Java-Deserialization-Cheat-Sheet

A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.

Please, use #javadeser hash tag for tweets.

Table of content

• Java Native Serialization (binary)
  • Overview
  • Main talks & presentations & docs
  • Payload generators
  • Exploits
  • Detect
  • Vulnerable apps (without public sploits/need more info)
  • Protection
  • For Android
• XMLEncoder (XML)
• XStream (XML/JSON/various)
• Kryo (binary)
• Hessian/Burlap (binary/XML)
• Castor (XML)
• json-io (JSON)
• Jackson (JSON)
• Fastjson (JSON)
• Genson (JSON)
• Flexjson (JSON)
• Jodd (JSON)
• Red5 IO AMF (AMF)
• Apache Flex BlazeDS (AMF)
• Flamingo AMF (AMF)
• GraniteDS (AMF)
• WebORB for Java (AMF)
• SnakeYAML (YAML)
• jYAML (YAML)
• YamlBeans (YAML)
• "Safe" deserialization

Java Native Serialization (binary)

Overview

• Java Deserialization Security FAQ
• From Foxgloves Security

Main talks & presentations & docs

Marshalling Pickles

by @frohoff & @gebl

• Video
• Slides
• Other stuff

Exploiting Deserialization Vulnerabilities in Java

by @matthias_kaiser

• Video

Serial Killer: Silently Pwning Your Java Endpoints

by @pwntester & @cschneider4711

• Slides
• White Paper
• Bypass Gadget Collection

Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

by @frohoff & @gebl

• Slides

Surviving the Java serialization apocalypse

by @cschneider4711 & @pwntester

• Slides
• Video
• PoC for Scala, Grovy

Java Deserialization Vulnerabilities - The Forgotten Bug Class

by @matthias_kaiser

• Slides

Pwning Your Java Messaging With Deserialization Vulnerabilities

by @matthias_kaiser

• Slides
• White Paper
• Tool for jms hacking

Defending against Java Deserialization Vulnerabilities

by @lucacarettoni

• Slides

A Journey From JNDI/LDAP Manipulation To Remote Code Execution Dream Land

by @pwntester and O. Mirosh

• Slides
• White Paper

Fixing the Java Serialization mess

by @e_rnst

• Slides+Source

Blind Java Deserialization

by deadcode.me

• Part I - Commons Gadgets
• Part II - exploitation rev 2

An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (JVM)

by @joaomatosf

• Slides
• Examples

Automated Discovery of Deserialization Gadget Chains

by @ianhaken

• Video
• Slides
• Tool

An Far Sides Of Java Remote Protocols

by @_tint0

• Slides

Payload generators

ysoserial

https://github.com/frohoff/ysoserial

ysoserial 0.6 payloads:

payload	author	dependencies	impact (if not RCE)
AspectJWeaver	@Jang	aspectjweaver:1.9.2, commons-collections:3.2.2
BeanShell1	@pwntester, @cschneider4711	bsh:2.0b5
C3P0	@mbechler	c3p0:0.9.5.2, mchange-commons-java:0.2.11
Click1	@artsploit	click-nodeps:2.3.0, javax.servlet-api:3.1.0
Clojure	@JackOfMostTrades	clojure:1.8.0
CommonsBeanutils1	@frohoff	commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
CommonsCollections1	@frohoff	commons-collections:3.1
CommonsCollections2	@frohoff	commons-collections4:4.0
CommonsCollections3	@frohoff	commons-collections:3.1
CommonsCollections4	@frohoff	commons-collections4:4.0
CommonsCollections5	@matthias_kaiser, @jasinner	commons-collections:3.1
CommonsCollections6	@matthias_kaiser	commons-collections:3.1
CommonsCollections7	@scristalli, @hanyrax, @EdoardoVignati	commons-collections:3.1
FileUpload1	@mbechler	commons-fileupload:1.3.1, commons-io:2.4	file uploading
Groovy1	@frohoff	groovy:2.3.9
Hibernate1	@mbechler
Hibernate2	@mbechler
JBossInterceptors1	@matthias_kaiser	javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
JRMPClient	@mbechler
JRMPListener	@mbechler
JSON1	@mbechler	json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
JavassistWeld1	@matthias_kaiser	javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
Jdk7u21	@frohoff
Jython1	@pwntester, @cschneider4711	jython-standalone:2.5.2
MozillaRhino1	@matthias_kaiser	js:1.7R2
MozillaRhino2	@_tint0	js:1.7R2
Myfaces1	@mbechler
Myfaces2	@mbechler
ROME	@mbechler	rome:1.0
Spring1	@frohoff	spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
Spring2	@mbechler	spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
URLDNS	@gebl		jre only vuln detect
Vaadin1	@kai_ullrich	vaadin-server:7.7.14, vaadin-shared:7.7.14
Wicket1	@jacob-baines	wicket-util:6.23.0, slf4j-api:1.6.4

Plugins for Burp Suite (detection, ysoserial integration ):

• Freddy
• JavaSerialKiller
• Java Deserialization Scanner
• Burp-ysoserial
• SuperSerial
• SuperSerial-Active

Full shell (pipes, redirects and other stuff):

• $@|sh – Or: Getting a shell environment from Runtime.exec
• Set String[] for Runtime.exec (patch ysoserial's payloads)
• Shell Commands Converter

How it works:

• https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/
• http://gursevkalra.blogspot.ro/2016/01/ysoserial-commonscollections1-exploit.html

ysoserial fork with additional payloads

https://github.com/wh1t3p1g/ysoserial

• CommonsCollection8,9,10
• RMIRegistryExploit2,3
• RMIRefListener,RMIRefListener2
• PayloadHTTPServer
• Spring3

JRE8u20_RCE_Gadget

https://github.com/pwntester/JRE8u20_RCE_Gadget

Pure JRE 8 RCE Deserialization gadget

ACEDcup

https://github.com/GrrrDog/ACEDcup

File uploading via:

• Apache Commons FileUpload <= 1.3 (CVE-2013-2186) and Oracle JDK < 7u40

Universal billion-laughs DoS

https://gist.github.com/coekie/a27cc406fc9f3dc7a70d

Won't fix DoS via default Java classes (JRE)

Universal Heap overflows DoS using Arrays and HashMaps

https://github.com/topolik/ois-dos/

How it works:

• Java Deserialization DoS - payloads

Won't fix DoS using default Java classes (JRE)

DoS against Serialization Filtering (JEP-290)

• CVE-2018-2677

Tool to search gadgets in source

• Gadget Inspector
• Article about Gadget Inspector

Additional tools to test RMI:

• BaRMIe
• Barmitza
• RMIScout
• attackRmi
• Remote Method Guesser

Remote class detection:

• GadgetProbe: Exploiting Deserialization to Brute-Force the Remote Classpath

• GadgetProbe

• Remote Java classpath enumeration with EnumJavaLibs

• EnumJavaLibs

Library for creating Java serialization data

• serial-builder

Exploits

no spec tool - You don't need a special tool (just Burp/ZAP + payload)

RMI

• Protocol
• Default - 1099/tcp for rmiregistry
• partially patched in JRE with JEP290 (JDK 8u121, JDK 7u131, JDK 6u141)
• Attacking Java RMI services after JEP 290
• An Trinhs RMI Registry Bypass
• RMIScout

ysoserial

Additional tools

JMX

• JMX on RMI
• • CVE-2016-3427
• partially patched in JRE with JEP290 (JDK 8u121, JDK 7u131, JDK 6u141)
• Attacking RMI based JMX services (after JEP 290)

ysoserial

mjet

JexBoss

JMXMP

• Special JMX protocol
• The Curse of Old Java Libraries

JNDI/LDAP

• When we control an address for lookup of JNDI (context.lookup(address) and can have backconnect from a server
• Full info
• JNDI remote code injection
• Exploiting JNDI Injections in Java

https://github.com/zerothoughts/jndipoc

https://github.com/welk1n/JNDI-Injection-Exploit

JMS

• Full info

JMET

JSF ViewState

• if no encryption or good mac

no spec tool

JexBoss

vjdbc

• JDBC via HTTP library
• all version are vulnerable
• Details

no spec tool

T3 of Oracle Weblogic

• Protocol
• Default - 7001/tcp on localhost interface
• CVE-2015-4852
• Blacklist bypass - CVE-2017-3248
• Blacklist bypass - CVE-2017-3248 PoC
• Blacklist bypass - CVE-2018-2628
• Blacklist bypass - cve-2018-2893
• Blacklist bypass - CVE-2018-3245
• Blacklist bypass - CVE-2018-3191
• CVE-2019-2725
• CVE-2020-2555
• CVE-2020-2883
• CVE-2020-2963
• CVE-2020-14625
• CVE-2020-14644
• CVE-2020-14645
• CVE-2020-14756
• CVE-2020-14825
• CVE-2020-14841
• CVE-2021-2394
• SSRF JDBC
• CVE-2023-21931

loubia (tested on 11g and 12c, supports t3s)

JavaUnserializeExploits (doesn't work for all Weblogic versions)

WLT3Serial

CVE-2018-2628 sploit

IIOP of Oracle Weblogic

• Protocol

• Default - 7001/tcp on localhost interface

• CVE-2020-2551

• Details

CVE-2020-2551 sploit

Oracle Weblogic (1)

• auth required
• How it works
• CVE-2018-3252

Oracle Weblogic (2)

• auth required
• CVE-2021-2109

Exploit

Oracle Access Manager (1)

• CVE-2021-35587

Oracle ADF Faces

• CVE-2022–21445
• /appcontext/afr/test/remote/payload/

no spec tool

IBM Websphere (1)

• wsadmin
• Default port - 8880/tcp
• CVE-2015-7450

JavaUnserializeExploits

serialator

CoalfireLabs/java_deserialization_exploits

IBM Websphere (2)

• When using custom form authentication
• WASPostParam cookie
• Full info

no spec tool

IBM Websphere (3)

• IBM WAS DMGR
• special port
• CVE-2019-4279
• ibm10883628
• Exploit

Metasploit

IIOP of IBM Websphere

• Protocol
• 2809, 9100, 9402, 9403
• CVE-2020-4450
• CVE-2020-4449
• Abusing Java Remote Protocols in IBM WebSphere
• Vuln Details

Red Hat JBoss (1)

• http://jboss_server/invoker/JMXInvokerServlet
• Default port - 8080/tcp
• CVE-2015-7501

JavaUnserializeExploits

https://github.com/njfox/Java-Deserialization-Exploit

serialator

JexBoss

Red Hat JBoss 6.X

• http://jboss_server/invoker/readonly
• Default port - 8080/tcp
• CVE-2017-12149
• JBoss 6.X and EAP 5.X
• Details

no spec tool

Red Hat JBoss 4.x

• http://jboss_server/jbossmq-httpil/HTTPServerILServlet/
• <= 4.x
• CVE-2017-7504

no spec tool

Jenkins (1)

• Jenkins CLI
• Default port - High number/tcp
• CVE-2015-8103
• CVE-2015-3253

JavaUnserializeExploits

JexBoss

Jenkins (2)

• patch "bypass" for Jenkins
• CVE-2016-0788
• Details of exploit

ysoserial

Jenkins (s)

• Jenkins CLI LDAP
• *Default port - High number/tcp
• <= 2.32
• <= 2.19.3 (LTS)
• CVE-2016-9299

CloudBees Jenkins

• <= 2.32.1
• CVE-2017-1000353
• Details

Sploit

JetBrains TeamCity

• RMI

ysoserial

Restlet

• <= 2.1.2
• When Rest API accepts serialized objects (uses ObjectRepresentation)

no spec tool

RESTEasy

• *When Rest API accepts serialized objects (uses @Consumes({"*/*"}) or "application/*" )
• Details and examples

no spec tool

OpenNMS (1)

• RMI

ysoserial

OpenNMS (2)

• CVE-2020-12760/NMS-12673
• JMS

JMET

Progress OpenEdge RDBMS

• all versions
• RMI

ysoserial

Commvault Edge Server

• CVE-2015-7253
• Serialized object in cookie

no spec tool

Symantec Endpoint Protection Manager

• /servlet/ConsoleServlet?ActionType=SendStatPing
• CVE-2015-6555

serialator

Oracle MySQL Enterprise Monitor

• https://[target]:18443/v3/dataflow/0/0
• CVE-2016-3461

no spec tool

serialator

PowerFolder Business Enterprise Suite

• custom(?) protocol (1337/tcp)
• MSA-2016-01

powerfolder-exploit-poc

Solarwinds Virtualization Manager

• <= 6.3.1
• RMI
• CVE-2016-3642

ysoserial

Cisco Prime Infrastructure

• https://[target]/xmp_data_handler_service/xmpDataOperationRequestServlet
• <= 2.2.3 Update 4
• <= 3.0.2
• CVE-2016-1291

CoalfireLabs/java_deserialization_exploits

Cisco ACS

• <= 5.8.0.32.2
• RMI (2020 tcp)
• CSCux34781

ysoserial

Cisco Unity Express

• RMI (port 1099 tcp)
• version < 9.0.6
• CVE-2018-15381

ysoserial

Cisco Unified CVP

• RMI (2098 and 2099)
• Details

ysoserial

NASDAQ BWISE

• RMI (port 81 tcp)
• Details
• CVE-2018-11247

ysoserial

NICE ENGAGE PLATFORM

• JMX (port 6338 tcp)
• Details
• CVE-2019-7727

Apache Cassandra

• JMX (port 7199 tcp)
• Details
• [CVE-2018-8016](https://www.vulners.com/search?query= CVE-2018-8016)

Cloudera Zookeeper

• JMX (port 9010 tcp)
• Details

Apache Olingo

• version < 4.7.0
• CVE-2019-17556
• Details and examples

no spec tool

Apache Dubbo

• CVE-2019-17564
• Details and examples

no spec tool

Apache XML-RPC

• all version, no fix (the project is not supported)
• POST XML request with ex:serializable element
• Details and examples

no spec tool

Apache Archiva

• because it uses Apache XML-RPC
• CVE-2016-5004
• Details and examples

no spec tool

SAP NetWeaver

• https://[target]/developmentserver/metadatauploader
• CVE-2017-9844

PoC

SAP Hybris

• /virtualjdbc/
• CVE-2019-0344

no spec tool

Sun Java Web Console

• admin panel for Solaris
• < v3.1.
• old DoS sploit

no spec tool

Apache MyFaces Trinidad

• 1.0.0 <= version < 1.0.13
• 1.2.1 <= version < 1.2.14
• 2.0.0 <= version < 2.0.1
• 2.1.0 <= version < 2.1.1
• it does not check MAC
• CVE-2016-5019

no spec tool

JBoss Richfaces

• Variation of exploitation CVE-2018-12532
• When EL Injection meets Java Deserialization

Apache Tomcat JMX

• JMX
• Patch bypass
• CVE-2016-8735

JexBoss

OpenText Documentum D2

• version 4.x
• CVE-2017-5586

exploit

Liferay

• /api/spring
• /api/liferay
• <= 7.0-ga3
• if IP check works incorrectly
• Details

no spec tool

ScrumWorks Pro

• /UFC
• <= 6.7.0
• Details

PoC

ManageEngine Applications Manager

• version
• RMI
• CVE-2016-9498

ysoserial

ManageEngine OpManager

• version < 12.5.329
• Details with exploit CVE-2020-28653/CVE-2021-3287

ManageEngine Desktop Central

• version < 10.0.474
• CVE-2020-10189

MSF exploit

Apache Shiro

• SHIRO-550
• encrypted cookie (with the hardcoded key)
• Exploitation (in Chinese)

HP IMC (Intelligent Management Center)

• WebDMDebugServlet
• <= 7.3 E0504P2
• CVE-2017-12557

Metasploit module

HP IMC (Intelligent Management Center)

• RMI
• <= 7.3 E0504P2
• CVE-2017-5792

ysoserial

Apache Brooklyn

• Non default config
• JMXMP

Elassandra

• Non default config
• JMXMP

Micro Focus

• CVE-2020-11853
• Vulnerability analyzis Affected products:
• Operations Bridge Manager versions: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, versions 10.6x and 10.1x and older versions
• Application Performance Management versions: 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3 \
• Data Center Automation version 2019.11
• Operations Bridge (containerized) versions: 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11
• Universal CMDB versions: 2020.05, 2019.11, 2019.05, 2019.02, 2018.11, 2018.08, 2018.05, 11, 10.33, 10.32, 10.31, 10.30
• Hybrid Cloud Management version 2020.05
• Service Management Automation versions 2020.5 and 2020.02

Metasploit Exploit

IBM Qradar (1)

• CVE-2020-4280
• Exploitation

IBM Qradar (2)

• /console/remoteJavaScript
• CVE-2020-4888

Exploit

IBM InfoSphere JReport

• RMI
• port 58611
• <=8.5.0.0 (all)
• Exploitation details

Apache Kafka

• connect-api
• Vulnerbility analyzis

Zoho ManageEngine ADSelfService Plus

• CVE-2020-11518
• Exloitation

Apache ActiveMQ - Client lib

• JMS

JMET

Redhat/Apache HornetQ - Client lib

• JMS

JMET

Oracle OpenMQ - Client lib

• JMS

JMET

IBM WebSphereMQ - Client lib

• JMS

JMET

Oracle Weblogic - Client lib

• JMS

JMET

Pivotal RabbitMQ - Client lib

• JMS

JMET

IBM MessageSight - Client lib

• JMS

JMET

IIT Software SwiftMQ - Client lib

• JMS

JMET

Apache ActiveMQ Artemis - Client lib

• JMS

JMET

Apache QPID JMS - Client lib

• JMS

JMET

Apache QPID - Client lib

• JMS

JMET

Amazon SQS Java Messaging - Client lib

• JMS

JMET

Axis/Axis2 SOAPMonitor

• All version (this was deemed by design by project maintainer)
• Binary
• Default port : 5001
• Info : https://axis.apache.org/axis2/java/core/docs/soapmonitor-module.html

java -jar ysoserial-*-all.jar CommonsCollections1 'COMMAND_HERE' | nc TARGET_SERVER 5001

ysoserial

Apache Synapse

• <= 3.0.1
• RMI
• Exploit

ysoserial

Apache Jmeter

• <= 3.0.1
• RMI
• When using Distributed Test only
• Exploit

ysoserial

Jolokia

• <= 1.4.0
• JNDI injection
• /jolokia/
• Exploit

RichFaces

• all versions
• Poor RichFaces
• When EL Injection meets Java Deserialization

Apache James

• < 3.0.1
• Analysis of CVE-2017-12628

ysoserial

Oracle DB

• <= Oracle 12C
• CVE-2018-3004 - Oracle Privilege Escalation via Deserialization

Zimbra Collaboration

• < 8.7.0
• CVE-2016-3415
• <= 8.8.11
• A Saga of Code Executions on Zimbra

Adobe ColdFusion (1)

• <= 2016 Update 4
• <= 11 update 12
• CVE-2017-11283
• CVE-2017-11284

Adobe ColdFusion (2)

• RMI
• <= 2016 Update 5
• <= 11 update 13
• Another ColdFusion RCE – CVE-2018-4939
• CVE-2018-4939

Adobe ColdFusion (3) / JNBridge

• custom protocol in JNBridge
• port 6093 or 6095
• <= 2016 Update ?
• <= 2018 Update ?
• APSB19-17
• CVE-2019-7839: ColdFusion Code Execution Through JNBridge

Apache SOLR (1)

• SOLR-8262
• 5.1 <= version <=5.4
• /stream handler uses Java serialization for RPC

Apache SOLR (2)

• SOLR-13301
• CVE-2019-0192
• version: 5.0.0 to 5.5.5
• version: 6.0.0 to 6.6.5
• Attack via jmx.serviceUrl
• Exploit

Adobe Experience Manager AEM

• 5.5 - 6.1 (?)
• /lib/dam/cloud/proxy.json parameter file
• ExternalJobPostServlet

MySQL Connector/J

• version < 5.1.41
• when "autoDeserialize" is set on
• CVE-2017-3523

Pitney Bowes Spectrum

• RMI
• Java RMI Server Insecure Default Configuration

SmartBear ReadyAPI

• RMI
• SYSS-2019-039

NEC ESMPRO Manager

• RMI
• CVE-2020-10917
• ZDI-20-684

Apache OFBiz

• RMI
• cve-2021-26295
• Exploit

NetMotion Mobility

• < 11.73
• < 12.02
• NetMotion Mobility Server Multiple Deserialization of Untrusted Data Lead to RCE
• CVE-2021-26914

ysoserial Metasploit Exploit: exploit/windows/http/netmotion_mobility_mvcutil_deserialization

Bonita

• Bonita serverAPI
• /bonita/serverAPI/

ysoserial

Neo4j

• <= 3.4.18 (with the shell server enabled)
• RMI
• Exploit for CVE-2021-34371

Bitbucket Data Center

• port 5701 (Hazelcast)
• similar to CVE-2016-10750
• Exploit for CVE-2022-26133

Jira Data Center / Jira Service Management Data Center

• RMI of Ehcache
• CVE-2020-36239

Nomulus

• patched
• Details of exloitation

Detect

Code review

• ObjectInputStream.readObject
• ObjectInputStream.readUnshared
• Tool: Find Security Bugs
• Tool: Serianalyzer

Traffic

• Magic bytes 'ac ed 00 05' bytes
• 'rO0' for Base64
• 'application/x-java-serialized-object' for Content-Type header

Network

• Nmap >=7.10 has more java-related probes
• use nmap --all-version to find JMX/RMI on non-standart ports

Burp plugins

• JavaSerialKiller
• Java Deserialization Scanner
• Burp-ysoserial
• SuperSerial
• SuperSerial-Active
• Freddy

Vulnerable apps (without public sploits/need more info)

Spring Service Invokers (HTTP, JMS, RMI...)

• Details

SAP P4

• info from slides

Apache ActiveMQ (2)

• CVE-2015-5254
• <= 5.12.1
• Explanation of the vuln
• CVE-2015-7253

Atlassian Bamboo (1)

• CVE-2015-6576
• 2.2 <= version < 5.8.5
• 5.9.0 <= version < 5.9.7

Atlassian Bamboo (2)

• CVE-2015-8360
• 2.3.1 <= version < 5.9.9
• Bamboo JMS port (port 54663 by default)

Atlassian Jira

• only Jira with a Data Center license
• RMI (port 40001 by default)
• JRA-46203

Akka

• version < 2.4.17
• "an ActorSystem exposed via Akka Remote over TCP"
• Official description

Spring AMPQ

• CVE-2016-2173
• 1.0.0 <= version < 1.5.5

Apache Tika

• CVE-2016-6809
• 1.6 <= version < 1.14
• Apache Tika’s MATLAB Parser

Apache HBase

• HBASE-14799

Apache Camel

• CVE-2015-5348

Apache Dubbo

• CVE-2020-1948
• <=2.7.7

Apache Spark

• SPARK-20922: Unsafe deserialization in Spark LauncherConnection

Apache Spark

• SPARK-11652: Remote code execution with InvokerTransformer

Apache Log4j (1)

• as server
• CVE-2017-5645

Apache Log4j (2)

• <= 1.2.17
• CVE-2019-17571

Apache Geode

• CVE-2017-15692
• CVE-2017-15693
• Details

Apache Ignite

• CVE-2018-1295
• CVE-2018-8018
• Details

Infinispan

• CVE-2017-15089
• Details

Hazelcast

• CVE-2016-10750
• Details

Gradle (gui)

• custom(?) protocol(60024/tcp)
• article

Oracle Hyperion

• from slides

Oracle Application Testing Suite

• CVE-2015-7501

Red Hat JBoss BPM Suite

• RHSA-2016-0539
• CVE-2016-2510

Red Hat Wildfly

• CVE-2020-10740

VMWare vRealize Operations

• 6.0 <= version < 6.4.0
• REST API
• VMSA-2016-0020
• CVE-2016-7462

VMWare vCenter/vRealize (various)

• CVE-2015-6934
• VMSA-2016-0005
• JMX

Cisco (various)

• List of vulnerable products
• CVE-2015-6420

Cisco Security Manager

• CVE-2020-27131

Lexmark Markvision Enterprise

• CVE-2016-1487

McAfee ePolicy Orchestrator

• CVE-2015-8765

HP IMC PLAT

• version 7.3 E0506P09 and earlier
• several CVE-2019-x

HP iMC

• CVE-2016-4372

HP Operations Orchestration

• CVE-2016-1997

HP Asset Manager

• CVE-2016-2000

HP Service Manager

• CVE-2016-1998

HP Operations Manager

• CVE-2016-1985

HP Release Control

• CVE-2016-1999

HP Continuous Delivery Automation

• CVE-2016-1986

HP P9000, XP7 Command View Advanced Edition (CVAE) Suite

• CVE-2016-2003

HP Network Automation

• CVE-2016-4385

Adobe Experience Manager

• CVE-2016-0958

Unify OpenScape (various)

• CVE-2015-8237 (CVE ID changed?)
• RMI (30xx/tcp)
• CVE-2015-8238 (CVE ID changed?)
• js-soc protocol (4711/tcp)
• Details

Apache OFBiz (1)

• CVE-2016-2170

Apache OFBiz (2)

• CVE-2020-9496

Apache Tomcat (1)

• requires local access
• CVE-2016-0714
• Article

Apache Tomcat (2)

• many requirements
• Apache Tomcat Remote Code Execution via session persistence
• CVE-2020-9484

Apache TomEE

• CVE-2016-0779

IBM Congnos BI

• CVE-2012-4858

IBM Maximo Asset Management

• CVE-2020-4521

Novell NetIQ Sentinel

• CVE-2016-1000031

ForgeRock OpenAM

• 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
• 201505-01

F5 (various)

• sol30518307

Hitachi (various)

• HS16-010
• 0328_acc

NetApp (various)

• CVE-2015-8545 (CVE ID changed?)

Citrix XenMobile Server

• port 45000
• when Clustering is enabled
• Won't Fix (?)
• 10.7 and 10.8
• Citrix advisory
• CVE-2018-10654

IBM WebSphere (1)

• SOAP connector
• <= 9.0.0.9
• <= 8.5.5.14
• <= 8.0.0.15
• <= 7.0.0.45
• CVE-2018-1567

IBM WebSphere (2)

• CVE-2015-1920

IBM WebSphere (3)

• TCP port 11006
• CVE-2020-4448
• Vuln details

IBM WebSphere (4)

• SOAP connector
• CVE-2020-4464
• Vuln details

IBM WebSphere (5)

• CVE-2021-20353

IBM WebSphere (6)

• CVE-2020-4576

IBM WebSphere (7)

• CVE-2020-4589

Code42 CrashPlan

• TCP port 4282
• RMI (?)
• 5.4.x
• CVE-2017-9830
• Details

Apache OpenJPA

• CVE-2013-1768

Dell EMC VNX Monitoring and Reporting

• CVE-2017-8012

Taoensso Nippy

• <2.14.2
• CVE-2020-24164

CAS

• v4.1.x
• v4.2.x
• CAS Vulnerability Disclosure from Apereo

SolarWinds Network Performance Monitor

• CVE-2021–31474
• Video

Apache Batchee

Apache JCS

Apache OpenWebBeans

Protection

• Look-ahead Java deserialization
• NotSoSerial
• SerialKiller
• ValidatingObjectInputStream
• Name Space Layout Randomization
• Some protection bypasses
• Tool: Serial Whitelist Application Trainer
• JEP 290: Filter Incoming Serialization Data in JDK 6u141, 7u131, 8u121
  • A First Look Into Java's New Serialization Filtering
• AtomicSerial

For Android

Main talks & presentations & examples

• One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android
• Android Serialization Vulnerabilities Revisited
• A brief history of Android deserialization vulnerabilities
• Exploiting Android trough an Intent with Reflection

Tools

• Android Java Deserialization Vulnerability Tester

XMLEncoder (XML)

How it works:

• https://web.archive.org/web/20191007233559/http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
• Java Unmarshaller Security

Detect

Code review

• java.beans.XMLDecoder
• readObject

Burp plugins

• Freddy

Exploits

Oracle Weblogic

• <= 10.3.6.0.0
• <= 12.1.3.0.0
• <= 12.2.1.2.0
• <= 12.2.1.1.0
• http://weblogic_server/wls-wsat/CoordinatorPortType
• CVE-2017-3506
• CVE-2017-10271
• Details
• CVE-2019-2729 Details

Exploit

Oracle RDBMS

• priv escalation
• Oracle Privilege Escalation via Deserialization

XStream (XML/JSON/various)

How it works:

• http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/
• http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
• https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
• Java Unmarshaller Security

Payload generators

• https://github.com/mbechler/marshalsec
• https://github.com/chudyPB/XStream-Gadgets
• CVE-2020-26217
• CVE-2020-26258 - SSRF
• CVE-2021-29505
• CVE-2021-39144

Exploits

Apache Struts (S2-052)

• <= 2.3.34
• <= 2.5.13
• REST plugin
• CVE-2017-9805

Exploit

Detect

Code review

• com.thoughtworks.xstream.XStream
• xs.fromXML(data)

Burp plugins

• Freddy

Vulnerable apps (without public sploits/need more info):

Atlassian Bamboo

• CVE-2016-5229

Jenkins

• CVE-2017-2608

Kryo (binary)

How it works:

• https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo
• Java Unmarshaller Security

Payload generators

• https://github.com/mbechler/marshalsec

Detect

Code review

• com.esotericsoftware.kryo.io.Input
• SomeClass object = (SomeClass)kryo.readClassAndObject(input);
• SomeClass someObject = kryo.readObjectOrNull(input, SomeClass.class);
• SomeClass someObject = kryo.readObject(input, SomeClass.class);

Burp plugins

• Freddy

Hessian/Burlap (binary/XML)

How it works:

• Java Unmarshaller Security
• Castor and Hessian java deserialization vulnerabilities
• Recurrence and Analysis of Hessian Deserialization RCE Vulnerability

Payload generators

• https://github.com/mbechler/marshalsec

Detect

Code review

• com.caucho.hessian.io
• AbstractHessianInput
• com.caucho.burlap.io.BurlapInput;
• com.caucho.burlap.io.BurlapOutput;
• BurlapInput in = new BurlapInput(is);
• Person2 p1 = (Person2) in.readObject();

Burp plugins

• Freddy

Vulnerable apps (without public sploits/need more info):

Apache Camel

• CVE-2017-12634

MobileIron MDM

• CVE-2020-15505
• Metasploit Exploit

Apache Dubbo

• Details and examples

Castor (XML)

How it works:

• Java Unmarshaller Security
• Castor and Hessian java deserialization vulnerabilities

Payload generators

• https://github.com/mbechler/marshalsec

Detect

Code review

• org.codehaus.castor
• org.exolab.castor.xml.Unmarshaller
• org.springframework.oxm.Unmarshaller
• Unmarshaller.unmarshal(Person.class, reader)
• unmarshaller = context.createUnmarshaller();
• unmarshaller.unmarshal(new StringReader(data));

Burp plugins

• Freddy

Vulnerable apps (without public sploits/need more info):

OpenNMS

• NMS-9100

Apache Camel

• CVE-2017-12633

json-io (JSON)

How it works:

• Java Unmarshaller Security

Exploitation examples:

• Experiments with JSON-IO, Serialization, Mass Assignment, and General Java Object Wizardry
• JSON Deserialization Memory Corruption Vulnerabilities on Android

Payload generators

• https://github.com/mbechler/marshalsec

Detect

Code review

• com.cedarsoftware.util.io.JsonReader
• JsonReader.jsonToJava

Burp plugins

• Freddy

Jackson (JSON)

vulnerable in specific configuration

How it works:

• Java Unmarshaller Security
• On Jackson CVEs: Don’t Panic — Here is what you need to know
• Jackson Deserialization Vulnerabilities
• The End of the Blacklist

Payload generators / gadget chains

• https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
• https://github.com/mbechler/marshalsec
• blacklist bypass - CVE-2017-17485
• blacklist bypass - CVE-2017-15095
• CVE-2019-14540
• Jackson gadgets - Anatomy of a vulnerability
• JNDI Injection using Getter Based Deserialization Gadgets
• blacklist bypass - CVE-2020-8840
• blacklist bypass - CVE-2020-10673

Detect

Code review

• com.fasterxml.jackson.databind.ObjectMapper
• ObjectMapper mapper = new ObjectMapper();
• objectMapper.enableDefaultTyping();
• @JsonTypeInfo(use=JsonTypeInfo.Id.CLASS, include=JsonTypeInfo.As.PROPERTY, property="@class")
• public Object message;
• mapper.readValue(data, Object.class);

Burp plugins

• Freddy

Exploits

FasterXML

• CVE-2019-12384

Liferay

• CVE-2019-16891

Vulnerable apps (without public sploits/need more info):

Apache Camel

• CVE-2016-8749

Fastjson (JSON)

How it works:

• https://www.secfree.com/article-590.html
• Official advisory
• Fastjson process analysis and RCE analysis
• Fastjson Deserialization Vulnerability History
• Hao Xing Zekai Wu - How I use a JSON Deserialization 0day to Steal Your Money On The Blockchain.pdf

Detect

Code review

• com.alibaba.fastjson.JSON
• JSON.parseObject

Burp plugins

• Freddy

Payload generators

• fastjson 1.2.24 <=
• fastjson 1.2.47 <=
• fastjson 1.2.66 <=
• blacklisted gadgets
• Fastjson: exceptional deserialization vulnerabilities
• Hao Xing Zekai Wu - How I use a JSON Deserialization 0day to Steal Your Money On The Blockchain.pdf

Genson (JSON)

How it works:

• Friday the 13th JSON Attacks

Detect

Code review

• com.owlike.genson.Genson
• useRuntimeType
• genson.deserialize

Burp plugins

• Freddy

Flexjson (JSON)

How it works:

• Friday the 13th JSON Attacks

Payload generators / gadget chains

• PoC

Detect

Code review

• import flexjson.JSONDeserializer
• JSONDeserializer jsonDeserializer = new JSONDeserializer()
• jsonDeserializer.deserialize(jsonString);

Exploits

Liferay

• Liferay Portal JSON Web Service RCE Vulnerabilities
• CST-7111

Jodd (JSON)

vulnerable in a non-default configuration when setClassMetadataName() is set

• issues/628

Payload generators / gadget chains

• PoC

Detect

Code review

• com.fasterxml.jackson.databind.ObjectMapper
• JsonParser jsonParser = new JsonParser()
• jsonParser.setClassMetadataName("class").parse(jsonString, ClassName.class);

Red5 IO AMF (AMF)

How it works:

• Java Unmarshaller Security

Payload generators

• https://github.com/mbechler/marshalsec

Detect

Code review

• org.red5.io
• Deserializer.deserialize(i, Object.class);

Burp plugins

• Freddy

Vulnerable apps (without public sploits/need more info):

Apache OpenMeetings

• CVE-2017-5878

Apache Flex BlazeDS (AMF)

How it works:

• AMF – Another Malicious Format
• Java Unmarshaller Security

Payload generators

• https://github.com/mbechler/marshalsec

Detect

Code review

Burp plugins

• Freddy

Vulnerable apps:

Oracle Business Intelligence

• BIRemotingServlet
• no auth
• CVE-2020-2950
• Details on the Oracle WebLogic Vulnerability Being Exploited in the Wild
• CVE-2020–2950 — Turning AMF Deserialize bug to Java Deserialize bug

Adobe ColdFusion

• CVE-2017-3066

• <= 2016 Update 3

• <= 11 update 11

• <= 10 Update 22

• Exploiting Adobe ColdFusion before CVE-2017-3066

• PoC

Draytek VigorACS

• /ACSServer/messagebroker/amf

• at least 2.2.1

• based on CVE-2017-5641

• PoC

Apache BlazeDS

• CVE-2017-5641

VMWare VCenter

• based on CVE-2017-5641

HP Systems Insight Manager

• /simsearch/messagebroker/amfsecure
• 7.6.x
• CVE-2020-7200
• Metasploit Exploit

TIBCO Data Virtualization

• < 8.3
• /monitor/messagebroker/amf
• Details

Flamingo AMF (AMF)

How it works:

• AMF – Another Malicious Format

Detect

Burp plugins

• Freddy

GraniteDS (AMF)

How it works:

• AMF – Another Malicious Format

Detect

Burp plugins

• Freddy

WebORB for Java (AMF)

How it works:

• AMF – Another Malicious Format

Detect

Burp plugins

• Freddy

SnakeYAML (YAML)

How it works:

• Java Unmarshaller Security

Payload generators

• https://github.com/mbechler/marshalsec
• Payload Generator for the SnakeYAML deserialization gadget

Detect

Code review

• org.yaml.snakeyaml.Yaml
• yaml.load

Burp plugins

• Freddy

Vulnerable apps (without public sploits/need more info):

Resteasy

• CVE-2016-9606

Apache Camel

• CVE-2017-3159

Apache Brooklyn

• CVE-2016-8744

Apache ShardingSphere

• CVE-2020-1947

jYAML (YAML)

How it works:

• Java Unmarshaller Security

Payload generators

• https://github.com/mbechler/marshalsec

Detect

• org.ho.yaml.Yaml
• Yaml.loadType(data, Object.class);

Burp plugins

• Freddy

YamlBeans (YAML)

How it works:

• Java Unmarshaller Security

Payload generators

• https://github.com/mbechler/marshalsec

Detect

• com.esotericsoftware.yamlbeans
• YamlReader r = new YamlReader(data, yc);

Burp plugins

• Freddy

"Safe" deserialization

Some serialization libs are safe (or almost safe) https://github.com/mbechler/marshalsec

However, it's not a recommendation, but just a list of other libs that has been researched by someone:

• JAXB
• XmlBeans
• Jibx
• Protobuf
• GSON
• GWT-RPC