Hacking Java with Apache Commons

http://frohoff.github.io/appseccali-marshalling-pickles/

First presented January 2015 @ AppSecCali conference

CVE Score of 10 (out of 10)

Arbitrary Code Execution Pre Authentication

Java Serialisation

To serialize an object means to convert its state to a byte stream so that the byte stream can be reverted back into a copy of the object.

Passing Objects Around

RMI

JMX (uses RMI)

Http Proxys /

protocols (Jenkins)

Nasty Objects

Too Easy?

What if there was a class which allowed us to change the content of its methods dynamically using instance state?

How would we make sure that our target has this class somewhere on their classpath?

Apache Commons to the Rescue!

Demonstration Time

Deeper Dive into vulnerable classes

Defence

Never expose JMX or RMI endpoints to the outside

Dot not proxy serialised Java objects over http

Ensure that your applications do not expose endpoints which accept serialised objects

Manually remove commons from every jar file on your classpath and test your entire stack!!!