New Exploit Technique In Java Deserialization Attack

Presented at Black Hat Europe 2019, Dec. 5, 2019, 11:55 a.m. (50 minutes)

Java deserialization attacks were brought to wide attention in 2015 by the FoxGlove Security team, and later work such as Marshalsec extended the attack surface to other Java marshalling libraries. These attacks give an attacker remote command execution and affect a large number of applications; they are among the most significant issues in the history of Java security.

Many vendors and developers mitigate deserialization attacks by maintaining a blacklist of classes that must not be deserialized; WebLogic, for example, ships such a blacklist and updates it continually. Against a mature blacklist it has become genuinely hard to find gadget chains that still yield remote command execution. We approached Java deserialization from a different angle and found a serious flaw, which is the main subject of this presentation.

The new attack vector lies in fundamental JDK classes and is widespread in Java applications: it involves most of the common request libraries, including URLClassLoader, the JDK's own HTTP request classes, Apache HttpClient and others. Combined with this vector we found many new gadget chains, and together they let us bypass all existing blacklists and gain remote code execution.

In further research we analyzed more than 10,000 third-party Java libraries and found many cases that are exploitable in real-world attack scenarios. In this talk we will explain the principle behind these vulnerabilities and the corresponding exploitation technique, and demonstrate how a target server can be compromised with it. The technique not only increases the impact of Java deserialization vulnerabilities but also amplifies other classes of Java security issues, and we will close by discussing its broader implications for Java security.
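The abstract contrasts blacklist-based mitigation with gadget chains the blacklist maintainer never anticipated. The following is an added example, not code from the talk or from any product it names: it places a `resolveClass` blacklist of the kind WebLogic-style mitigations use beside a JEP 290 `ObjectInputFilter` allowlist, and feeds both a class the application expects and a class the defender did not list. The class names `SessionToken` and `UnexpectedPayload` are constructed for the example; `UnexpectedPayload` is a benign stand-in whose `readObject` merely prints, not a gadget chain. The two blacklist entries are class names from long-public gadget chains and serve only as illustrative list content.

```java
import java.io.*;
import java.util.Set;

// Added example: a name-based deserialization blacklist beside a JEP 290 allowlist.
// Not the talk's code; class names below are constructed for illustration.
public class DeserializationFilters {

    // Weak mitigation: reject classes by name in resolveClass. Anything not listed,
    // including classes the defender has never heard of, is deserialized as usual.
    static final Set<String> BLACKLIST = Set.of(
            "org.apache.commons.collections.functors.InvokerTransformer",
            "com.sun.rowset.JdbcRowSetImpl");

    static final class BlacklistingObjectInputStream extends ObjectInputStream {
        BlacklistingObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (BLACKLIST.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "blocked by blacklist");
            }
            return super.resolveClass(desc);
        }
    }

    // Stronger mitigation: an allowlist filter. Only the listed classes may appear in
    // the stream, "!*" rejects everything else, and the limits bound nesting depth and
    // stream size before any object is constructed.
    static ObjectInputFilter allowlistFilter() {
        return ObjectInputFilter.Config.createFilter(
                "SessionToken;java.lang.String;maxdepth=4;maxbytes=4096;!*");
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object readWithBlacklist(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new BlacklistingObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    static Object readWithAllowlist(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowlistFilter());
            return ois.readObject();
        }
    }

    static void attempt(String label, byte[] data, boolean useAllowlist) {
        try {
            Object o = useAllowlist ? readWithAllowlist(data) : readWithBlacklist(data);
            System.out.println(label + ": accepted " + o.getClass().getName());
        } catch (InvalidClassException e) {
            System.out.println(label + ": rejected (" + e.getMessage() + ")");
        } catch (IOException | ClassNotFoundException e) {
            System.out.println(label + ": error " + e);
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] expected = serialize(new SessionToken("alice", 1700000000L));
        byte[] unexpected = serialize(new UnexpectedPayload());

        attempt("blacklist / SessionToken     ", expected, false);
        attempt("blacklist / UnexpectedPayload", unexpected, false); // accepted: not on the list
        attempt("allowlist / SessionToken     ", expected, true);
        attempt("allowlist / UnexpectedPayload", unexpected, true);  // rejected: not on the list
    }
}

// The type the application actually expects to receive (constructed for the example).
final class SessionToken implements Serializable {
    private static final long serialVersionUID = 1L;
    final String user;
    final long expires;
    SessionToken(String user, long expires) { this.user = user; this.expires = expires; }
}

// Constructed stand-in for "a serializable class the blacklist maintainer did not
// anticipate". Its readObject runs during deserialization, which is the hook a real
// gadget chain abuses; here it only prints.
final class UnexpectedPayload implements Serializable {
    private static final long serialVersionUID = 1L;
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        System.out.println("  UnexpectedPayload.readObject ran during deserialization");
    }
}
```

Compile with `javac DeserializationFilters.java && java DeserializationFilters`, or run the file directly with `java DeserializationFilters.java` on JDK 11 or later. The blacklist stream accepts `UnexpectedPayload` and its `readObject` executes; the allowlist filter rejects it before any object is built. Note that a filter only constrains which classes are instantiated from the stream: it does not stop an allowlisted class from doing something dangerous in its own `readObject`, which is why the allowlist should name only plain data types.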

Presenters:

  • Kunzhe Chai - Chief Information Security Officer, BCM Social Corp
    Kunzhe Chai (Anthony) is the founder of PegasusTeam, Chief Information Security Officer at BCM Social Corp, and author of the well-known security tool MDK4. He created China's first Wireless Security Defense Product Standard and is the world's first inventor of fake base station defense technology. He leads his team in presenting research results at HackInTheBox (HITB), Black Hat, DEFCON, CanSecWest, CodeBlue, POC and others. Follow him on Twitter at @swe3per.
  • Lucas Zhang - Leader of Security Research Department, BCM Social Corp
    Lucas Zhang (izy) is the Leader of the Security Research Department at BCM Social Corp and leader of the Back2Zero Team, with extensive experience in application security and penetration testing. He currently focuses on security research in application security, cloud security and blockchain security, and is a speaker at internationally renowned security conferences.
  • Yongtao Wang - Leader of Red Team, BCM Social Corp
    Yongtao Wang (@by_Sanr) is the co-founder of PegasusTeam and Leader of the Red Team at BCM Social Corp. He has extensive experience in wireless security and penetration testing, and his research interests include Active Directory and threat hunting. He shares his research at the China Internet Security Conference (ISC), Black Hat, CodeBlue, POC, CanSecWest, HackInTheBox and others.
