A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.
Please, use #javadeser hash tag for tweets.
- Java Native Serialization (binary)
- XMLEncoder (XML)
- XStream (XML/JSON/various)
- Kryo (binary)
- Hessian/Burlap (binary/XML)
- Castor (XML)
- json-io (JSON)
- Jackson (JSON)
- Fastjson (JSON)
- Genson (JSON)
- Red5 IO AMF (AMF)
- Apache Flex BlazeDS (AMF)
- Flamingo AMF (AMF)
- GraniteDS (AMF)
- WebORB for Java (AMF)
- SnakeYAML (YAML)
- jYAML (YAML)
- YamlBeans (YAML)
- "Safe" deserialization
by @pwntester & @cschneider4711
by @cschneider4711 & @pwntester
by @pwntester and O. Mirosh
by @e_rnst
by deadcode.me
by @joaomatosf
by @ianhaken
https://github.com/frohoff/ysoserial
ysoserial 0.6 payloads:
payload | author | dependencies | impact (if not RCE) |
---|---|---|---|
BeanShell1 | @pwntester, @cschneider4711 | bsh:2.0b5 | |
C3P0 | @mbechler | c3p0:0.9.5.2, mchange-commons-java:0.2.11 | |
Clojure | @JackOfMostTrades | clojure:1.8.0 | |
CommonsBeanutils1 | @frohoff | commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 | |
CommonsCollections1 | @frohoff | commons-collections:3.1 | |
CommonsCollections2 | @frohoff | commons-collections4:4.0 | |
CommonsCollections3 | @frohoff | commons-collections:3.1 | |
CommonsCollections4 | @frohoff | commons-collections4:4.0 | |
CommonsCollections5 | @matthias_kaiser, @jasinner | commons-collections:3.1 | |
CommonsCollections6 | @matthias_kaiser | commons-collections:3.1 | |
CommonsCollections7 | @scristalli, @hanyrax, @EdoardoVignati | commons-collections:3.1 | |
FileUpload1 | @mbechler | commons-fileupload:1.3.1, commons-io:2.4 | file uploading |
Groovy1 | @frohoff | groovy:2.3.9 | |
Hibernate1 | @mbechler | ||
Hibernate2 | @mbechler | ||
JBossInterceptors1 | @matthias_kaiser | javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 | |
JRMPClient | @mbechler | ||
JRMPListener | @mbechler | ||
JSON1 | @mbechler | json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 | |
JavassistWeld1 | @matthias_kaiser | javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 | |
Jdk7u21 | @frohoff | ||
Jython1 | @pwntester, @cschneider4711 | jython-standalone:2.5.2 | |
MozillaRhino1 | @matthias_kaiser | js:1.7R2 | |
MozillaRhino2 | @_tint0 | js:1.7R2 | |
Myfaces1 | @mbechler | ||
Myfaces2 | @mbechler | ||
ROME | @mbechler | rome:1.0 | |
Spring1 | @frohoff | spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE | |
Spring2 | @mbechler | spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 | |
URLDNS | @gebl | jre only vuln detect | |
Vaadin1 | @kai_ullrich | vaadin-server:7.7.14, vaadin-shared:7.7.14 | |
Wicket1 | @jacob-baines | wicket-util:6.23.0, slf4j-api:1.6.4 |
Additional tools (detection, integration ysoserial with Burp Suite):
Additional tool to test RMI:
Full shell (pipes, redirects and other stuff):
- $@|sh – Or: Getting a shell environment from Runtime.exec
- Set String[] for Runtime.exec (patch ysoserial's payloads)
- Shell Commands Converter
How it works:
- https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/
- http://gursevkalra.blogspot.ro/2016/01/ysoserial-commonscollections1-exploit.html
https://github.com/pwntester/JRE8u20_RCE_Gadget
Pure JRE 8 RCE Deserialization gadget
https://github.com/GrrrDog/ACEDcup
File uploading via:
- Apache Commons FileUpload <= 1.3 (CVE-2013-2186) and Oracle JDK < 7u40
https://gist.github.com/coekie/a27cc406fc9f3dc7a70d
Won't fix DoS via default Java classes (JRE)
https://github.com/topolik/ois-dos/
How it works:
Won't fix DoS using default Java classes (JRE)
no spec tool - You don't need a special tool (just Burp/ZAP + payload)
- Protocol
- Default - 1099/tcp for rmiregistry
ysoserial (works only against a RMI registry service)
- Protocol based on RMI
- partially patched in JRE
- When we control an address for lookup of JNDI (context.lookup(address) and can have backconnect from a server
- Full info
- JNDI remote code injection
https://github.com/zerothoughts/jndipoc
- if no encryption or good mac
no spec tool
- Protocol
- Default - 7001/tcp on localhost interface
- CVE-2015-4852
- Blacklist bypass - CVE-2017-3248
- Blacklist bypass - CVE-2017-3248 PoC
- Blacklist bypass - CVE-2018-2628
- Blacklist bypass - CVE-2018-3245
- Blacklist bypass - CVE-2018-3191
- CVE-2019-2725
loubia (tested on 11g and 12c, supports t3s)
JavaUnserializeExploits (doesn't work for all Weblogic versions)
- auth required
- How it works
- CVE-2018-3252
- wsadmin
- Default port - 8880/tcp
- CVE-2015-7450
CoalfireLabs/java_deserialization_exploits
- When using custom form authentication
- WASPostParam cookie
- Full info
no spec tool
- http://jboss_server/invoker/JMXInvokerServlet
- Default port - 8080/tcp
- CVE-2015-7501
https://github.com/njfox/Java-Deserialization-Exploit
- http://jboss_server/invoker/readonly
- Default port - 8080/tcp
- CVE-2017-12149
- JBoss 6.X and EAP 5.X
- Details
no spec tool
- http://jboss_server/jbossmq-httpil/HTTPServerILServlet/
- <= 4.x
- CVE-2017-7504
no spec tool
- Jenkins CLI
- Default port - High number/tcp
- CVE-2015-8103
- CVE-2015-3253
- patch "bypass" for Jenkins
- CVE-2016-0788
- Details of exploit
- Jenkins CLI LDAP
- *Default port - High number/tcp
- <= 2.32
- <= 2.19.3 (LTS)
- CVE-2016-9299
- <= 2.32.1
- CVE-2017-1000353
- Details
- <= 2.1.2
- When Rest API accepts serialized objects (uses ObjectRepresentation)
no spec tool
- *When Rest API accepts serialized objects (uses @Consumes({"*/*"}) or "application/*" )
- Details and examples
no spec tool
- RMI
- all versions
- RMI
- CVE-2015-7253
- Serialized object in cookie
no spec tool
- /servlet/ConsoleServlet?ActionType=SendStatPing
- CVE-2015-6555
- https://[target]:18443/v3/dataflow/0/0
- CVE-2016-3461
no spec tool
- custom(?) protocol (1337/tcp)
- MSA-2016-01
- <= 6.3.1
- RMI
- CVE-2016-3642
- https://[target]/xmp_data_handler_service/xmpDataOperationRequestServlet
- <= 2.2.3 Update 4
- <= 3.0.2
- CVE-2016-1291
CoalfireLabs/java_deserialization_exploits
- <= 5.8.0.32.2
- RMI (2020 tcp)
- CSCux34781
- all version, no fix (the project is not supported)
- POST XML request with ex:serializable element
- Details and examples
no spec tool
- because it uses Apache XML-RPC
- CVE-2016-5004
- Details and examples
no spec tool
- https://[target]/developmentserver/metadatauploader
- CVE-2017-9844
- admin panel for Solaris
- < v3.1.
- old DoS sploit
no spec tool
- 1.0.0 <= version < 1.0.13
- 1.2.1 <= version < 1.2.14
- 2.0.0 <= version < 2.0.1
- 2.1.0 <= version < 2.1.1
- it does not check MAC
- CVE-2016-5019
no spec tool
- version 4.x
- CVE-2017-5586
- /api/spring
- /api/liferay
- <= 7.0-ga3
- if IP check works incorrectly
- Details
no spec tool
- /UFC
- <= 6.7.0
- Details
- version: 12, 13
- RMI
- CVE-2016-9498
- SHIRO-550
- encrypted cookie (with the hardcoded key)
- Exploitation (in Chinese)
- WebDMDebugServlet
- <= 7.3 E0504P2
- CVE-2017-12557
- RMI
- <= 7.3 E0504P2
- CVE-2017-5792
- All version (this was deemed by design by project maintainer)
- Binary
- Default port : 5001
- Info : https://axis.apache.org/axis2/java/core/docs/soapmonitor-module.html
java -jar ysoserial-*-all.jar CommonsCollections1 'COMMAND_HERE' | nc TARGET_SERVER 5001
- <= 3.0.1
- RMI
- Exploit
- <= 3.0.1
- RMI
- When using Distributed Test only
- Exploit
- <= 1.4.0
- JNDI injection
- /jolokia/
- Exploit
- < 3.0.1
- Analysis of CVE-2017-12628
- ObjectInputStream.readObject
- ObjectInputStream.readUnshared
- Tool: Find Security Bugs
- Tool: Serianalyzer
- Magic bytes 'ac ed 00 05' bytes
- 'rO0' for Base64
- 'application/x-java-serialized-object' for Content-Type header
- Nmap >=7.10 has more java-related probes
- use nmap --all-version to find JMX/RMI on non-standart ports
-
5.1 <= version <=5.4
-
/stream handler uses Java serialization for RPC
-
Attack via jmx.serviceUrl
- CVE-2015-6576
- 2.2 <= version < 5.8.5
- 5.9.0 <= version < 5.9.7
- CVE-2015-8360
- 2.3.1 <= version < 5.9.9
- Bamboo JMS port (port 54663 by default)
- only Jira with a Data Center license
- RMI (port 40001 by default)
- JRA-46203
- version < 2.4.17
- "an ActorSystem exposed via Akka Remote over TCP"
- Official description
- CVE-2016-2173
- 1.0.0 <= version < 1.5.5
- CVE-2016-6809
- 1.6 <= version < 1.14
- Apache Tika’s MATLAB Parser
- as server
- CVE-2017-5645
- custom(?) protocol(60024/tcp)
- article
- 6.0 <= version < 6.4.0
- REST API
- VMSA-2016-0020
- CVE-2016-7462
- CVE-2015-8237
- RMI (30xx/tcp)
- CVE-2015-8238
- js-soc protocol (4711/tcp)
- requires local access
- CVE-2016-0714
- Article
- 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
- 201505-01
- < 8.7.0
- CVE-2016-3415
- <= 8.8.11
- A Saga of Code Executions on Zimbra
- <= 2016 Update 4
- <= 11 update 12
- CVE-2017-11283
- CVE-2017-11284
- RMI
- <= 2016 Update 5
- <= 11 update 13
- Another ColdFusion RCE – CVE-2018-4939
- CVE-2018-4939
- port 45000
- when Clustering is enabled
- Won't Fix (?)
- 10.7 and 10.8
- Citrix advisory
- CVE-2018-10654
- SOAP connector
- <= 9.0.0.9
- <= 8.5.5.14
- <= 8.0.0.15
- <= 7.0.0.45
- CVE-2018-1567
- TCP port 4282
- RMI (?)
- 5.4.x
- CVE-2017-9830
- Details
- Look-ahead Java deserialization
- NotSoSerial
- SerialKiller
- ValidatingObjectInputStream
- Name Space Layout Randomization
- Some protection bypasses
- Tool: Serial Whitelist Application Trainer
- JEP 290: Filter Incoming Serialization Data in JDK 6u141, 7u131, 8u121
- AtomicSerial
- One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android
- Android Serialization Vulnerabilities Revisited
- A brief history of Android deserialization vulnerabilities
How it works:
- http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
- Java Unmarshaller Security
- java.beans.XMLDecoder
- readObject
- <= 10.3.6.0.0
- <= 12.1.3.0.0
- <= 12.2.1.2.0
- <= 12.2.1.1.0
- http://weblogic_server/wls-wsat/CoordinatorPortType
- CVE-2017-3506
- CVE-2017-10271
- Details
- priv escalation
- Oracle Privilege Escalation via Deserialization
How it works:
- http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/
- http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
- https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
- Java Unmarshaller Security
- <= 2.3.34
- <= 2.5.13
- REST plugin
- CVE-2017-9805
- com.thoughtworks.xstream.XStream
- xs.fromXML(data)
How it works:
- https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo
- Java Unmarshaller Security
- com.esotericsoftware.kryo.io.Input
- SomeClass object = (SomeClass)kryo.readClassAndObject(input);
- SomeClass someObject = kryo.readObjectOrNull(input, SomeClass.class);
- SomeClass someObject = kryo.readObject(input, SomeClass.class);
How it works:
- com.caucho.hessian.io
- AbstractHessianInput
- com.caucho.burlap.io.BurlapInput;
- com.caucho.burlap.io.BurlapOutput;
- BurlapInput in = new BurlapInput(is);
- Person2 p1 = (Person2) in.readObject();
How it works:
- org.codehaus.castor
- org.exolab.castor.xml.Unmarshaller
- org.springframework.oxm.Unmarshaller
- Unmarshaller.unmarshal(Person.class, reader)
- unmarshaller = context.createUnmarshaller();
- unmarshaller.unmarshal(new StringReader(data));
How it works:
Exploitation examples:
- Experiments with JSON-IO, Serialization, Mass Assignment, and General Java Object Wizardry
- JSON Deserialization Memory Corruption Vulnerabilities on Android
- com.cedarsoftware.util.io.JsonReader
- JsonReader.jsonToJava
vulnerable in specific configuration
How it works:
- Java Unmarshaller Security
- On Jackson CVEs: Don’t Panic — Here is what you need to know
- Jackson Deserialization Vulnerabilities
- https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
- https://github.com/mbechler/marshalsec
- blacklist bypass - CVE-2017-17485
- blacklist bypass - CVE-2017-15095
- com.fasterxml.jackson.databind.ObjectMapper
- ObjectMapper mapper = new ObjectMapper();
- objectMapper.enableDefaultTyping();
- @JsonTypeInfo(use=JsonTypeInfo.Id.CLASS, include=JsonTypeInfo.As.PROPERTY, property="@class")
- public Object message;
- mapper.readValue(data, Object.class);
How it works (in Chinese):
- com.alibaba.fastjson.JSON
- JSON.parseObject
How it works:
- com.owlike.genson.Genson
- useRuntimeType
- genson.deserialize
How it works:
- org.red5.io
- Deserializer.deserialize(i, Object.class);
How it works:
-
<= 2016 Update 3
-
<= 11 update 11
-
<= 10 Update 22
-
/ACSServer/messagebroker/amf
-
at least 2.2.1
-
based on CVE-2017-5641
- based on CVE-2017-5641
How it works:
How it works:
How it works:
How it works:
- org.yaml.snakeyaml.Yaml
- yaml.load
How it works:
- org.ho.yaml.Yaml
- Yaml.loadType(data, Object.class);
How it works:
- com.esotericsoftware.yamlbeans
- YamlReader r = new YamlReader(data, yc);
Some serialization libs are safe (or almost safe) https://github.com/mbechler/marshalsec
However, it's not a recommendation, but just a list of other libs that has been researched by someone:
- JAXB
- XmlBeans
- Jibx
- Protobuf
- GSON
- GWT-RPC