Date: Thu, 13 Feb 2020 21:22:58 +0100 (CET)
From: RedTimmy Security <redazione@...fault.it>
To: redazione@...fault.it
Subject: [FD] [EnumJavaLibs] Remote Java classpath enumerator

Hi,
we have just released EnumJavaLibs to perform Java class enumeration against Java services.

Discovering a deserialization vulnerability is often easy. When source code is available, it comes down to finding calls to readObject() and finding a way for user input to reach that function. If we don’t have the source code available, we can spot serialized objects on the wire by looking for binary blobs or base64 encoded objects (recognized by ‘rO0..’). The hard part comes with exploitation. Sure, you can throw all the exploits from ysoserial at it and hope for the best, but if it doesn’t work there is not much else you can try.

The big piece of information that is missing at this point is information about the classpath of the remote application. If we know what libraries are loaded, we might be able to construct a gadget chain (or adjust the existing ysoserial exploit to match the version of the library on the remote application, for example). That’s where the idea of EnumJavaLibs came from: just let it deserialize arbitrary objects from different (popular) third-party Java libraries. More specifically:

- Create a local database of the most common Java libraries
- For each of these libraries, find a class that is serializable
- Create an instance of this object, serialize it, and send it to the remote application
- If we get a ClassNotFoundException back, we know the library is not on the classpath

At Redtimmy Sec we have released the code of this project on GitHub, together with a tool that can build a database of libraries (JavaClassDB.py). 

You can download the pre-compiled version from: https://github.com/redtimmy/EnumJavaLibs/raw/master/bin/EnumJavaLibs.jar.

The source code is instead over here -> https://github.com/redtimmy/EnumJavaLibs

A wider description of how the tool works is in our blog -> https://www.redtimmy.com/uncategorized/remote-java-classpath-enumeration-with-enumjavalibs/

Regards

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
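The probing technique described in the post works only because the service resolves whatever class name the stream carries and answers with a ClassNotFoundException when it cannot. As an added example, not part of the post or of the EnumJavaLibs project, the Java class below shows the server-side look-ahead allowlist that removes that signal: the class name is checked before any class lookup, so an absent library and a present-but-unexpected one produce the same rejection. The allowed type names are hypothetical placeholders.

```java
import java.io.*;
import java.util.Set;

// Added example: an ObjectInputStream that decides on the class NAME before the JVM
// tries to load it. Whether the named library is on the classpath or not, a class
// outside the allowlist gets the identical InvalidClassException.
public class AllowlistObjectInputStream extends ObjectInputStream {

    // Hypothetical allowlist; a real service enumerates exactly the types it expects.
    private static final Set<String> ALLOWED = Set.of(
            "com.example.api.LoginRequest",
            "java.lang.String",
            "java.util.ArrayList");

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Thrown before super.resolveClass() ever consults the classpath.
            throw new InvalidClassException(name, "class not permitted in this stream");
        }
        return super.resolveClass(desc);
    }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException {
        // Dynamic proxies are never expected here, so they are rejected the same way.
        throw new InvalidClassException("java.lang.reflect.Proxy", "proxies not permitted");
    }

    // Unsafe 'before' for comparison: resolves any class the stream names, so a missing
    // library surfaces as ClassNotFoundException while a present one is instantiated.
    public static Object readUnchecked(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return ois.readObject();
        }
    }

    // Hardened 'after': every failure collapses into one generic error for the client.
    public static Object readChecked(byte[] payload) throws IOException {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(payload))) {
            return ois.readObject();
        } catch (ClassNotFoundException | InvalidClassException e) {
            throw new IOException("rejected serialized input");
        }
    }
}
```

Keep a JEP 290 ObjectInputFilter configured as well for defence in depth against gadget chains; the name check plus the uniform error response in readChecked is what denies a remote client the present/absent distinction.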
