Java-Deserialization-Cheat-Sheet
A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.
Please use the #javadeser hashtag for tweets.
Table of contents
- Java Native Serialization (binary)
- XMLEncoder (XML)
- XStream (XML/JSON/various)
- Kryo (binary)
- Hessian/Burlap (binary/XML)
- Castor (XML)
- json-io (JSON)
- Jackson (JSON)
- Red5 IO AMF (AMF)
- Apache Flex BlazeDS (AMF)
- Flamingo AMF (AMF)
- GraniteDS (AMF)
- WebORB for Java (AMF)
- SnakeYAML (YAML)
- jYAML (YAML)
- YamlBeans (YAML)
- "Safe" deserialization
Java Native Serialization (binary)
Overview
Main talks & presentations & docs
Marshalling Pickles
Exploiting Deserialization Vulnerabilities in Java
Serial Killer: Silently Pwning Your Java Endpoints
by @pwntester & @cschneider4711
Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization
Surviving the Java serialization apocalypse
by @cschneider4711 & @pwntester
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Pwning Your Java Messaging With Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
A Journey From JNDI/LDAP Manipulation To Remote Code Execution Dream Land
by @pwntester and O. Mirosh
Fixing the Java Serialization mess
by @e_rnst
Blind Java Deserialization
by deadcode.me
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (JVM)
by @joaomatosf
Payload generators
ysoserial
https://github.com/frohoff/ysoserial
ysoserial 0.6 payloads:
payload | author | dependencies | impact (if not RCE) |
---|---|---|---|
BeanShell1 | @pwntester, @cschneider4711 | bsh:2.0b5 | |
C3P0 | @mbechler | c3p0:0.9.5.2, mchange-commons-java:0.2.11 | |
Clojure | @JackOfMostTrades | clojure:1.8.0 | |
CommonsBeanutils1 | @frohoff | commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 | |
CommonsCollections1 | @frohoff | commons-collections:3.1 | |
CommonsCollections2 | @frohoff | commons-collections4:4.0 | |
CommonsCollections3 | @frohoff | commons-collections:3.1 | |
CommonsCollections4 | @frohoff | commons-collections4:4.0 | |
CommonsCollections5 | @matthias_kaiser, @jasinner | commons-collections:3.1 | |
CommonsCollections6 | @matthias_kaiser | commons-collections:3.1 | |
FileUpload1 | @mbechler | commons-fileupload:1.3.1, commons-io:2.4 | file uploading |
Groovy1 | @frohoff | groovy:2.3.9 | |
Hibernate1 | @mbechler | ||
Hibernate2 | @mbechler | ||
JBossInterceptors1 | @matthias_kaiser | javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 | |
JRMPClient | @mbechler | ||
JRMPListener | @mbechler | ||
JSON1 | @mbechler | json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 | |
JavassistWeld1 | @matthias_kaiser | javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 | |
Jdk7u21 | @frohoff | ||
Jython1 | @pwntester, @cschneider4711 | jython-standalone:2.5.2 | |
MozillaRhino1 | @matthias_kaiser | js:1.7R2 | |
Myfaces1 | @mbechler | ||
Myfaces2 | @mbechler | ||
ROME | @mbechler | rome:1.0 | |
Spring1 | @frohoff | spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE | |
Spring2 | @mbechler | spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 | |
URLDNS | @gebl | jre only vuln detect | |
Wicket1 | @jacob-baines | wicket-util:6.23.0, slf4j-api:1.6.4 | |
Additional tools (ysoserial integration with Burp Suite):
Full shell (pipes, redirects and other stuff):
- $@|sh – Or: Getting a shell environment from Runtime.exec
- Set String[] for Runtime.exec (patch ysoserial's payloads)
- Shell Commands Converter
How it works:
- https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/
- http://gursevkalra.blogspot.ro/2016/01/ysoserial-commonscollections1-exploit.html
JRE8u20_RCE_Gadget
https://github.com/pwntester/JRE8u20_RCE_Gadget
Pure JRE 8 RCE Deserialization gadget
ACEDcup
https://github.com/GrrrDog/ACEDcup
File uploading via:
- Apache Commons FileUpload <= 1.3 (CVE-2013-2186) and Oracle JDK < 7u40
Universal billion-laughs DoS
https://gist.github.com/coekie/a27cc406fc9f3dc7a70d
Won't fix DoS via default Java classes (JRE)
Universal Heap overflows DoS using Arrays and HashMaps
https://github.com/topolik/ois-dos/
How it works:
Won't fix DoS using default Java classes (JRE)
Exploits
no spec tool - no special tool is needed (just Burp/ZAP + a payload)
RMI
- Protocol
- Default - 1099/tcp for rmiregistry
ysoserial (works only against an RMI registry service)
JMX
- Protocol based on RMI
- partially patched in the JRE
JNDI/LDAP
- When we control the address used for a JNDI lookup (context.lookup(address)) and can receive a back-connection from the server
- Full info
- JNDI remote code injection
https://github.com/zerothoughts/jndipoc
JMS
JSF ViewState
- if there is no encryption or no good MAC
no spec tool
T3 of Oracle Weblogic
- Protocol
- Default - 7001/tcp on localhost interface
- CVE-2015-4852
- Blacklist bypass
loubia (tested on 11g and 12c, supports t3s)
JavaUnserializeExploits (doesn't work for all Weblogic versions)
IBM Websphere (1)
- wsadmin
- Default port - 8880/tcp
- CVE-2015-7450
IBM Websphere (2)
- When using custom form authentication
- WASPostParam cookie
- Full info
no spec tool
Red Hat JBoss (1)
- http://jboss_server/invoker/JMXInvokerServlet
- Default port - 8080/tcp
- CVE-2015-7501
https://github.com/njfox/Java-Deserialization-Exploit
Red Hat JBoss 6.X
- http://jboss_server/invoker/readonly
- Default port - 8080/tcp
- CVE-2017-12149
- JBoss 6.X and EAP 5.X
- Details
no spec tool
Red Hat JBoss 4.x
- http://jboss_server/jbossmq-httpil/HTTPServerILServlet/
- <= 4.x
- CVE-2017-7504
no spec tool
Jenkins (1)
- Jenkins CLI
- Default port - a high-numbered tcp port
- CVE-2015-8103
- CVE-2015-3253
Jenkins (2)
- patch "bypass" for Jenkins
- CVE-2016-0788
- Details of exploit
Jenkins (s)
- Jenkins CLI LDAP
- Default port - a high-numbered tcp port
- <= 2.32
- <= 2.19.3 (LTS)
- CVE-2016-9299
Metasploit Module for CVE-2016-9299
CloudBees Jenkins
- <= 2.32.1
- CVE-2017-1000353
- Details
Restlet
- <= 2.1.2
- When the REST API accepts serialized objects (uses ObjectRepresentation)
no spec tool
RESTEasy
- When the REST API accepts serialized objects (uses @Consumes({"*/*"}) or "application/*")
- Details and examples
no spec tool
OpenNMS
- RMI
Progress OpenEdge RDBMS
- all versions
- RMI
Commvault Edge Server
- CVE-2015-7253
- Serialized object in cookie
no spec tool
Symantec Endpoint Protection Manager
- /servlet/ConsoleServlet?ActionType=SendStatPing
- CVE-2015-6555
Oracle MySQL Enterprise Monitor
- https://[target]:18443/v3/dataflow/0/0
- CVE-2016-3461
no spec tool
PowerFolder Business Enterprise Suite
- custom(?) protocol (1337/tcp)
- MSA-2016-01
Solarwinds Virtualization Manager
- <= 6.3.1
- RMI
- CVE-2016-3642
Cisco Prime Infrastructure
- https://[target]/xmp_data_handler_service/xmpDataOperationRequestServlet
- <= 2.2.3 Update 4
- <= 3.0.2
- CVE-2016-1291
CoalfireLabs/java_deserialization_exploits
Cisco ACS
- <= 5.8.0.32.2
- RMI (2020 tcp)
- CSCux34781
Apache XML-RPC
- all versions, no fix (the project is no longer supported)
- POST XML request with ex:serializable element
- Details and examples
no spec tool
Apache Archiva
- because it uses Apache XML-RPC
- CVE-2016-5004
- Details and examples
no spec tool
SAP NetWeaver
- https://[target]/developmentserver/metadatauploader
- CVE-2017-9844
Sun Java Web Console
- admin panel for Solaris
- < v3.1
- old DoS sploit
no spec tool
Apache MyFaces Trinidad
- 1.0.0 <= version < 1.0.13
- 1.2.1 <= version < 1.2.14
- 2.0.0 <= version < 2.0.1
- 2.1.0 <= version < 2.1.1
- it does not check the MAC
- CVE-2016-5004
no spec tool
Apache Tomcat JMX
OpenText Documentum D2
- version 4.x
- CVE-2017-5586
Liferay
- /api/spring
- /api/liferay
- <= 7.0-ga3
- if the IP check works incorrectly
- Details
no spec tool
Apache ActiveMQ - Client lib
Redhat/Apache HornetQ - Client lib
Oracle OpenMQ - Client lib
IBM WebSphereMQ - Client lib
Oracle Weblogic - Client lib
Pivotal RabbitMQ - Client lib
IBM MessageSight - Client lib
IIT Software SwiftMQ - Client lib
Apache ActiveMQ Artemis - Client lib
Apache QPID JMS - Client lib
Apache QPID - Client lib
Amazon SQS Java Messaging - Client lib
Detect
Code review
- ObjectInputStream.readObject
- ObjectInputStream.readUnshared
- Tool: Find Security Bugs
- Tool: Serianalyzer
Traffic
- Magic bytes 'ac ed 00 05' at the start of the stream
- 'rO0' prefix when the stream is Base64-encoded
- 'application/x-java-serialized-object' in the Content-Type header
Network
- Nmap >= 7.10 has more Java-related probes
- use nmap --version-all to find JMX/RMI on non-standard ports
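As an added example (not code from the original cheat sheet), a small Python checker that applies the three traffic indicators above to a request: it looks for the 'ac ed 00 05' header raw or as an 'rO0AB...' Base64 token, checks the Content-Type header, and reads the outermost class name from the stream's class descriptor so a reviewer can see what was sent. The sample stream and cookie body are constructed inline, and `extract_stream`, `inspect_request` and the other names are the example's own.

```python
import base64
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"            # 'ac ed 00 05' from java.io.ObjectStreamConstants
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72           # type codes that open a serialized object
SERIALIZED_CT = "application/x-java-serialized-object"
B64_TOKEN = re.compile(rb"rO0AB[A-Za-z0-9+/]*={0,2}")  # base64 of 'ac ed 00 05...' always starts 'rO0AB'

def extract_stream(body: bytes):
    """Return (stream, 'raw' | 'base64') if body carries a Java serialization stream, else (None, None)."""
    idx = body.find(STREAM_MAGIC)
    if idx != -1:
        return body[idx:], "raw"
    m = B64_TOKEN.search(body)
    if m:
        token = m.group(0)
        token += b"=" * (-len(token) % 4)      # restore padding stripped by URL/cookie encoders
        try:
            decoded = base64.b64decode(token)
        except ValueError:
            return None, None
        if decoded.startswith(STREAM_MAGIC):   # 'rO0AB' can also decode to a non-Java prefix
            return decoded, "base64"
    return None, None

def outer_class_name(stream: bytes):
    """Best-effort name of the outermost class: header, TC_OBJECT, TC_CLASSDESC, then a UTF class name."""
    if len(stream) < 8 or stream[4] != TC_OBJECT or stream[5] != TC_CLASSDESC:
        return None
    (n,) = struct.unpack(">H", stream[6:8])
    return stream[8:8 + n].decode("utf-8", errors="replace")

def inspect_request(headers: dict, body: bytes) -> dict:
    """Combine the Content-Type hint and the body check into one verdict for a request."""
    ct = next((v for k, v in headers.items() if k.lower() == "content-type"), "").lower()
    stream, enc = extract_stream(body)
    return {
        "content_type_hint": SERIALIZED_CT in ct,
        "stream_encoding": enc,
        "outer_class": outer_class_name(stream) if stream else None,
        "suspicious": SERIALIZED_CT in ct or stream is not None,
    }

# Constructed samples (not real captures): header + start of a class descriptor for java.util.HashMap
# (truncated after the name), and the same stream Base64-encoded inside a hypothetical cookie body.
def sample_stream(class_name: bytes = b"java.util.HashMap") -> bytes:
    return STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(class_name)) + class_name
def sample_cookie_body() -> bytes:
    return b"JSESSIONID=abc123; state=" + base64.b64encode(sample_stream()) + b"; theme=dark"
```

Run `inspect_request({"Content-Type": "text/plain"}, sample_cookie_body())` to see the Base64 case flagged even though the Content-Type gives no hint.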
Burp plugins
Vulnerable apps (without public sploits/need more info)
Spring Service Invokers (HTTP, JMS, RMI...)
SAP P4
Apache SOLR
- SOLR-8262
- 5.1 <= version <=5.4
- /stream handler uses Java serialization for RPC
Apache Shiro
- SHIRO-550
- encrypted cookie (with a hardcoded key)
Apache ActiveMQ (2)
Atlassian Bamboo (1)
- CVE-2015-6576
- 2.2 <= version < 5.8.5
- 5.9.0 <= version < 5.9.7
Atlassian Bamboo (2)
- CVE-2015-8360
- 2.3.1 <= version < 5.9.9
- Bamboo JMS port (port 54663 by default)
Atlassian Jira
- only Jira with a Data Center license
- RMI (port 40001 by default)
- JRA-46203
Akka
- version < 2.4.17
- "an ActorSystem exposed via Akka Remote over TCP"
- Official description
Spring AMQP
- CVE-2016-2173
- 1.0.0 <= version < 1.5.5
Apache Tika
- CVE-2016-6809
- 1.6 <= version < 1.14
- Apache Tika’s MATLAB Parser
Apache HBase
Apache Camel
Apache Log4j
- as a server
- CVE-2017-5645
Gradle (gui)
- custom(?) protocol (60024/tcp)
- article
Oracle Hyperion
Oracle Application Testing Suite
Red Hat JBoss BPM Suite
VMWare vRealize Operations
- 6.0 <= version < 6.4.0
- REST API
- VMSA-2016-0020
- CVE-2016-7462
VMWare vCenter/vRealize (various)
Cisco (various)
Lexmark Markvision Enterprise
McAfee ePolicy Orchestrator
HP iMC
HP Operations Orchestration
HP Asset Manager
HP Service Manager
HP Operations Manager
HP Release Control
HP Continuous Delivery Automation
HP P9000, XP7 Command View Advanced Edition (CVAE) Suite
HP Network Automation
Adobe Experience Manager
Unify OpenScape (various)
- CVE-2015-8237
- RMI (30xx/tcp)
- CVE-2015-8238
- js-soc protocol (4711/tcp)
Apache OFBiz
Apache Tomcat
- requires local access
- CVE-2016-0714
- Article
Apache TomEE
IBM Cognos BI
Novell NetIQ Sentinel
ForgeRock OpenAM
- 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
- 201505-01
F5 (various)
Hitachi (various)
NetApp (various)
Zimbra Collaboration
- < 8.7.0
- CVE-2016-3415
Adobe ColdFusion
- <= 2016 Update 5
- <= 11 update 13
- CVE-2017-11283
- CVE-2017-11284
Code42 CrashPlan
- TCP port 4282
- RMI (?)
- 5.4.x
- CVE-2017-9830
- Details
Apache Batchee
Apache JCS
Apache OpenJPA
Apache OpenWebBeans
Protection
- Look-ahead Java deserialization
- NotSoSerial
- SerialKiller
- ValidatingObjectInputStream
- Name Space Layout Randomization
- Some protection bypasses
- Tool: Serial Whitelist Application Trainer
- JEP 290: Filter Incoming Serialization Data in JDK 6u141, 7u131, 8u121
For Android
- One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android
- Android Serialization Vulnerabilities Revisited
XMLEncoder (XML)
How it works:
- http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
- Java Unmarshaller Security
Payload generators:
XStream (XML/JSON/various)
How it works:
- http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/
- http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
- https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
- Java Unmarshaller Security
Payload generators:
Exploits:
Apache Struts (S2-052)
- <= 2.3.34
- <= 2.5.13
- REST plugin
- CVE-2017-9805
Vulnerable apps (without public sploits/need more info):
Atlassian Bamboo
Jenkins
Kryo (binary)
How it works:
- https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo
- Java Unmarshaller Security
Payload generators:
Hessian/Burlap (binary/XML)
How it works:
Payload generators:
Castor (XML)
How it works:
Payload generators:
Vulnerable apps (without public sploits/need more info):
OpenNMS
json-io (JSON)
How it works:
Payload generators:
Jackson (JSON)
vulnerable in some configurations
How it works:
Payload generators:
- https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
- https://github.com/mbechler/marshalsec
Vulnerable apps (without public sploits/need more info):
Apache Camel
Red5 IO AMF (AMF)
How it works:
Payload generators:
Vulnerable apps (without public sploits/need more info):
Apache OpenMeetings
Apache Flex BlazeDS (AMF)
How it works:
Payload generators:
Vulnerable apps (without public sploits/need more info):
Adobe ColdFusion
- CVE-2017-3066
- <= 2016 Update 3
- <= 11 update 11
- <= 10 Update 22
Apache BlazeDS
VMWare VCenter
Flamingo AMF (AMF)
How it works:
GraniteDS (AMF)
How it works:
WebORB for Java (AMF)
How it works:
SnakeYAML (YAML)
How it works:
Payload generators:
Vulnerable apps (without public sploits/need more info):
Resteasy
Apache Camel
Apache Brooklyn
jYAML (YAML)
How it works:
Payload generators:
YamlBeans (YAML)
How it works:
Payload generators:
"Safe" deserialization
Some serialization libs are safe (or almost safe): https://github.com/mbechler/marshalsec
This is not a recommendation, just a list of other libs that have been researched by someone:
- JAXB
- XmlBeans
- Jibx
- Protobuf
- GSON
- GWT-RPC