS via default Java classes (JRE)
https://github.com/topolik/ois-dos/
How it works:
Won't fix DoS using default Java classes (JRE)
no spec tool - You don't need a special tool (just Burp/ZAP + payload)
- Protocol
- Default - 1099/tcp for rmiregistry
ysoserial (works only against a RMI registry service)
- Protocol based on RMI
- partially patched in JRE
- When we control an address used for a JNDI lookup (context.lookup(address)) and can get a back-connection from the server
- Full info
- JNDI remote code injection
https://github.com/zerothoughts/jndipoc
- if no encryption or good mac
no spec tool
- Protocol
- Default - 7001/tcp on localhost interface
- CVE-2015-4852
loubia (tested on 11g and 12c, supports t3s)
JavaUnserializeExploits (doesn't work for all Weblogic versions)
- wsadmin
- Default port - 8880/tcp
- CVE-2015-7450
- When using custom form authentication
- WASPostParam cookie
- Full info
no spec tool
- http://jboss_server/invoker/JMXInvokerServlet
- Default port - 8080/tcp
- CVE-2015-7501
https://github.com/njfox/Java-Deserialization-Exploit
- Jenkins CLI
- Default port - High number/tcp
- CVE-2015-8103
- CVE-2015-3253
- patch "bypass" for Jenkins
- CVE-2016-0788
- Details of exploit
- Jenkins CLI LDAP
- Default port - High number/tcp
- <= 2.32
- <= 2.19.3 (LTS)
- CVE-2016-9299
Metasploit Module for CVE-2016-9299
- <= 2.1.2
- When Rest API accepts serialized objects (uses ObjectRepresentation)
no spec tool
- When Rest API accepts serialized objects (uses @Consumes({"*/*"}) or "application/*" )
- Details and examples
no spec tool
- RMI
- all versions
- RMI
- CVE-2015-7253
- Serialized object in cookie
no spec tool
- /servlet/ConsoleServlet?ActionType=SendStatPing
- CVE-2015-6555
- https://[target]:18443/v3/dataflow/0/0
- CVE-2016-3461
no spec tool
- custom(?) protocol (1337/tcp)
- MSA-2016-01
- <= 6.3.1
- RMI
- CVE-2016-3642
- https://[target]/xmp_data_handler_service/xmpDataOperationRequestServlet
- <= 2.2.3 Update 4
- <= 3.0.2
- CVE-2016-1291
CoalfireLabs/java_deserialization_exploits
- <= 5.8.0.32.2
- RMI (2020 tcp)
- CSCux34781
- all versions, no fix (the project is no longer supported)
- POST XML request with ex:serializable element
- Details and examples
no spec tool
- because it uses Apache XML-RPC
- CVE-2016-5004
- Details and examples
no spec tool
- https://[target]/developmentserver/metadatauploader
- CVE-2017-9844
- admin panel for Solaris
- < v3.1.
- old DoS sploit
no spec tool
- 1.0.0 <= version < 1.0.13
- 1.2.1 <= version < 1.2.14
- 2.0.0 <= version < 2.0.1
- 2.1.0 <= version < 2.1.1
- it does not check the MAC
- CVE-2016-5004
no spec tool
- version 4.x
- CVE-2017-5586
- ObjectInputStream.readObject
- ObjectInputStream.readUnshared
- Tool: Find Security Bugs
- Tool: Serianalyzer
- Magic bytes 'ac ed 00 05' at the start of the stream
- 'rO0' for Base64
- 'application/x-java-serialized-object' for Content-Type header
- Nmap >=7.10 has more java-related probes
- use nmap --version-all to find JMX/RMI on non-standard ports
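The three indicators above (raw magic bytes, the 'rO0' Base64 prefix, and the Content-Type header) are easy to turn into a request-boundary check for a WAF rule, a reverse-proxy filter or a log-scanning script. The following is an added example, not code from the cheat sheet or any project it lists; the class and method names are mine, and the sample inputs are constructed inline by serializing a harmless String. Note that 'rO0' is only a pre-filter: it is the Base64 encoding of the first three magic bytes, but it can also occur in unrelated text, so the decoded bytes are checked as well.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.util.Base64;

/**
 * Added example (not part of the cheat sheet): flag Java-serialization payloads
 * using the raw magic, the Base64 'rO0' prefix and the Content-Type header.
 */
public final class JavaSerializationDetector {

    // ObjectOutputStream header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (0x0005)
    private static final byte[] STREAM_MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};

    /** True if the body starts with 'ac ed 00 05'. */
    public static boolean isRawSerializedStream(byte[] body) {
        if (body == null || body.length < STREAM_MAGIC.length) {
            return false;
        }
        for (int i = 0; i < STREAM_MAGIC.length; i++) {
            if (body[i] != STREAM_MAGIC[i]) {
                return false;
            }
        }
        return true;
    }

    /**
     * True if the value is Base64 whose decoded bytes carry the magic. The 'rO0'
     * prefix is a cheap pre-filter; decoding confirms it, because 'rO0' can also
     * occur in ordinary text that happens to be valid Base64.
     */
    public static boolean isBase64SerializedStream(String value) {
        if (value == null || !value.startsWith("rO0")) {
            return false;
        }
        String trimmed = value.trim();
        try {
            return isRawSerializedStream(Base64.getDecoder().decode(trimmed));
        } catch (IllegalArgumentException notStandardBase64) {
            try {   // cookies and URL parameters often use the URL-safe alphabet
                return isRawSerializedStream(Base64.getUrlDecoder().decode(trimmed));
            } catch (IllegalArgumentException notBase64AtAll) {
                return false;
            }
        }
    }

    /** True if the Content-Type header announces a serialized object (parameters such as charset are ignored). */
    public static boolean hasSerializedContentType(String contentType) {
        return contentType != null
            && contentType.trim().toLowerCase().startsWith("application/x-java-serialized-object");
    }

    /** Builds a genuine serialized stream for the demo (constructed sample input, not attacker data). */
    private static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] stream = serialize("hello");                      // begins with ac ed 00 05
        String b64 = Base64.getEncoder().encodeToString(stream); // begins with rO0AB
        System.out.println("raw body:      " + isRawSerializedStream(stream));
        System.out.println("base64 cookie: " + isBase64SerializedStream(b64));
        System.out.println("plain JSON:    " + isRawSerializedStream("{\"a\":1}".getBytes()));
        System.out.println("rO0 in text:   " + isBase64SerializedStream("rO0ks-fine"));
        System.out.println("content-type:  " + hasSerializedContentType("application/x-java-serialized-object; charset=x"));
    }
}
```

In a proxy or application filter, run the body check on every request regardless of Content-Type: the header is set by the client and is absent in most real incidents, while the magic bytes cannot be omitted because ObjectInputStream refuses a stream without them.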
- SOLR-8262
- 5.1 <= version <=5.4
- /stream handler uses Java serialization for RPC
- SHIRO-550
- encrypted cookie (with the hardcoded key)
- CVE-2015-6576
- 2.2 <= version < 5.8.5
- 5.9.0 <= version < 5.9.7
- CVE-2015-8360
- 2.3.1 <= version < 5.9.9
- Bamboo JMS port (port 54663 by default)
- only Jira with a Data Center license
- RMI (port 40001 by default)
- JRA-46203
- version < 2.4.17
- "an ActorSystem exposed via Akka Remote over TCP"
- Official description
- CVE-2016-2173
- 1.0.0 <= version < 1.5.5
- CVE-2016-6809
- 1.6 <= version < 1.14
- Apache Tika’s MATLAB Parser
- custom(?) protocol (60024/tcp)
- article
- 6.0 <= version < 6.4.0
- REST API
- VMSA-2016-0020
- CVE-2016-7462
- CVE-2015-8237
- RMI (30xx/tcp)
- CVE-2015-8238
- js-soc protocol (4711/tcp)
- 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
- 201505-01
- requires local access
- CVE-2016-0714
- Article
- version < 8.7.0
- CVE-2016-3415
- Look-ahead Java deserialization
- NotSoSerial
- SerialKiller
- ValidatingObjectInputStream
- Name Space Layout Randomization
- Some protection bypasses
- Tool: Serial Whitelist Application Trainer
- JEP 290: Filter Incoming Serialization Data in JDK 6u141, 7u131, 8u121
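Look-ahead deserialization, the approach behind NotSoSerial, SerialKiller and ValidatingObjectInputStream, works by checking the class name in resolveClass() before any instance is created, so a class outside the allow-list never reaches readObject()/readResolve(), which is where gadget chains start. JEP 290 expresses the same policy (plus depth and size limits) as a filter pattern. The following is an added example written for this page; it is not code from the cheat sheet or from any of the projects named above. The class and method names are mine, and the inputs are constructed by serializing a harmless Integer and an empty HashMap, the latter standing in for any class that is not on the list. It needs JDK 9+ for java.io.ObjectInputFilter (the 6u141/7u131/8u121 backports expose it as sun.misc.ObjectInputFilter).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not the cheat sheet's code, not taken from NotSoSerial, SerialKiller or
 * ValidatingObjectInputStream): look-ahead deserialization with an allow-list, plus the
 * same policy as a JEP 290 filter.
 */
public final class LookAheadObjectInputStream extends ObjectInputStream {

    private final Set<String> allowedClasses;

    public LookAheadObjectInputStream(InputStream in, Set<String> allowedClasses) throws IOException {
        super(in);   // the constructor only reads and validates the 'ac ed 00 05' header
        this.allowedClasses = allowedClasses;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowedClasses.contains(name)) {
            // Reject before the class is even loaded; no constructor, readObject or readResolve runs.
            throw new InvalidClassException(name, "not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    /**
     * Same policy as a JEP 290 filter. Pattern syntax: class names or package globs separated
     * by ';', '!' rejects, and a trailing "!*" rejects everything not listed. Resource limits
     * such as "maxdepth=5;maxarray=1000;maxbytes=65536" go in the same pattern and also cover
     * the "won't fix" DoS streams listed above.
     */
    public static ObjectInputStream withJep290Filter(InputStream in, String pattern) throws IOException {
        ObjectInputStream ois = new ObjectInputStream(in);
        ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(pattern));
        return ois;
    }

    /** Builds the demo inputs (constructed samples, not attacker data). */
    private static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    private static void tryRead(String label, ObjectInputStream ois) {
        try (ois) {
            System.out.println(label + ": accepted " + ois.readObject().getClass().getName());
        } catch (InvalidClassException e) {
            System.out.println(label + ": rejected (" + e.getMessage() + ")");
        } catch (IOException | ClassNotFoundException e) {
            System.out.println(label + ": failed (" + e + ")");
        }
    }

    public static void main(String[] args) throws IOException {
        // Integer's stream carries descriptors for java.lang.Integer and its serializable
        // superclass java.lang.Number, so both must be on the list.
        Set<String> allow = new HashSet<>(Arrays.asList("java.lang.Integer", "java.lang.Number"));
        byte[] expected = serialize(42);
        byte[] unexpected = serialize(new HashMap<String, String>());

        tryRead("look-ahead, Integer", new LookAheadObjectInputStream(new ByteArrayInputStream(expected), allow));
        tryRead("look-ahead, HashMap", new LookAheadObjectInputStream(new ByteArrayInputStream(unexpected), allow));

        String pattern = "java.lang.Integer;java.lang.Number;!*";
        tryRead("JEP 290, Integer", withJep290Filter(new ByteArrayInputStream(expected), pattern));
        tryRead("JEP 290, HashMap", withJep290Filter(new ByteArrayInputStream(unexpected), pattern));
    }
}
```

The allow-list has to name every class that appears in the stream, including serializable superclasses, which is why "Serial Whitelist Application Trainer" style tooling records the classes an application legitimately deserializes. Prefer an allow-list over a deny-list: the protection bypasses listed above are mostly new gadget classes that a deny-list had not yet heard of.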
- One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android
- Android Serialization Vulnerabilities Revisited
How it works:
- http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
- Java Unmarshaller Security
Payload generators:
How it works:
- http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/
- http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
- https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
- Java Unmarshaller Security
Payload generators:
Vulnerable apps (without public sploits/need more info):
How it works:
- https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo
- Java Unmarshaller Security
Payload generators:
How it works:
Payload generators:
How it works:
Payload generators:
Vulnerable apps (without public sploits/need more info):
How it works:
Payload generators:
vulnerable in some configuration
How it works:
Payload generators:
Vulnerable apps (without public sploits/need more info):
How it works:
Payload generators:
Vulnerable apps (without public sploits/need more info):
How it works:
Payload generators:
Vulnerable apps (without public sploits/need more info):
- CVE-2017-3066
- <= 2016 Update 3
- <= 11 update 11
- <= 10 Update 22
How it works:
Payload generators:
Vulnerable apps (without public sploits/need more info):
How it works:
Payload generators:
How it works:
Payload generators:
Some serialization libs are safe (or almost safe): https://github.com/mbechler/marshalsec
However, this is not a recommendation, just a list of other libraries that have been researched by someone:
- JAXB
- XmlBeans
- Jibx
- Protobuf
- GSON
- GWT-RPC