http://frohoff.github.io/appseccali-marshalling-pickles/
First presented January 2015 @ AppSecCali conference
CVE Score of 10 (out of 10)
Arbitrary Code Execution Pre Authentication
Java Serialisation
To serialize an object means to convert its state to a byte stream so that the byte stream can be reverted back into a copy of the object.
Passing Objects Around
RMI
JMX (uses RMI)
HTTP proxies / protocols (Jenkins)
Nasty Objects
Too Easy?
What if there was a class which allowed us to change the content of its methods dynamically using instance state?
How would we make sure that our target has this class somewhere on their classpath?
Apache Commons to the Rescue!
Demonstration Time
Deeper Dive into vulnerable classes
Defence
Never expose JMX or RMI endpoints to the outside
Do not proxy serialised Java objects over HTTP
Ensure that your applications do not expose endpoints which accept serialised objects
Manually remove commons from every jar file on your classpath and test your entire stack!!!
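Where an endpoint must accept serialised Java objects at all, the usual defence is to refuse every class except the ones that endpoint expects, before any instance is created. The following is an added example, not code from the talk: an ObjectInputStream subclass whose resolveClass() enforces an explicit allow-list. Greeting, AllowListObjectInputStream and SafeDeserialise are names chosen for this example, and the HashMap stands in for any class the endpoint does not expect.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Set;

/** Constructed DTO standing in for what the endpoint legitimately expects (example only). */
final class Greeting implements Serializable {
    private static final long serialVersionUID = 1L;
    final String text;
    Greeting(String text) { this.text = text; }
}

/**
 * ObjectInputStream restricted to an explicit allow-list. resolveClass() is invoked for
 * every class descriptor in the stream before an instance is created, so an unexpected
 * class is rejected before any of its readObject() logic can run.
 */
final class AllowListObjectInputStream extends ObjectInputStream {
    // Strings are encoded as literals in the stream and never pass through resolveClass().
    private static final Set<String> ALLOWED = Set.of(Greeting.class.getName());
    AllowListObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not on deserialisation allow-list");
        }
        return super.resolveClass(desc);
    }
}

public class SafeDeserialise {
    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }
    static Object readTrusted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        Greeting g = (Greeting) readTrusted(serialise(new Greeting("hello")));
        System.out.println("accepted: " + g.text);
        try {
            readTrusted(serialise(new HashMap<String, String>())); // benign stand-in for an unexpected class
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The resolveClass() override works on every Java version; on JDK 9 and later the same policy can also be expressed as an ObjectInputFilter passed to setObjectInputFilter(), which additionally lets you cap stream depth and array sizes.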
By Chris Rutter
Software Developer (Java)