A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.

Please, use #javadeser hash tag for tweets.

• Java Native Serialization (binary)
  • Overview
  • Main talks & presentations & docs
  • Payload generators
  • Exploits
  • Detect
  • Vulnerable apps (without public sploits/need more info)
  • Protection
  • For Android
• XMLEncoder (XML)
• XStream (XML/JSON/various)
• Kryo (binary)
• Hessian/Burlap (binary/XML)
• Castor (XML)
• json-io (JSON)
• Jackson (JSON)
• Fastjson (JSON)
• Genson (JSON)
• Flexjson (JSON)
• Jodd (JSON)
• Red5 IO AMF (AMF)
• Apache Flex BlazeDS (AMF)
• Flamingo AMF (AMF)
• GraniteDS (AMF)
• WebORB for Java (AMF)
• SnakeYAML (YAML)
• jYAML (YAML)
• YamlBeans (YAML)
• "Safe" deserialization

• Java Deserialization Security FAQ
• From Foxgloves Security

by @frohoff & @gebl

• Video
• Slides
• Other stuff

by @matthias_kaiser

• Video

by @pwntester & @cschneider4711

• Slides
• White Paper
• Bypass Gadget Collection

by @frohoff & @gebl

• Slides

by @cschneider4711 & @pwntester

• Slides
• Video
• PoC for Scala, Grovy

by @matthias_kaiser

• Slides

by @matthias_kaiser

• Slides
• White Paper
• Tool for jms hacking

by @lucacarettoni

• Slides

by @pwntester and O. Mirosh

• Slides
• White Paper

by @e_rnst

• Slides+Source

by deadcode.me

• Part I - Commons Gadgets
• Part II - exploitation rev 2

by @joaomatosf

• Slides
• Examples

by @ianhaken

• Video
• Slides
• Tool

by @_tint0

• Slides

https://github.com/frohoff/ysoserial

ysoserial 0.6 payloads:

Plugins for Burp Suite (detection, ysoserial integration ):

• Freddy
• JavaSerialKiller
• Java Deserialization Scanner
• Burp-ysoserial
• SuperSerial
• SuperSerial-Active

Full shell (pipes, redirects and other stuff):

• $@|sh – Or: Getting a shell environment from Runtime.exec
• Set String[] for Runtime.exec (patch ysoserial's payloads)
• Shell Commands Converter

How it works:

• https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/
• http://gursevkalra.blogspot.ro/2016/01/ysoserial-commonscollections1-exploit.html

https://github.com/wh1t3p1g/ysoserial

• CommonsCollection8,9,10
• RMIRegistryExploit2,3
• RMIRefListener,RMIRefListener2
• PayloadHTTPServer
• Spring3

https://github.com/pwntester/JRE8u20_RCE_Gadget

Pure JRE 8 RCE Deserialization gadget

https://github.com/GrrrDog/ACEDcup

File uploading via:

• Apache Commons FileUpload <= 1.3 (CVE-2013-2186) and Oracle JDK < 7u40

https://gist.github.com/coekie/a27cc406fc9f3dc7a70d

Won't fix DoS via default Java classes (JRE)

https://github.com/topolik/ois-dos/

How it works:

• Java Deserialization DoS - payloads

Won't fix DoS using default Java classes (JRE)

• CVE-2018-2677

• Gadget Inspector
• Article about Gadget Inspector

• BaRMIe
• Barmitza
• RMIScout
• attackRmi
• Remote Method Guesser

• GadgetProbe: Exploiting Deserialization to Brute-Force the Remote Classpath

• GadgetProbe

• Remote Java classpath enumeration with EnumJavaLibs

• EnumJavaLibs

• serial-builder

no spec tool - You don't need a special tool (just Burp/ZAP + payload)

• Protocol
• Default - 1099/tcp for rmiregistry
• partially patched in JRE with JEP290 (JDK 8u121, JDK 7u131, JDK 6u141)
• Attacking Java RMI services after JEP 290
• An Trinhs RMI Registry Bypass
• RMIScout

ysoserial

Additional tools

• JMX on RMI
• • CVE-2016-3427
• partially patched in JRE with JEP290 (JDK 8u121, JDK 7u131, JDK 6u141)
• Attacking RMI based JMX services (after JEP 290)

ysoserial

mjet

JexBoss

• Special JMX protocol
• The Curse of Old Java Libraries

• When we control an address for lookup of JNDI (context.lookup(address) and can have backconnect from a server
• Full info
• JNDI remote code injection
• Exploiting JNDI Injections in Java

https://github.com/zerothoughts/jndipoc

https://github.com/welk1n/JNDI-Injection-Exploit

• Full info

JMET

• if no encryption or good mac

no spec tool

JexBoss

• JDBC via HTTP library
• all version are vulnerable
• Details

no spec tool

• Protocol
• Default - 7001/tcp on localhost interface
• CVE-2015-4852
• Blacklist bypass - CVE-2017-3248
• Blacklist bypass - CVE-2017-3248 PoC
• Blacklist bypass - CVE-2018-2628
• Blacklist bypass - cve-2018-2893
• Blacklist bypass - CVE-2018-3245
• Blacklist bypass - CVE-2018-3191
• CVE-2019-2725
• CVE-2020-2555
• CVE-2020-2883
• CVE-2020-2963
• CVE-2020-14625
• CVE-2020-14644
• CVE-2020-14645
• CVE-2020-14756
• CVE-2020-14825
• CVE-2020-14841
• CVE-2021-2394
• SSRF JDBC
• CVE-2023-21931

loubia (tested on 11g and 12c, supports t3s)

JavaUnserializeExploits (doesn't work for all Weblogic versions)

WLT3Serial

CVE-2018-2628 sploit

• Protocol

• Default - 7001/tcp on localhost interface

• CVE-2020-2551

• Details

CVE-2020-2551 sploit

• auth required
• How it works
• CVE-2018-3252

• auth required
• CVE-2021-2109

Exploit

• CVE-2021-35587

• CVE-2022–21445
• /appcontext/afr/test/remote/payload/

no spec tool

• wsadmin
• Default port - 8880/tcp
• CVE-2015-7450

JavaUnserializeExploits

serialator

CoalfireLabs/java_deserialization_exploits

• When using custom form authentication
• WASPostParam cookie
• Full info

no spec tool

• IBM WAS DMGR
• special port
• CVE-2019-4279
• ibm10883628
• Exploit

Metasploit

• Protocol
• 2809, 9100, 9402, 9403
• CVE-2020-4450
• CVE-2020-4449
• Abusing Java Remote Protocols in IBM WebSphere
• Vuln Details

• http://jboss_server/invoker/JMXInvokerServlet
• Default port - 8080/tcp
• CVE-2015-7501

JavaUnserializeExploits

https://github.com/njfox/Java-Deserialization-Exploit

serialator

JexBoss

• http://jboss_server/invoker/readonly
• Default port - 8080/tcp
• CVE-2017-12149
• JBoss 6.X and EAP 5.X
• Details

no spec tool

• http://jboss_server/jbossmq-httpil/HTTPServerILServlet/
• <= 4.x
• CVE-2017-7504

no spec tool

• Jenkins CLI
• Default port - High number/tcp
• CVE-2015-8103
• CVE-2015-3253

JavaUnserializeExploits

JexBoss

• patch "bypass" for Jenkins
• CVE-2016-0788
• Details of exploit

ysoserial

• Jenkins CLI LDAP
• *Default port - High number/tcp
• <= 2.32
• <= 2.19.3 (LTS)
• CVE-2016-9299

• <= 2.32.1
• CVE-2017-1000353
• Details

Sploit

• RMI

ysoserial

• <= 2.1.2
• When Rest API accepts serialized objects (uses ObjectRepresentation)

no spec tool

• *When Rest API accepts serialized objects (uses @Consumes({"*/*"}) or "application/*" )
• Details and examples

no spec tool

• RMI

ysoserial

• CVE-2020-12760/NMS-12673
• JMS

JMET

• all versions
• RMI

ysoserial

• CVE-2015-7253
• Serialized object in cookie

no spec tool

• /servlet/ConsoleServlet?ActionType=SendStatPing
• CVE-2015-6555

serialator

• https://[target]:18443/v3/dataflow/0/0
• CVE-2016-3461

no spec tool

serialator

• custom(?) protocol (1337/tcp)
• MSA-2016-01

powerfolder-exploit-poc

• <= 6.3.1
• RMI
• CVE-2016-3642

ysoserial

• https://[target]/xmp_data_handler_service/xmpDataOperationRequestServlet
• <= 2.2.3 Update 4
• <= 3.0.2
• CVE-2016-1291

CoalfireLabs/java_deserialization_exploits

• <= 5.8.0.32.2
• RMI (2020 tcp)
• CSCux34781

ysoserial

• RMI (port 1099 tcp)
• version < 9.0.6
• CVE-2018-15381

ysoserial

• RMI (2098 and 2099)
• Details

ysoserial

• RMI (port 81 tcp)
• Details
• CVE-2018-11247

ysoserial

• JMX (port 6338 tcp)
• Details
• CVE-2019-7727

• JMX (port 7199 tcp)
• Details
• [CVE-2018-8016](https://www.vulners.com/search?query= CVE-2018-8016)

• JMX (port 9010 tcp)
• Details

• version < 4.7.0
• CVE-2019-17556
• Details and examples

no spec tool

• CVE-2019-17564
• Details and examples

no spec tool

• all version, no fix (the project is not supported)
• POST XML request with ex:serializable element
• Details and examples

no spec tool

• because it uses Apache XML-RPC
• CVE-2016-5004
• Details and examples

no spec tool

• https://[target]/developmentserver/metadatauploader
• CVE-2017-9844

PoC

• /virtualjdbc/
• CVE-2019-0344

no spec tool

• admin panel for Solaris
• < v3.1.
• old DoS sploit

no spec tool

• 1.0.0 <= version < 1.0.13
• 1.2.1 <= version < 1.2.14
• 2.0.0 <= version < 2.0.1
• 2.1.0 <= version < 2.1.1
• it does not check MAC
• CVE-2016-5019

no spec tool

• Variation of exploitation CVE-2018-12532
• When EL Injection meets Java Deserialization

• JMX
• Patch bypass
• CVE-2016-8735

JexBoss

• version 4.x
• CVE-2017-5586

exploit

• /api/spring
• /api/liferay
• <= 7.0-ga3
• if IP check works incorrectly
• Details

no spec tool

• /UFC
• <= 6.7.0
• Details

PoC

• version
• RMI
• CVE-2016-9498

ysoserial

• version < 12.5.329
• Details with exploit CVE-2020-28653/CVE-2021-3287

• version < 10.0.474
• CVE-2020-10189

MSF exploit

• SHIRO-550
• encrypted cookie (with the hardcoded key)
• Exploitation (in Chinese)

• WebDMDebugServlet
• <= 7.3 E0504P2
• CVE-2017-12557

Metasploit module

• RMI
• <= 7.3 E0504P2
• CVE-2017-5792

ysoserial

• Non default config
• JMXMP

• Non default config
• JMXMP

• CVE-2020-11853
• Vulnerability analyzis Affected products:
• Operations Bridge Manager versions: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, versions 10.6x and 10.1x and older versions
• Application Performance Management versions: 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3 \
• Data Center Automation version 2019.11
• Operations Bridge (containerized) versions: 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11
• Universal CMDB versions: 2020.05, 2019.11, 2019.05, 2019.02, 2018.11, 2018.08, 2018.05, 11, 10.33, 10.32, 10.31, 10.30
• Hybrid Cloud Management version 2020.05
• Service Management Automation versions 2020.5 and 2020.02

Metasploit Exploit

• CVE-2020-4280
• Exploitation

• /console/remoteJavaScript
• CVE-2020-4888

Exploit

• RMI
• port 58611
• <=8.5.0.0 (all)
• Exploitation details

• connect-api
• Vulnerbility analyzis

• CVE-2020-11518
• Exloitation

• JMS

JMET

• JMS

JMET

• JMS

JMET

• JMS

JMET

• JMS

JMET

• JMS

JMET

• JMS

JMET

• JMS

JMET

• JMS

JMET

• JMS

JMET

• JMS

JMET

• JMS

JMET

• All version (this was deemed by design by project maintainer)
• Binary
• Default port : 5001
• Info : https://axis.apache.org/axis2/java/core/docs/soapmonitor-module.html

java -jar ysoserial-*-all.jar CommonsCollections1 'COMMAND_HERE' | nc TARGET_SERVER 5001

ysoserial

• <= 3.0.1
• RMI
• Exploit

ysoserial

• <= 3.0.1
• RMI
• When using Distributed Test only
• Exploit

ysoserial

• <= 1.4.0
• JNDI injection
• /jolokia/
• Exploit

• all versions
• Poor RichFaces
• When EL Injection meets Java Deserialization

• < 3.0.1
• Analysis of CVE-2017-12628

ysoserial

• <= Oracle 12C
• CVE-2018-3004 - Oracle Privilege Escalation via Deserialization

• < 8.7.0
• CVE-2016-3415
• <= 8.8.11
• A Saga of Code Executions on Zimbra

• <= 2016 Update 4
• <= 11 update 12
• CVE-2017-11283
• CVE-2017-11284

• RMI
• <= 2016 Update 5
• <= 11 update 13
• Another ColdFusion RCE – CVE-2018-4939
• CVE-2018-4939

• custom protocol in JNBridge
• port 6093 or 6095
• <= 2016 Update ?
• <= 2018 Update ?
• APSB19-17
• CVE-2019-7839: ColdFusion Code Execution Through JNBridge

• SOLR-8262
• 5.1 <= version <=5.4
• /stream handler uses Java serialization for RPC

• SOLR-13301
• CVE-2019-0192
• version: 5.0.0 to 5.5.5
• version: 6.0.0 to 6.6.5
• Attack via jmx.serviceUrl
• Exploit

• 5.5 - 6.1 (?)
• /lib/dam/cloud/proxy.json parameter file
• ExternalJobPostServlet

• version < 5.1.41
• when "autoDeserialize" is set on
• CVE-2017-3523

• RMI
• Java RMI Server Insecure Default Configuration

• RMI
• SYSS-2019-039

• RMI
• CVE-2020-10917
• ZDI-20-684

• RMI
• cve-2021-26295
• Exploit

• < 11.73
• < 12.02
• NetMotion Mobility Server Multiple Deserialization of Untrusted Data Lead to RCE
• CVE-2021-26914

ysoserial Metasploit Exploit: exploit/windows/http/netmotion_mobility_mvcutil_deserialization

• Bonita serverAPI
• /bonita/serverAPI/

ysoserial

• <= 3.4.18 (with the shell server enabled)
• RMI
• Exploit for CVE-2021-34371

• port 5701 (Hazelcast)
• similar to CVE-2016-10750
• Exploit for CVE-2022-26133

• RMI of Ehcache
• CVE-2020-36239

• patched
• Details of exloitation

• ObjectInputStream.readObject
• ObjectInputStream.readUnshared
• Tool: Find Security Bugs
• Tool: Serianalyzer

• Magic bytes 'ac ed 00 05' bytes
• 'rO0' for Base64
• 'application/x-java-serialized-object' for Content-Type header

• Nmap >=7.10 has more java-related probes
• use nmap --all-version to find JMX/RMI on non-standart ports

• JavaSerialKiller
• Java Deserialization Scanner
• Burp-ysoserial
• SuperSerial
• SuperSerial-Active
• Freddy

• Details

• info from slides

• CVE-2015-5254
• <= 5.12.1
• Explanation of the vuln
• CVE-2015-7253

• CVE-2015-6576
• 2.2 <= version < 5.8.5
• 5.9.0 <= version < 5.9.7

• CVE-2015-8360
• 2.3.1 <= version < 5.9.9
• Bamboo JMS port (port 54663 by default)

• only Jira with a Data Center license
• RMI (port 40001 by default)
• JRA-46203

• version < 2.4.17
• "an ActorSystem exposed via Akka Remote over TCP"
• Official description

• CVE-2016-2173
• 1.0.0 <= version < 1.5.5

• CVE-2016-6809
• 1.6 <= version < 1.14
• Apache Tika’s MATLAB Parser

• HBASE-14799

• CVE-2015-5348

• CVE-2020-1948
• <=2.7.7

• SPARK-20922: Unsafe deserialization in Spark LauncherConnection

• SPARK-11652: Remote code execution with InvokerTransformer

• as server
• CVE-2017-5645

• <= 1.2.17
• CVE-2019-17571

• CVE-2017-15692
• CVE-2017-15693
• Details

• CVE-2018-1295
• CVE-2018-8018
• Details

• CVE-2017-15089
• Details

• CVE-2016-10750
• Details

• custom(?) protocol(60024/tcp)
• article

• from slides

• CVE-2015-7501

• RHSA-2016-0539
• CVE-2016-2510

• CVE-2020-10740

• 6.0 <= version < 6.4.0
• REST API
• VMSA-2016-0020
• CVE-2016-7462

• CVE-2015-6934
• VMSA-2016-0005
• JMX

• List of vulnerable products
• CVE-2015-6420

• CVE-2020-27131

• CVE-2016-1487

• CVE-2015-8765

• version 7.3 E0506P09 and earlier
• several CVE-2019-x

• CVE-2016-4372

• CVE-2016-1997

• CVE-2016-2000

• CVE-2016-1998

• CVE-2016-1985

• CVE-2016-1999

• CVE-2016-1986

• CVE-2016-2003

• CVE-2016-4385

• CVE-2016-0958

• CVE-2015-8237 (CVE ID changed?)
• RMI (30xx/tcp)
• CVE-2015-8238 (CVE ID changed?)
• js-soc protocol (4711/tcp)
• Details

• CVE-2016-2170

• CVE-2020-9496

• requires local access
• CVE-2016-0714
• Article

• many requirements
• Apache Tomcat Remote Code Execution via session persistence
• CVE-2020-9484

• CVE-2016-0779

• CVE-2012-4858

• CVE-2020-4521

• CVE-2016-1000031

• 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
• 201505-01

• sol30518307

• HS16-010
• 0328_acc

• CVE-2015-8545 (CVE ID changed?)

• port 45000
• when Clustering is enabled
• Won't Fix (?)
• 10.7 and 10.8
• Citrix advisory
• CVE-2018-10654

• SOAP connector
• <= 9.0.0.9
• <= 8.5.5.14
• <= 8.0.0.15
• <= 7.0.0.45
• CVE-2018-1567

• CVE-2015-1920

• TCP port 11006
• CVE-2020-4448
• Vuln details

• SOAP connector
• CVE-2020-4464
• Vuln details

• CVE-2021-20353

• CVE-2020-4576

• CVE-2020-4589

• TCP port 4282
• RMI (?)
• 5.4.x
• CVE-2017-9830
• Details

• CVE-2013-1768

• CVE-2017-8012

• <2.14.2
• CVE-2020-24164

• v4.1.x
• v4.2.x
• CAS Vulnerability Disclosure from Apereo

• CVE-2021–31474
• Video

• Look-ahead Java deserialization
• NotSoSerial
• SerialKiller
• ValidatingObjectInputStream
• Name Space Layout Randomization
• Some protection bypasses
• Tool: Serial Whitelist Application Trainer
• JEP 290: Filter Incoming Serialization Data in JDK 6u141, 7u131, 8u121
  • A First Look Into Java's New Serialization Filtering
• AtomicSerial

• One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android
• Android Serialization Vulnerabilities Revisited
• A brief history of Android deserialization vulnerabilities
• Exploiting Android trough an Intent with Reflection

• Android Java Deserialization Vulnerability Tester

How it works:

• https://web.archive.org/web/20191007233559/http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
• Java Unmarshaller Security

• java.beans.XMLDecoder
• readObject

• Freddy

• <= 10.3.6.0.0
• <= 12.1.3.0.0
• <= 12.2.1.2.0
• <= 12.2.1.1.0
• http://weblogic_server/wls-wsat/CoordinatorPortType
• CVE-2017-3506
• CVE-2017-10271
• Details
• CVE-2019-2729 Details

Exploit

• priv escalation
• Oracle Privilege Escalation via Deserialization

How it works:

• http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/
• http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
• https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
• Java Unmarshaller Security

• https://github.com/mbechler/marshalsec
• https://github.com/chudyPB/XStream-Gadgets
• CVE-2020-26217
• CVE-2020-26258 - SSRF
• CVE-2021-29505
• CVE-2021-39144

• <= 2.3.34
• <= 2.5.13
• REST plugin
• CVE-2017-9805

Exploit

• com.thoughtworks.xstream.XStream
• xs.fromXML(data)

• Freddy

• CVE-2016-5229

• CVE-2017-2608

How it works:

• https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo
• Java Unmarshaller Security

• https://github.com/mbechler/marshalsec

• com.esotericsoftware.kryo.io.Input
• SomeClass object = (SomeClass)kryo.readClassAndObject(input);
• SomeClass someObject = kryo.readObjectOrNull(input, SomeClass.class);
• SomeClass someObject = kryo.readObject(input, SomeClass.class);

• Freddy

How it works:

• Java Unmarshaller Security
• Castor and Hessian java deserialization vulnerabilities
• Recurrence and Analysis of Hessian Deserialization RCE Vulnerability

• https://github.com/mbechler/marshalsec

• com.caucho.hessian.io
• AbstractHessianInput
• com.caucho.burlap.io.BurlapInput;
• com.caucho.burlap.io.BurlapOutput;
• BurlapInput in = new BurlapInput(is);
• Person2 p1 = (Person2) in.readObject();

• Freddy

• CVE-2017-12634

• CVE-2020-15505
• Metasploit Exploit

• Details and examples

How it works:

• Java Unmarshaller Security
• Castor and Hessian java deserialization vulnerabilities

• https://github.com/mbechler/marshalsec

• org.codehaus.castor
• org.exolab.castor.xml.Unmarshaller
• org.springframework.oxm.Unmarshaller
• Unmarshaller.unmarshal(Person.class, reader)
• unmarshaller = context.createUnmarshaller();
• unmarshaller.unmarshal(new StringReader(data));

• Freddy

• NMS-9100

• CVE-2017-12633

How it works:

• Java Unmarshaller Security

Exploitation examples:

• Experiments with JSON-IO, Serialization, Mass Assignment, and General Java Object Wizardry
• JSON Deserialization Memory Corruption Vulnerabilities on Android

• https://github.com/mbechler/marshalsec

• com.cedarsoftware.util.io.JsonReader
• JsonReader.jsonToJava

• Freddy

vulnerable in specific configuration

How it works:

• Java Unmarshaller Security
• On Jackson CVEs: Don’t Panic — Here is what you need to know
• Jackson Deserialization Vulnerabilities
• The End of the Blacklist

• https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
• https://github.com/mbechler/marshalsec
• blacklist bypass - CVE-2017-17485
• blacklist bypass - CVE-2017-15095
• CVE-2019-14540
• Jackson gadgets - Anatomy of a vulnerability
• JNDI Injection using Getter Based Deserialization Gadgets
• blacklist bypass - CVE-2020-8840
• blacklist bypass - CVE-2020-10673

• com.fasterxml.jackson.databind.ObjectMapper
• ObjectMapper mapper = new ObjectMapper();
• objectMapper.enableDefaultTyping();
• @JsonTypeInfo(use=JsonTypeInfo.Id.CLASS, include=JsonTypeInfo.As.PROPERTY, property="@class")
• public Object message;
• mapper.readValue(data, Object.class);

• Freddy

• CVE-2019-12384

• CVE-2019-16891

• CVE-2016-8749

How it works:

• https://www.secfree.com/article-590.html
• Official advisory
• Fastjson process analysis and RCE analysis
• Fastjson Deserialization Vulnerability History
• Hao Xing Zekai Wu - How I use a JSON Deserialization 0day to Steal Your Money On The Blockchain.pdf

• com.alibaba.fastjson.JSON
• JSON.parseObject

• Freddy

• fastjson 1.2.24 <=
• fastjson 1.2.47 <=
• fastjson 1.2.66 <=
• blacklisted gadgets
• Fastjson: exceptional deserialization vulnerabilities
• Hao Xing Zekai Wu - How I use a JSON Deserialization 0day to Steal Your Money On The Blockchain.pdf

How it works:

• Friday the 13th JSON Attacks

• com.owlike.genson.Genson
• useRuntimeType
• genson.deserialize

• Freddy

How it works:

• Friday the 13th JSON Attacks

• PoC

• import flexjson.JSONDeserializer
• JSONDeserializer jsonDeserializer = new JSONDeserializer()
• jsonDeserializer.deserialize(jsonString);

• Liferay Portal JSON Web Service RCE Vulnerabilities
• CST-7111

vulnerable in a non-default configuration when setClassMetadataName() is set

• issues/628

• PoC

• com.fasterxml.jackson.databind.ObjectMapper
• JsonParser jsonParser = new JsonParser()
• jsonParser.setClassMetadataName("class").parse(jsonString, ClassName.class);

How it works:

• Java Unmarshaller Security

• https://github.com/mbechler/marshalsec

• org.red5.io
• Deserializer.deserialize(i, Object.class);

• Freddy

• CVE-2017-5878

How it works:

• AMF – Another Malicious Format
• Java Unmarshaller Security

• https://github.com/mbechler/marshalsec

• Freddy

• BIRemotingServlet
• no auth
• CVE-2020-2950
• Details on the Oracle WebLogic Vulnerability Being Exploited in the Wild
• CVE-2020–2950 — Turning AMF Deserialize bug to Java Deserialize bug

• CVE-2017-3066

• <= 2016 Update 3

• <= 11 update 11

• <= 10 Update 22

• Exploiting Adobe ColdFusion before CVE-2017-3066

• PoC

• /ACSServer/messagebroker/amf

• at least 2.2.1

• based on CVE-2017-5641

• PoC

• CVE-2017-5641

• based on CVE-2017-5641

• /simsearch/messagebroker/amfsecure
• 7.6.x
• CVE-2020-7200
• Metasploit Exploit

• < 8.3
• /monitor/messagebroker/amf
• Details

How it works:

• AMF – Another Malicious Format

• Freddy

How it works:

• AMF – Another Malicious Format

• Freddy

How it works:

• AMF – Another Malicious Format

• Freddy

How it works:

• Java Unmarshaller Security

• https://github.com/mbechler/marshalsec
• Payload Generator for the SnakeYAML deserialization gadget

• org.yaml.snakeyaml.Yaml
• yaml.load

• Freddy

• CVE-2016-9606

• CVE-2017-3159

• CVE-2016-8744

• CVE-2020-1947

How it works:

• Java Unmarshaller Security

• https://github.com/mbechler/marshalsec

• org.ho.yaml.Yaml
• Yaml.loadType(data, Object.class);

• Freddy

How it works:

• Java Unmarshaller Security

• https://github.com/mbechler/marshalsec

• com.esotericsoftware.yamlbeans
• YamlReader r = new YamlReader(data, yc);

• Freddy

Some serialization libs are safe (or almost safe) https://github.com/mbechler/marshalsec

However, it's not a recommendation, but just a list of other libs that has been researched by someone:

• JAXB
• XmlBeans
• Jibx
• Protobuf
• GSON
• GWT-RPC