Defending against Java Deserialization Vulnerabilities

During a recent OWASP Meetup in San Francisco, I gave a presentation on Java Deserialization vulnerabilities focused on defense techniques for identifying and fixing this class of bugs.

While most of the content is based on the work of several Java Security aficionados (@cschneider4711, @e_rnst, @matthias_kaiser,  @pwntester, @frohoff and many others), this presentation contains a couple of new things:

  • Technical details (and exploit) of a serialization bug via JSF view state affecting Sun Java Web Console
  • New features introduced in SerialKiller 

Sun Java Web Console serialized object injection via JSF view state

Since it appears that there're no publicly disclosed details on Java serialization vulnerabilities triggered via JSF ViewState, I thought it would be a good idea to illustrate a bug I discovered in 2010. From slides 12 to 17, you can read more about this issue affecting Sun Java Web Console (which was the default web admin console for Solaris). I've also released an exploit (download here) that uses Hashtable collisions to trigger DoS. RCE is also possible via Apache Common Collections.

Interestingly enough, old versions of javax.faces.ViewState (client-side and with no signature) can be abused in multiple ways:

SerialKiller v0.4

I've released a new version of SerialKiller with new features and improvements:
  • Basic logging support, using Java's native logging
  • Profiling mode. While look-ahead whitelisting provides a robust protection to modern applications, it requires complete enumeration of all Java classes exchanged by the application. With this feature, it is possible to setup SK in "non-blocking" mode in order to enumerate all classes within client-server requests. A step-by-step tutorial on how to whitelist classes is available in the documentation page
  • Signatures parity with Ysoserial. I've created default blacklisting signatures for all exploits (as of 09/07) included in this popular payloads generator tool