# Java-Deserialization-Cheat-Sheet
A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.

Please use the **#javadeser** hashtag for tweets.

## Table of contents
- [Java Native Serialization (binary)](#java-native-serialization-binary)
  - [Overview](#overview)
  - [Main talks & presentations & docs](#main-talks--presentations--docs)
  - [Payload generators](#payload-generators)
  - [Exploits](#exploits)
  - [Detect](#detect)
  - [Vulnerable apps (without public sploits/need more info)](#vulnerable-apps-without-public-sploitsneed-more-info)
  - [Protection](#protection)
  - [For Android](#for-android)
- [XMLEncoder (XML)](#xmlencoder-xml)
- [XStream (XML/JSON/various)](#xstream-xmljsonvarious)
- [Kryo (binary)](#kryo-binary)
- [Hessian/Burlap (binary/XML)](#hessianburlap-binaryxml)
- [Castor (XML)](#castor-xml)
- [json-io (JSON)](#json-io-json)
- [Jackson (JSON)](#jackson-json)
- [Fastjson (JSON)](#fastjson-json)
- [Genson (JSON)](#genson-json)
- [Flexjson (JSON)](#flexjson-json)
- [Jodd (JSON)](#jodd-json)
- [Red5 IO AMF (AMF)](#red5-io-amf-amf)
- [Apache Flex BlazeDS (AMF)](#apache-flex-blazeds-amf)
- [Flamingo AMF (AMF)](#flamingo-amf--amf)
- [GraniteDS (AMF)](#graniteds--amf)
- [WebORB for Java (AMF)](#weborb-for-java--amf)
- [SnakeYAML (YAML)](#snakeyaml-yaml)
- [jYAML (YAML)](#jyaml-yaml)
- [YamlBeans (YAML)](#yamlbeans-yaml)
- ["Safe" deserialization](#safe-deserialization)

## Java Native Serialization (binary)

### Overview
- [Java Deserialization Security FAQ](https://christian-schneider.net/JavaDeserializationSecurityFAQ.html)
- [From Foxglove Security](https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)

### Main talks & presentations & docs
##### Marshalling Pickles
by [@frohoff](https://twitter.com/frohoff) & [@gebl](https://twitter.com/gebl)

- [Video](https://www.youtube.com/watch?v=KSA7vUkXGSg)
- [Slides](https://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles)
- [Other stuff](https://frohoff.github.io/appseccali-marshalling-pickles/)

##### Exploiting Deserialization Vulnerabilities in Java
by [@matthias_kaiser](https://twitter.com/matthias_kaiser)

- [Video](https://www.youtube.com/watch?v=VviY3O-euVQ)

##### Serial Killer: Silently Pwning Your Java Endpoints
by [@pwntester](https://twitter.com/pwntester) & [@cschneider4711](https://twitter.com/cschneider4711)

- [Slides](https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf)
- [White Paper](https://community.hpe.com/hpeb/attachments/hpeb/off-by-on-software-security-blog/722/1/HPE-SR%20whitepaper%20java%20deserialization%20RSA2016.pdf)
- [Bypass Gadget Collection](https://github.com/pwntester/SerialKillerBypassGadgetCollection)

##### Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization
by [@frohoff](https://twitter.com/frohoff) & [@gebl](https://twitter.com/gebl)

- [Slides](https://www.slideshare.net/frohoff1/deserialize-my-shorts-or-how-i-learned-to-start-worrying-and-hate-java-object-deserialization)

##### Surviving the Java serialization apocalypse
by [@cschneider4711](https://twitter.com/cschneider4711) & [@pwntester](https://twitter.com/pwntester)

- [Slides](https://www.slideshare.net/cschneider4711/surviving-the-java-deserialization-apocalypse-owasp-appseceu-2016)
- [Video](https://www.youtube.com/watch?v=m1sH240pEfw)
- [PoC for Scala, Groovy](https://github.com/pwntester/JVMDeserialization)

##### Java Deserialization Vulnerabilities - The Forgotten Bug Class
by [@matthias_kaiser](https://twitter.com/matthias_kaiser)

- [Slides](https://www.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class)

##### Pwning Your Java Messaging With Deserialization Vulnerabilities
by [@matthias_kaiser](https://twitter.com/matthias_kaiser)

- [Slides](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf)
- [White Paper](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf)
- [Tool for JMS hacking](https://github.com/matthiaskaiser/jmet)

##### Defending against Java Deserialization Vulnerabilities
by [@lucacarettoni](https://twitter.com/lucacarettoni)

- [Slides](https://www.slideshare.net/ikkisoft/defending-against-java-deserialization-vulnerabilities)

##### A Journey From JNDI/LDAP Manipulation To Remote Code Execution Dream Land
by [@pwntester](https://twitter.com/pwntester) and O. Mirosh

- [Slides](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf)
- [White Paper](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf)

##### Fixing the Java Serialization mess
by [@e_rnst](https://twitter.com/e_rnst)

- [Slides+Source](https://t.co/zsDnQBgw0Y)

##### Blind Java Deserialization
by deadcode.me

- [Part I - Commons Gadgets](https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html)
- [Part II - exploitation rev 2](https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html)

##### An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (JVM)
by [@joaomatosf](https://twitter.com/joaomatosf)

- [Slides](https://www.slideshare.net/joaomatosf_/an-overview-of-deserialization-vulnerabilities-in-the-java-virtual-machine-jvm-h2hc-2017)
- [Examples](https://github.com/joaomatosf/JavaDeserH2HC)

##### Automated Discovery of Deserialization Gadget Chains
by [@ianhaken](https://twitter.com/ianhaken)

- [Video](https://youtube.com/watch?v=wPbW6zQ52w8)
- [Slides](https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/DEFCON-26-Ian-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf)
- [Tool](https://github.com/JackOfMostTrades/gadgetinspector)

##### Far Sides Of Java Remote Protocols
by [@_tint0](https://twitter.com/_tint0)

- [Slides](https://i.blackhat.com/eu-19/Wednesday/eu-19-An-Far-Sides-Of-Java-Remote-Protocols.pdf)

### Payload generators
##### ysoserial
[https://github.com/frohoff/ysoserial](https://github.com/frohoff/ysoserial)

ysoserial 0.6 payloads:

payload | author | dependencies | impact (if not RCE)
------|--------|------|------
AspectJWeaver | @Jang | aspectjweaver:1.9.2, commons-collections:3.2.2 |
BeanShell1 | @pwntester, @cschneider4711 | bsh:2.0b5 |
C3P0 | @mbechler | c3p0:0.9.5.2, mchange-commons-java:0.2.11 |
Click1 | @artsploit | click-nodeps:2.3.0, javax.servlet-api:3.1.0 |
Clojure | @JackOfMostTrades | clojure:1.8.0 |
CommonsBeanutils1 | @frohoff | commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 |
CommonsCollections1 | @frohoff | commons-collections:3.1 |
CommonsCollections2 | @frohoff | commons-collections4:4.0 |
CommonsCollections3 | @frohoff | commons-collections:3.1 |
CommonsCollections4 | @frohoff | commons-collections4:4.0 |
CommonsCollections5 | @matthias_kaiser, @jasinner | commons-collections:3.1 |
CommonsCollections6 | @matthias_kaiser | commons-collections:3.1 |
CommonsCollections7 | @scristalli, @hanyrax, @EdoardoVignati | commons-collections:3.1 |
FileUpload1 | @mbechler | commons-fileupload:1.3.1, commons-io:2.4 | file uploading
Groovy1 | @frohoff | groovy:2.3.9 |
Hibernate1 | @mbechler | |
Hibernate2 | @mbechler | |
JBossInterceptors1 | @matthias_kaiser | javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 |
JRMPClient | @mbechler | |
JRMPListener | @mbechler | |
JSON1 | @mbechler | json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 |
JavassistWeld1 | @matthias_kaiser | javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 |
Jdk7u21 | @frohoff | |
Jython1 | @pwntester, @cschneider4711 | jython-standalone:2.5.2 |
MozillaRhino1 | @matthias_kaiser | js:1.7R2 |
MozillaRhino2 | @_tint0 | js:1.7R2 |
Myfaces1 | @mbechler | |
Myfaces2 | @mbechler | |
ROME | @mbechler | rome:1.0 |
Spring1 | @frohoff | spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE |
Spring2 | @mbechler | spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 |
URLDNS | @gebl | (JRE only) | vulnerability detection (triggers a DNS lookup), no RCE
Vaadin1 | @kai_ullrich | vaadin-server:7.7.14, vaadin-shared:7.7.14 |
Wicket1 | @jacob-baines | wicket-util:6.23.0, slf4j-api:1.6.4 |

Plugins for Burp Suite (detection, ysoserial integration):
- [Freddy](https://github.com/nccgroup/freddy)
- [JavaSerialKiller](https://github.com/NetSPI/JavaSerialKiller)
- [Java Deserialization Scanner](https://github.com/federicodotta/Java-Deserialization-Scanner)
- [Burp-ysoserial](https://github.com/summitt/burp-ysoserial)
- [SuperSerial](https://github.com/DirectDefense/SuperSerial)
- [SuperSerial-Active](https://github.com/DirectDefense/SuperSerial-Active)

Full shell (pipes, redirects and other stuff):
- [$@|sh – Or: Getting a shell environment from Runtime.exec](http://codewhitesec.blogspot.ru/2015/03/sh-or-getting-shell-environment-from.html)
- Pass a `String[]` to `Runtime.exec` instead of a single command string (patch ysoserial's payloads)
- [Shell Commands Converter](https://ares-x.com/tools/runtime-exec/)

How it works:
- [https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/](https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/)
- [http://gursevkalra.blogspot.ro/2016/01/ysoserial-commonscollections1-exploit.html](http://gursevkalra.blogspot.ro/2016/01/ysoserial-commonscollections1-exploit.html)

##### ysoserial fork with additional payloads
[https://github.com/wh1t3p1g/ysoserial](https://github.com/wh1t3p1g/ysoserial)

- CommonsCollections8, 9, 10
- RMIRegistryExploit2, 3
- RMIRefListener, RMIRefListener2
- PayloadHTTPServer
- Spring3

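The Burp plugins listed above, the URLDNS "detect only" payload and the "no spec tool" entries later in this page all rest on the same first step: recognising a Java serialization stream (magic `AC ED 00 05`, `rO0AB` in base64, `H4sI` when gzipped as in a JSF ViewState) inside a request body, cookie or parameter, and seeing which classes it carries. The following added example (not code from any linked tool) does that triage in Python: it peels the usual encodings, walks the stream for `TC_CLASSDESC`/`TC_PROXYCLASSDESC` records and flags class names from well-known gadget chains. The gadget list is an illustrative subset and the sample stream at the bottom is hand-built with made-up `serialVersionUID`s, not ysoserial output.

```python
"""Triage a blob for Java native serialization and list the classes it declares.
Added example for this cheat sheet; not code from any of the tools linked above.
GADGET_CLASSES is an illustrative subset and SAMPLE is a constructed stream."""
import base64
import binascii
import gzip
import re
import struct

MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
TC_NULL, TC_CLASSDESC, TC_OBJECT, TC_STRING = 0x70, 0x72, 0x73, 0x74
TC_ENDBLOCKDATA, TC_PROXYCLASSDESC = 0x78, 0x7D
SC_SERIALIZABLE, SC_EXTERNALIZABLE, SC_ENUM = 0x02, 0x04, 0x10

# Classes that appear in well-known ysoserial chains (CommonsCollections*,
# Groovy1, JSON1/JdbcRowSetImpl, URLDNS).  Illustrative, not a complete list.
GADGET_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.map.LazyMap",
    "org.apache.commons.collections4.functors.InvokerTransformer",
    "org.codehaus.groovy.runtime.ConvertedClosure",
    "com.sun.rowset.JdbcRowSetImpl",
    "java.net.URL",
}
# Binary class names as written in TC_CLASSDESC: dotted names or array
# descriptors such as "[Ljava.lang.Object;" and "[B".
_NAME = re.compile(r"^\[*(L[\w$]+(\.[\w$]+)*;|[\w$]+(\.[\w$]+)*)$")


def normalize(blob: bytes) -> bytes:
    """Peel the wrappers a serialized object travels in (base64 "rO0AB...",
    hex "aced0005...", gzip, or base64 over gzip as in a JSF ViewState) and
    return the bytes from STREAM_MAGIC onward, or b"" if there is no stream."""
    for _ in range(3):
        s = blob.strip()
        try:
            if s[:2] == b"\x1f\x8b":
                blob = gzip.decompress(s)
            elif s[:5] == b"rO0AB" or s[:4] == b"H4sI":
                blob = base64.b64decode(s + b"=" * (-len(s) % 4))
            elif s[:8].lower() == b"aced0005":
                blob = binascii.unhexlify(s)
            else:
                break
        except (OSError, EOFError, ValueError):
            break
    i = blob.find(MAGIC)
    return blob[i:] if i >= 0 else b""


def class_names(stream: bytes) -> list:
    """Scan for TC_CLASSDESC / TC_PROXYCLASSDESC and return declared class names
    in stream order.  A tolerant scan, not a full parser: a candidate is kept
    only if the fixed layout after the name is sane (serialVersionUID, flags
    with a serializable bit, small field count), so a stray 0x72 byte inside a
    string rarely yields a false positive.  TC_REFERENCE back-references are
    not resolved, so a class that is reused appears once."""
    names, i = [], 0
    while i + 3 <= len(stream):
        tc = stream[i]
        if tc == TC_CLASSDESC:
            n = struct.unpack_from(">H", stream, i + 1)[0]
            end = i + 3 + n
            name = stream[i + 3:end].decode("latin-1")
            tail = stream[end:end + 11]  # suid(8) + flags(1) + field count(2)
            if len(tail) == 11 and _NAME.match(name):
                flags, nfields = tail[8], struct.unpack(">H", tail[9:11])[0]
                if flags & (SC_SERIALIZABLE | SC_EXTERNALIZABLE | SC_ENUM) and nfields < 256:
                    names.append(name)
                    i = end + 11
                    continue
        elif tc == TC_PROXYCLASSDESC and i + 5 <= len(stream):
            count = struct.unpack_from(">I", stream, i + 1)[0]
            j, ifaces = i + 5, []
            while 0 < count <= 32 and len(ifaces) < count and j + 2 <= len(stream):
                n = struct.unpack_from(">H", stream, j)[0]
                iface = stream[j + 2:j + 2 + n].decode("latin-1")
                if not _NAME.match(iface):
                    break
                ifaces.append(iface)
                j += 2 + n
            if count and len(ifaces) == count:  # dynamic proxy: list its interfaces
                names.append("$Proxy[" + ", ".join(ifaces) + "]")
                i = j
                continue
        i += 1
    return names


def triage(blob: bytes) -> dict:
    """One-call verdict for a request body, cookie or ViewState value."""
    stream = normalize(blob)
    classes = class_names(stream)
    return {"is_java_serialized": bool(stream), "classes": classes,
            "gadget_hits": sorted(set(classes) & GADGET_CLASSES)}


# --- constructed sample (made-up serialVersionUIDs), used for the demo below ---
def _utf(s: str) -> bytes:
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def _classdesc(name, suid, flags, fields, super_desc):
    """TC_CLASSDESC: name, serialVersionUID, flags, field descriptors, empty
    classAnnotation, superclass descriptor.  fields = (typecode, name, jvm type)."""
    body = b"".join(bytes([tc]) + _utf(fn) + (bytes([TC_STRING]) + _utf(ft) if ft else b"")
                    for tc, fn, ft in fields)
    return (bytes([TC_CLASSDESC]) + _utf(name) + struct.pack(">q", suid) + bytes([flags])
            + struct.pack(">H", len(fields)) + body + bytes([TC_ENDBLOCKDATA]) + super_desc)


SAMPLE = (
    MAGIC + bytes([TC_OBJECT])
    + _classdesc("org.apache.commons.collections.functors.InvokerTransformer",
                 0x1122334455667788, SC_SERIALIZABLE,
                 [(0x5B, "iArgs", "[Ljava/lang/Object;"),
                  (0x4C, "iMethodName", "Ljava/lang/String;"),
                  (0x5B, "iParamTypes", "[Ljava/lang/Class;")], bytes([TC_NULL]))
    + bytes([TC_NULL]) + bytes([TC_STRING]) + _utf("exec") + bytes([TC_NULL])  # field values
    + bytes([TC_OBJECT])
    + _classdesc("java.lang.Integer", 0x0102030405060708, SC_SERIALIZABLE, [(0x49, "value", None)],
                 _classdesc("java.lang.Number", 0x0807060504030201, SC_SERIALIZABLE, [], bytes([TC_NULL])))
    + struct.pack(">i", 7)
)
SAMPLE_B64 = base64.b64encode(SAMPLE)
SAMPLE_GZ_B64 = base64.b64encode(gzip.compress(SAMPLE))

if __name__ == "__main__":
    print(triage(SAMPLE_GZ_B64))
```

Feed it a suspicious cookie or ViewState value and look at `gadget_hits`; an empty `classes` list on a stream that is clearly serialized means the scan did not validate any descriptor, which is itself worth a manual look with a full parser such as SerializationDumper.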
##### JRE8u20_RCE_Gadget
[https://github.com/pwntester/JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget)

Pure JRE 8 RCE deserialization gadget

##### ACEDcup
[https://github.com/GrrrDog/ACEDcup](https://github.com/GrrrDog/ACEDcup)

File uploading via:
- Apache Commons FileUpload <= 1.3 (CVE-2013-2186) and Oracle JDK < 7u40

##### Universal billion-laughs DoS
[https://gist.github.com/coekie/a27cc406fc9f3dc7a70d](https://gist.github.com/coekie/a27cc406fc9f3dc7a70d)

Won't-fix DoS using only default Java (JRE) classes

##### Universal Heap overflows DoS using Arrays and HashMaps
[https://github.com/topolik/ois-dos/](https://github.com/topolik/ois-dos/)

How it works:
- [Java Deserialization DoS - payloads](http://topolik-at-work.blogspot.ru/2016/04/java-deserialization-dos-payloads.html)

Won't-fix DoS using only default Java (JRE) classes

##### DoS against Serialization Filtering (JEP-290)
- [CVE-2018-2677](https://www.waratek.com/waratek-identifies-two-new-deserialization-vulnerabilities-cve-2018-2677/)

##### Tools to search for gadgets in source
- [Gadget Inspector](https://github.com/JackOfMostTrades/gadgetinspector)
- [Article about Gadget Inspector](https://paper.seebug.org/1034/)

##### Additional tools to test RMI:
- [BaRMIe](https://github.com/NickstaDB/BaRMIe)
- [barmitzwa](https://github.com/mogwailabs/rmi-deserialization/blob/master/barmitzwa.groovy)
- [RMIScout](https://labs.bishopfox.com/tech-blog/rmiscout)
- [attackRmi](https://github.com/waderwu/attackRmi)
- [Remote Method Guesser](https://github.com/qtc-de/remote-method-guesser)

##### Remote class detection:
- [GadgetProbe: Exploiting Deserialization to Brute-Force the Remote Classpath](https://know.bishopfox.com/research/gadgetprobe)
- [GadgetProbe](https://github.com/BishopFox/GadgetProbe)

- [Remote Java classpath enumeration with EnumJavaLibs](https://www.redtimmy.com/web-application-hacking/remote-java-classpath-enumeration-with-enumjavalibs/)
- [EnumJavaLibs](https://github.com/redtimmy/EnumJavaLibs)

##### Library for creating Java serialization data
- [serial-builder](https://github.com/Marcono1234/serial-builder)

### Exploits

*no spec tool* below means no special tool is needed: Burp/ZAP plus a payload is enough.

##### RMI
- *Protocol*
- *Default - 1099/tcp for rmiregistry*
- partially patched in the JRE with JEP 290 (JDK 8u121, JDK 7u131, JDK 6u141)
- [Attacking Java RMI services after JEP 290](https://mogwailabs.de/en/blog/2019/03/attacking-java-rmi-services-after-jep-290/)
- [An Trinh's RMI Registry Bypass](https://mogwailabs.de/blog/2020/02/an-trinhs-rmi-registry-bypass/)
- [RMIScout](https://labs.bishopfox.com/tech-blog/rmiscout)

[ysoserial](#ysoserial)

[Additional tools](#additional-tools-to-test-rmi)

##### JMX
- *JMX on RMI*
  - [CVE-2016-3427](http://engineering.pivotal.io/post/java-deserialization-jmx/)
- partially patched in the JRE with JEP 290 (JDK 8u121, JDK 7u131, JDK 6u141)
- [Attacking RMI based JMX services (after JEP 290)](https://mogwailabs.de/blog/2019/04/attacking-rmi-based-jmx-services/)

[ysoserial](#ysoserial)

[mjet](https://github.com/mogwailabs/mjet)

[JexBoss](https://github.com/joaomatosf/jexboss)

##### JMXMP
- *Special JMX protocol*
- [The Curse of Old Java Libraries](https://www.acunetix.com/blog/web-security-zone/old-java-libraries/)

##### JNDI/LDAP
- When we control the address passed to a JNDI lookup (`context.lookup(address)`) and the server can connect back to us
- [Full info](#a-journey-from-jndildap-manipulation-to-remote-code-execution-dream-land)
- [JNDI remote code injection](http://zerothoughts.tumblr.com/post/137769010389/fun-with-jndi-remote-code-injection)
- [Exploiting JNDI Injections in Java](https://www.veracode.com/blog/research/exploiting-jndi-injections-java)

[https://github.com/zerothoughts/jndipoc](https://github.com/zerothoughts/jndipoc)

[https://github.com/welk1n/JNDI-Injection-Exploit](https://github.com/welk1n/JNDI-Injection-Exploit)

##### JMS
- [Full info](#pwning-your-java-messaging-with-deserialization-vulnerabilities)

[JMET](https://github.com/matthiaskaiser/jmet)

##### JSF ViewState
- if the ViewState is neither encrypted nor protected by a proper MAC

no spec tool

[JexBoss](https://github.com/joaomatosf/jexboss)

##### vjdbc
- JDBC-over-HTTP library
- all versions are vulnerable
- [Details](https://www.acunetix.com/blog/web-security-zone/old-java-libraries/)

no spec tool

##### T3 of Oracle Weblogic
- *Protocol*
- *Default - 7001/tcp on localhost interface*
- [CVE-2015-4852](https://www.vulners.com/search?query=CVE-2015-4852)
- [Blacklist bypass - CVE-2017-3248](https://www.tenable.com/security/research/tra-2017-07)
- [Blacklist bypass - CVE-2017-3248 PoC](https://github.com/quentinhardy/scriptsAndExploits/blob/master/exploits/weblogic/exploit-CVE-2017-3248-bobsecq.py)
- [Blacklist bypass - CVE-2018-2628](https://github.com/brianwrf/CVE-2018-2628)
- [Blacklist bypass - CVE-2018-2893](https://github.com/pyn3rd/CVE-2018-2893)
- [Blacklist bypass - CVE-2018-3245](https://blogs.projectmoon.pw/2018/10/19/Oracle-WebLogic-Two-RCE-Deserialization-Vulnerabilities/)
- [Blacklist bypass - CVE-2018-3191](https://mp.weixin.qq.com/s/ebKHjpbQcszAy_vPocW0Sg)
- [CVE-2019-2725](https://paper.seebug.org/910/)
- [CVE-2020-2555](https://www.thezdi.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server)
- [CVE-2020-2883](https://github.com/Y4er/CVE-2020-2883)
- [CVE-2020-2963](https://nvd.nist.gov/vuln/detail/CVE-2020-2963)
- [CVE-2020-14625](https://www.zerodayinitiative.com/advisories/ZDI-20-885/)
- [CVE-2020-14644](https://github.com/rufherg/WebLogic_Basic_Poc/tree/master/poc)
- [CVE-2020-14645](https://github.com/rufherg/WebLogic_Basic_Poc/tree/master/poc)
- [CVE-2020-14756](https://github.com/Y4er/CVE-2020-14756)
- [CVE-2020-14825](https://github.com/rufherg/WebLogic_Basic_Poc/tree/master/poc)
- [CVE-2020-14841](https://www.vulners.com/search?query=CVE-2020-14841)
- [CVE-2021-2394](https://github.com/BabyTeam1024/CVE-2021-2394)
- [SSRF JDBC](https://pyn3rd.github.io/2022/06/18/Weblogic-SSRF-Involving-Deserialized-JDBC-Connection/)
- [CVE-2023-21931](https://github.com/gobysec/Weblogic/blob/main/WebLogic_CVE-2023-21931_en_US.md)

[loubia](https://github.com/metalnas/loubia) (tested on 11g and 12c, supports t3s)

[JavaUnserializeExploits](https://github.com/foxglovesec/JavaUnserializeExploits) (doesn't work for all Weblogic versions)

[WLT3Serial](https://github.com/Bort-Millipede/WLT3Serial)

[CVE-2018-2628 sploit](https://github.com/brianwrf/CVE-2018-2628)

##### IIOP of Oracle Weblogic
- *Protocol*
- *Default - 7001/tcp on localhost interface*

- [CVE-2020-2551](https://www.vulners.com/search?query=CVE-2020-2551)
- [Details](https://paper.seebug.org/1130/)

[CVE-2020-2551 sploit](https://github.com/Y4er/CVE-2020-2551)

##### Oracle Weblogic (1)
- auth required
- [How it works](https://blogs.projectmoon.pw/2018/10/19/Oracle-WebLogic-Two-RCE-Deserialization-Vulnerabilities/)
- [CVE-2018-3252](https://www.vulners.com/search?query=CVE-2018-3252)

##### Oracle Weblogic (2)
- auth required
- [CVE-2021-2109](https://www.vulners.com/search?query=CVE-2021-2109)

[Exploit](https://packetstormsecurity.com/files/161053/Oracle-WebLogic-Server-14.1.1.0-Remote-Code-Execution.html)

##### Oracle Access Manager (1)
- [CVE-2021-35587](https://testbnull.medium.com/oracle-access-manager-pre-auth-rce-cve-2021-35587-analysis-1302a4542316)

##### Oracle ADF Faces
- [CVE-2022-21445](https://peterjson.medium.com/miracle-one-vulnerability-to-rule-them-all-c3aed9edeea2)
- /appcontext/afr/test/remote/payload/

no spec tool

##### IBM Websphere (1)
- *wsadmin*
- *Default port - 8880/tcp*
- [CVE-2015-7450](https://www.vulners.com/search?query=CVE-2015-7450)

[JavaUnserializeExploits](https://github.com/foxglovesec/JavaUnserializeExploits)

[serialator](https://github.com/roo7break/serialator)

[CoalfireLabs/java_deserialization_exploits](https://github.com/Coalfire-Research/java-deserialization-exploits/tree/master/WebSphere)

##### IBM Websphere (2)
- When using custom form authentication
- WASPostParam cookie
- [Full info](https://lab.mediaservice.net/advisory/2016-02-websphere.txt)

no spec tool

##### IBM Websphere (3)
- IBM WAS DMGR
- special port
- [CVE-2019-4279](https://www.vulners.com/search?query=CVE-2019-4279)
- [ibm10883628](https://www-01.ibm.com/support/docview.wss?uid=ibm10883628)
- [Exploit](https://vulners.com/exploitdb/EDB-ID:46969?)

Metasploit

##### IIOP of IBM Websphere
- *Protocol*
- *Default ports - 2809, 9100, 9402, 9403*
- [CVE-2020-4450](https://www.vulners.com/search?query=CVE-2020-4450)
- [CVE-2020-4449](https://www.vulners.com/search?query=CVE-2020-4449)
- [Abusing Java Remote Protocols in IBM WebSphere](https://www.thezdi.com/blog/2020/7/20/abusing-java-remote-protocols-in-ibm-websphere)
- [Vuln Details](https://www.freebuf.com/vuls/246928.html)

##### Red Hat JBoss (1)
- *http://jboss_server/invoker/JMXInvokerServlet*
- *Default port - 8080/tcp*
- [CVE-2015-7501](https://www.vulners.com/search?query=CVE-2015-7501)

[JavaUnserializeExploits](https://github.com/foxglovesec/JavaUnserializeExploits)

[https://github.com/njfox/Java-Deserialization-Exploit](https://github.com/njfox/Java-Deserialization-Exploit)

[serialator](https://github.com/roo7break/serialator)

[JexBoss](https://github.com/joaomatosf/jexboss)

##### Red Hat JBoss 6.X
- *http://jboss_server/invoker/readonly*
- *Default port - 8080/tcp*
- [CVE-2017-12149](https://www.vulners.com/search?query=CVE-2017-12149)
- JBoss 6.X and EAP 5.X
- [Details](https://github.com/joaomatosf/JavaDeserH2HC)

no spec tool

##### Red Hat JBoss 4.x
- *http://jboss_server/jbossmq-httpil/HTTPServerILServlet/*
- <= 4.x
- [CVE-2017-7504](https://www.vulners.com/search?query=CVE-2017-7504)

no spec tool

##### Jenkins (1)
- *Jenkins CLI*
- *Default port - High number/tcp*
- [CVE-2015-8103](https://www.vulners.com/search?query=CVE-2015-8103)
- [CVE-2015-3253](https://www.vulners.com/search?query=CVE-2015-3253)

[JavaUnserializeExploits](https://github.com/foxglovesec/JavaUnserializeExploits)

[JexBoss](https://github.com/joaomatosf/jexboss)

##### Jenkins (2)
- patch "bypass" for [Jenkins (1)](#jenkins-1)
- [CVE-2016-0788](https://www.vulners.com/search?query=CVE-2016-0788)
- [Details of exploit](https://www.insinuator.net/2016/07/jenkins-remoting-rce-ii-the-return-of-the-ysoserial/)

[ysoserial](#ysoserial)

##### Jenkins (3)
- *Jenkins CLI LDAP*
- *Default port - High number/tcp*
- <= 2.32
- <= 2.19.3 (LTS)
- [CVE-2016-9299](https://www.vulners.com/search?query=CVE-2016-9299)

##### CloudBees Jenkins
- <= 2.32.1
- [CVE-2017-1000353](https://www.vulners.com/search?query=CVE-2017-1000353)
- [Details](https://blogs.securiteam.com/index.php/archives/3171)

[Sploit](https://blogs.securiteam.com/index.php/archives/3171)

##### JetBrains TeamCity
- RMI

[ysoserial](#ysoserial)

##### Restlet
- *<= 2.1.2*
- *When the REST API accepts serialized objects (uses ObjectRepresentation)*

no spec tool

##### RESTEasy
- *When the REST API accepts serialized objects (uses @Consumes({"\*/\*"}) or "application/\*")*
- [Details and examples](https://0ang3el.blogspot.ru/2016/06/note-about-security-of-resteasy-services.html)

no spec tool

##### OpenNMS (1)
- RMI

[ysoserial](#ysoserial)

##### OpenNMS (2)
- [CVE-2020-12760/NMS-12673](https://issues.opennms.org/browse/NMS-12673)
- [JMS](#jms)

[JMET](https://github.com/matthiaskaiser/jmet)

##### Progress OpenEdge RDBMS
- all versions
- RMI

[ysoserial](#ysoserial)

##### Commvault Edge Server
- [CVE-2015-7253](https://www.vulners.com/search?query=CVE-2015-7253)
- Serialized object in cookie

no spec tool

##### Symantec Endpoint Protection Manager
- */servlet/ConsoleServlet?ActionType=SendStatPing*
- [CVE-2015-6555](https://www.vulners.com/search?query=CVE-2015-6555)

[serialator](https://github.com/roo7break/serialator)

##### Oracle MySQL Enterprise Monitor
- *https://[target]:18443/v3/dataflow/0/0*
- [CVE-2016-3461](http://www.tenable.com/security/research/tra-2016-11)

no spec tool

[serialator](https://github.com/roo7break/serialator)

##### PowerFolder Business Enterprise Suite
- custom(?) protocol (1337/tcp)
- [MSA-2016-01](http://lab.mogwaisecurity.de/advisories/MSA-2016-01/)

[powerfolder-exploit-poc](https://github.com/h0ng10/powerfolder-exploit-poc)

##### Solarwinds Virtualization Manager
- <= 6.3.1
- RMI
- [CVE-2016-3642](https://www.vulners.com/search?query=CVE-2016-3642)

[ysoserial](#ysoserial)

##### Cisco Prime Infrastructure
- *https://[target]/xmp_data_handler_service/xmpDataOperationRequestServlet*
- <= 2.2.3 Update 4
- <= 3.0.2
- [CVE-2016-1291](https://www.vulners.com/search?query=CVE-2016-1291)

[CoalfireLabs/java_deserialization_exploits](https://github.com/Coalfire-Research/java-deserialization-exploits/tree/master/CiscoPrime)

##### Cisco ACS
- <= 5.8.0.32.2
- RMI (2020/tcp)
- [CSCux34781](https://quickview.cloudapps.cisco.com/quickview/bug/CSCux34781)

[ysoserial](#ysoserial)

##### Cisco Unity Express
- RMI (port 1099/tcp)
- version < 9.0.6
- [CVE-2018-15381](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-cue)

[ysoserial](#ysoserial)

##### Cisco Unified CVP
- RMI (2098 and 2099)
- [Details](https://www.redtimmy.com/java-hacking/jmx-rmi-multiple-applications-rce/)

[ysoserial](#ysoserial)

##### NASDAQ BWISE
- RMI (port 81/tcp)
- [Details](https://www.redtimmy.com/java-hacking/jmx-rmi-multiple-applications-rce/)
- [CVE-2018-11247](https://www.vulners.com/search?query=CVE-2018-11247)

[ysoserial](#ysoserial)

##### NICE ENGAGE PLATFORM
- JMX (port 6338/tcp)
- [Details](https://www.redtimmy.com/java-hacking/jmx-rmi-multiple-applications-rce/)
- [CVE-2019-7727](https://www.vulners.com/search?query=CVE-2019-7727)

##### Apache Cassandra
- JMX (port 7199/tcp)
- [Details](https://www.redtimmy.com/java-hacking/jmx-rmi-multiple-applications-rce/)
- [CVE-2018-8016](https://www.vulners.com/search?query=CVE-2018-8016)

##### Cloudera Zookeeper
- JMX (port 9010/tcp)
- [Details](https://www.redtimmy.com/java-hacking/jmx-rmi-multiple-applications-rce/)

##### Apache Olingo
- version < 4.7.0
- [CVE-2019-17556](https://www.vulners.com/search?query=CVE-2019-17556)
- [Details and examples](https://blog.gypsyengineer.com/en/security/cve-2019-17556-unsafe-deserialization-in-apache-olingo.html)

no spec tool

##### Apache Dubbo
- [CVE-2019-17564](https://www.vulners.com/search?query=CVE-2019-17564)
- [Details and examples](https://www.checkmarx.com/blog/apache-dubbo-unauthenticated-remote-code-execution-vulnerability)

no spec tool

##### Apache XML-RPC
- all versions, no fix (the project is no longer maintained)
- POST XML request with element
- [Details and examples](https://0ang3el.blogspot.ru/2016/07/beware-of-ws-xmlrpc-library-in-your.html)

no spec tool

##### Apache Archiva
- because it uses [Apache XML-RPC](#apache-xml-rpc)
- [CVE-2016-5004](https://www.vulners.com/search?query=CVE-2016-5004)
- [Details and examples](https://0ang3el.blogspot.ru/2016/07/beware-of-ws-xmlrpc-library-in-your.html)

no spec tool

##### SAP NetWeaver
- *https://[target]/developmentserver/metadatauploader*
- [CVE-2017-9844](https://erpscan.com/advisories/erpscan-17-014-sap-netweaver-java-deserialization-untrusted-user-value-metadatauploader/)

[PoC](https://github.com/vah13/SAP_vulnerabilities/tree/5995daf7bac2e01a63dc57dcf5bbab70489bf6bb/CVE-2017-9844)

##### SAP Hybris
- */virtualjdbc/*
- [CVE-2019-0344](https://www.vulners.com/search?query=CVE-2019-0344)

no spec tool

##### Sun Java Web Console
- admin panel for Solaris
- < v3.1
- [old DoS sploit](https://www.ikkisoft.com/stuff/SJWC_DoS.java)

no spec tool

##### Apache MyFaces Trinidad
- 1.0.0 <= version < 1.0.13
- 1.2.1 <= version < 1.2.14
- 2.0.0 <= version < 2.0.1
- 2.1.0 <= version < 2.1.1
- it does not check the MAC
- [CVE-2016-5019](https://www.vulners.com/search?query=CVE-2016-5019)

no spec tool

##### JBoss Richfaces
- Variation of exploitation of CVE-2018-12532
- [When EL Injection meets Java Deserialization](https://blog.tint0.com/2019/03/when-el-injection-meets-java-deserialization.html)

##### Apache Tomcat JMX
- JMX
- [Patch bypass](http://seclists.org/oss-sec/2016/q4/502)
- [CVE-2016-8735](https://www.vulners.com/search?query=CVE-2016-8735)

[JexBoss](https://github.com/joaomatosf/jexboss)

##### OpenText Documentum D2
- *version 4.x*
- [CVE-2017-5586](https://www.vulners.com/search?query=CVE-2017-5586)

[exploit](https://www.exploit-db.com/exploits/41366/)

##### Liferay
- */api/spring*
- */api/liferay*
- <= 7.0-ga3
- if the IP check works incorrectly
- [Details](https://www.tenable.com/security/research/tra-2017-01)

no spec tool

##### ScrumWorks Pro
- */UFC*
- <= 6.7.0
- [Details](https://blogs.securiteam.com/index.php/archives/3387)

[PoC](https://blogs.securiteam.com/index.php/archives/3387)

##### ManageEngine Applications Manager
- version
- RMI
- [CVE-2016-9498](https://www.vulners.com/search?query=CVE-2016-9498)

[ysoserial](#ysoserial)

##### ManageEngine OpManager
- version < 12.5.329
- [Details with exploit CVE-2020-28653/CVE-2021-3287](https://haxolot.com/posts/2021/manageengine_opmanager_pre_auth_rce/)

##### ManageEngine Desktop Central
- version < 10.0.474
- [CVE-2020-10189](https://www.vulners.com/search?query=CVE-2020-10189)

[MSF exploit](https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/HTTP/DESKTOPCENTRAL_DESERIALIZATION)

##### Apache Shiro
- [SHIRO-550](https://issues.apache.org/jira/browse/SHIRO-550)
- encrypted cookie (with a hardcoded key)
- [Exploitation (in Chinese)](http://blog.knownsec.com/2016/08/apache-shiro-java/)

##### HP IMC (Intelligent Management Center)
- WebDMDebugServlet
- <= 7.3 E0504P2
- [CVE-2017-12557](https://www.vulners.com/search?query=CVE-2017-12557)

[Metasploit module](https://www.exploit-db.com/exploits/45952)

##### HP IMC (Intelligent Management Center)
- RMI
- <= 7.3 E0504P2
- [CVE-2017-5792](https://www.vulners.com/search?query=CVE-2017-5792)

[ysoserial](#ysoserial)

##### Apache Brooklyn
- Non-default config
- [JMXMP](#jmxmp)

##### Elassandra
- Non-default config
- [JMXMP](#jmxmp)

##### Micro Focus
- [CVE-2020-11853](https://www.vulners.com/search?query=CVE-2020-11853)
- [Vulnerability analysis](https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBM.md)

Affected products:
- Operations Bridge Manager versions: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, versions 10.6x and 10.1x and older versions
- Application Performance Management versions: 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3
- Data Center Automation version 2019.11
- Operations Bridge (containerized) versions: 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11
- Universal CMDB versions: 2020.05, 2019.11, 2019.05, 2019.02, 2018.11, 2018.08, 2018.05, 11, 10.33, 10.32, 10.31, 10.30
- Hybrid Cloud Management version 2020.05
- Service Management Automation versions 2020.5 and 2020.02

[Metasploit Exploit](https://github.com/rapid7/metasploit-framework/pull/14671)

##### IBM Qradar (1)
- [CVE-2020-4280](https://www.vulners.com/search?query=CVE-2020-4280)
- [Exploitation](https://www.securify.nl/advisory/java-deserialization-vulnerability-in-qradar-remotejavascript-servlet)

##### IBM Qradar (2)
- */console/remoteJavaScript*
- [CVE-2020-4888](https://www.vulners.com/search?query=CVE-2020-4888)

[Exploit](https://gist.github.com/testanull/e9ba06d0c0c403402f6941fe2dbb868a)

##### IBM InfoSphere JReport
- RMI
- port 58611
- <= 8.5.0.0 (all)
- [Exploitation details](https://n4nj0.github.io/advisories/ibm-infosphere-java-deserialization/)

##### Apache Kafka
- connect-api
- [Vulnerability analysis](https://www.programmersought.com/article/76446714621/)

##### Zoho ManageEngine ADSelfService Plus
- [CVE-2020-11518](https://www.vulners.com/search?query=CVE-2020-11518)
- [Exploitation](https://honoki.net/2020/08/10/cve-2020-11518-how-i-bruteforced-my-way-into-your-active-directory/)

##### Apache ActiveMQ - Client lib
- [JMS](#jms)

[JMET](https://github.com/matthiaskaiser/jmet)

##### Redhat/Apache HornetQ - Client lib
- [JMS](#jms)

[JMET](https://github.com/matthiaskaiser/jmet)

##### Oracle OpenMQ -
Client lib 760 | - [JMS](#jms) 761 | 762 | [JMET](https://github.com/matthiaskaiser/jmet) 763 | 764 | ##### IBM WebSphereMQ - Client lib 765 | - [JMS](#jms) 766 | 767 | [JMET](https://github.com/matthiaskaiser/jmet) 768 | 769 | ##### Oracle Weblogic - Client lib 770 | - [JMS](#jms) 771 | 772 | [JMET](https://github.com/matthiaskaiser/jmet) 773 | 774 | ##### Pivotal RabbitMQ - Client lib 775 | - [JMS](#jms) 776 | 777 | [JMET](https://github.com/matthiaskaiser/jmet) 778 | 779 | ##### IBM MessageSight - Client lib 780 | - [JMS](#jms) 781 | 782 | [JMET](https://github.com/matthiaskaiser/jmet) 783 | 784 | ##### IIT Software SwiftMQ - Client lib 785 | - [JMS](#jms) 786 | 787 | [JMET](https://github.com/matthiaskaiser/jmet) 788 | 789 | ##### Apache ActiveMQ Artemis - Client lib 790 | - [JMS](#jms) 791 | 792 | [JMET](https://github.com/matthiaskaiser/jmet) 793 | 794 | ##### Apache QPID JMS - Client lib 795 | - [JMS](#jms) 796 | 797 | [JMET](https://github.com/matthiaskaiser/jmet) 798 | 799 | ##### Apache QPID - Client lib 800 | - [JMS](#jms) 801 | 802 | [JMET](https://github.com/matthiaskaiser/jmet) 803 | 804 | ##### Amazon SQS Java Messaging - Client lib 805 | - [JMS](#jms) 806 | 807 | [JMET](https://github.com/matthiaskaiser/jmet) 808 | 809 | ##### Axis/Axis2 SOAPMonitor 810 | - All version (this was deemed by design by project maintainer) 811 | - Binary 812 | - Default port : 5001 813 | - Info : https://axis.apache.org/axis2/java/core/docs/soapmonitor-module.html 814 | 815 | > java -jar ysoserial-*-all.jar CommonsCollections1 'COMMAND_HERE' | nc TARGET_SERVER 5001 816 | 817 | [ysoserial](#ysoserial) 818 | 819 | ##### Apache Synapse 820 | - <= 3.0.1 821 | - RMI 822 | - [Exploit](https://github.com/iBearcat/CVE-2017-15708) 823 | 824 | [ysoserial](#ysoserial) 825 | 826 | ##### Apache Jmeter 827 | - <= 3.0.1 828 | - RMI 829 | - When using Distributed Test only 830 | - [Exploit](https://github.com/iBearcat/CVE-2018-1297) 831 | 832 | [ysoserial](#ysoserial) 833 | 834 | ##### 
Jolokia 835 | - <= 1.4.0 836 | - JNDI injection 837 | - /jolokia/ 838 | - [Exploit](https://blog.gdssecurity.com/labs/2018/4/18/jolokia-vulnerabilities-rce-xss.html) 839 | 840 | ##### RichFaces 841 | - all versions 842 | - [Poor RichFaces](https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html) 843 | - [When EL Injection meets Java Deserialization](https://tint0.com/when-el-injection-meets-java-deserialization/) 844 | 845 | ##### Apache James 846 | - < 3.0.1 847 | - [Analysis of CVE-2017-12628](https://nickbloor.co.uk/2017/10/22/analysis-of-cve-2017-12628/) 848 | 849 | [ysoserial](#ysoserial) 850 | 851 | ##### Oracle DB 852 | - <= Oracle 12C 853 | - [CVE-2018-3004 - Oracle Privilege Escalation via Deserialization](http://obtruse.syfrtext.com/2018/07/oracle-privilege-escalation-via.html) 854 | 855 | ##### Zimbra Collaboration 856 | - < 8.7.0 857 | - [CVE-2016-3415](https://www.vulners.com/search?query=CVE-2016-3415) 858 | - <= 8.8.11 859 | - [A Saga of Code Executions on Zimbra](https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html) 860 | 861 | ##### Adobe ColdFusion (1) 862 | - <= 2016 Update 4 863 | - <= 11 update 12 864 | - [CVE-2017-11283](https://www.vulners.com/search?query=CVE-2017-11283) 865 | - [CVE-2017-11284](https://www.vulners.com/search?query=CVE-2017-11284) 866 | 867 | ##### Adobe ColdFusion (2) 868 | - RMI 869 | - <= 2016 Update 5 870 | - <= 11 update 13 871 | - [Another ColdFusion RCE – CVE-2018-4939](https://nickbloor.co.uk/2018/06/18/another-coldfusion-rce-cve-2018-4939/) 872 | - [CVE-2018-4939](https://www.vulners.com/search?query=CVE-2018-4939) 873 | 874 | ##### Adobe ColdFusion (3) / JNBridge 875 | - custom protocol in JNBridge 876 | - port 6093 or 6095 877 | - <= 2016 Update ? 878 | - <= 2018 Update ? 
879 | - [APSB19-17](https://helpx.adobe.com/security/products/coldfusion/apsb19-27.html) 880 | - [CVE-2019-7839: ColdFusion Code Execution Through JNBridge](https://www.zerodayinitiative.com/blog/2019/7/25/cve-2019-7839-coldfusion-code-execution-through-jnbridge) 881 | 882 | ##### Apache SOLR (1) 883 | - [SOLR-8262](https://issues.apache.org/jira/browse/SOLR-8262) 884 | - 5.1 <= version <=5.4 885 | - /stream handler uses Java serialization for RPC 886 | 887 | ##### Apache SOLR (2) 888 | - [SOLR-13301](https://issues.apache.org/jira/browse/SOLR-13301) 889 | - [CVE-2019-0192](https://www.vulners.com/search?query=CVE-2019-0192) 890 | - version: 5.0.0 to 5.5.5 891 | - version: 6.0.0 to 6.6.5 892 | - Attack via jmx.serviceUrl 893 | - [Exploit](https://github.com/mpgn/CVE-2019-0192) 894 | 895 | ##### Adobe Experience Manager AEM 896 | - 5.5 - 6.1 (?) 897 | - /lib/dam/cloud/proxy.json parameter `file` 898 | - [ExternalJobPostServlet](https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=102) 899 | 900 | ##### MySQL Connector/J 901 | - version < 5.1.41 902 | - when "autoDeserialize" is set on 903 | - [CVE-2017-3523](https://www.computest.nl/advisories/CT-2017-0425_MySQL-Connector-J.txt) 904 | 905 | 906 | ##### Pitney Bowes Spectrum 907 | - RMI 908 | - [Java RMI Server Insecure Default Configuration](https://support.pitneybowes.com/VFP06_KnowledgeWithSidebarTroubleshoot?id=kA280000000PEmXCAW&popup=false&lang=en_US) 909 | 910 | ##### SmartBear ReadyAPI 911 | - RMI 912 | - [SYSS-2019-039](https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-039.txt) 913 | 914 | ##### NEC ESMPRO Manager 915 | - RMI 916 | - [CVE-2020-10917](https://www.vulners.com/search?query=CVE-2020-10917) 917 | - [ZDI-20-684](https://www.zerodayinitiative.com/advisories/ZDI-20-684/) 918 | 919 | ##### Apache OFBiz 920 | - RMI 921 | - [cve-2021-26295](https://www.vulners.com/search?query=cve-2021-26295) 922 | - 
[Exploit](https://github.com/zhzyker/exphub/tree/master/ofbiz) 923 | 924 | ##### NetMotion Mobility 925 | - < 11.73 926 | - < 12.02 927 | - [NetMotion Mobility Server Multiple Deserialization of Untrusted Data Lead to RCE](https://www.vulners.com/search?query=CVE-2021-26914) 928 | - [CVE-2021-26914](https://ssd-disclosure.com/ssd-advisory-netmotion-mobility-server-multiple-deserialization-of-untrusted-data-lead-to-rce/) 929 | 930 | [ysoserial](#ysoserial) 931 | Metasploit Exploit: exploit/windows/http/netmotion_mobility_mvcutil_deserialization 932 | 933 | ##### Bonita 934 | - [Bonita serverAPI](http://mp.weixin.qq.com/s?__biz=Mzg3MTU0MjkwNw==&mid=2247490269&idx=1&sn=78357c8687101d66f11b98e91afac184&chksm=cefda3c9f98a2adfee40ec062470bacd46d6b42ea2069d62f93a3022eb197713668d2580e1bb&mpshare=1&scene=23&srcid=0530bEaTknyeozALkFfAbvgH&sharer_sharetime=1653965254260&sharer_shareid=4ab8b98c0a9c5866b3e90483ff7445f3#rd) 935 | - /bonita/serverAPI/ 936 | 937 | [ysoserial](#ysoserial) 938 | 939 | ##### Neo4j 940 | - <= 3.4.18 (with the shell server enabled) 941 | - RMI 942 | - [Exploit for CVE-2021-34371](https://www.exploit-db.com/exploits/50170) 943 | 944 | ##### Bitbucket Data Center 945 | - port 5701 (Hazelcast) 946 | - similar to CVE-2016-10750 947 | - [Exploit for CVE-2022-26133](https://github.com/snowyyowl/writeups/tree/main/CVE-2022-26133) 948 | 949 | ##### Jira Data Center / Jira Service Management Data Center 950 | - RMI of Ehcache 951 | - [CVE-2020-36239](https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html) 952 | 953 | ##### Nomulus 954 | - patched 955 | - [Details of exloitation](https://irsl.medium.com/the-nomulus-rift-935a3c4d9300) 956 | 957 | ### Detect 958 | ##### Code review 959 | - *ObjectInputStream.readObject* 960 | - *ObjectInputStream.readUnshared* 961 | - Tool: [Find Security Bugs](http://find-sec-bugs.github.io/) 962 | - Tool: 
[Serianalyzer](https://github.com/mbechler/serianalyzer) 963 | 964 | ##### Traffic 965 | - *Magic bytes 'ac ed 00 05' bytes* 966 | - *'rO0' for Base64* 967 | - *'application/x-java-serialized-object' for Content-Type header* 968 | 969 | ##### Network 970 | - Nmap >=7.10 has more java-related probes 971 | - use nmap --all-version to find JMX/RMI on non-standart ports 972 | 973 | ##### Burp plugins 974 | - [JavaSerialKiller](https://github.com/NetSPI/JavaSerialKiller) 975 | - [Java Deserialization Scanner](https://github.com/federicodotta/Java-Deserialization-Scanner) 976 | - [Burp-ysoserial](https://github.com/summitt/burp-ysoserial) 977 | - [SuperSerial](https://github.com/DirectDefense/SuperSerial) 978 | - [SuperSerial-Active](https://github.com/DirectDefense/SuperSerial-Active) 979 | - [Freddy](https://github.com/nccgroup/freddy) 980 | 981 | ### Vulnerable apps (without public sploits/need more info) 982 | 983 | ##### Spring Service Invokers (HTTP, JMS, RMI...) 984 | - [Details](https://www.tenable.com/security/research/tra-2016-20) 985 | 986 | ##### SAP P4 987 | - [info from slides](#java-deserialization-vulnerabilities---the-forgotten-bug-class) 988 | 989 | ##### Apache ActiveMQ (2) 990 | - [*CVE-2015-5254*](http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt) 991 | - *<= 5.12.1* 992 | - [*Explanation of the vuln*](https://srcclr.com/security/deserialization-untrusted-data/java/s-1893) 993 | - [CVE-2015-7253](https://www.vulners.com/search?query=CVE-2015-7253) 994 | 995 | ##### Atlassian Bamboo (1) 996 | - [CVE-2015-6576](https://confluence.atlassian.com/x/Hw7RLg) 997 | - *2.2 <= version < 5.8.5* 998 | - *5.9.0 <= version < 5.9.7* 999 | 1000 | ##### Atlassian Bamboo (2) 1001 | - [*CVE-2015-8360*](https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html) 1002 | - *2.3.1 <= version < 5.9.9* 1003 | - Bamboo JMS port (port 54663 by default) 1004 | 1005 | ##### Atlassian Jira 1006 | - only Jira with a 
Data Center license 1007 | - RMI (port 40001 by default) 1008 | - [*JRA-46203*](https://jira.atlassian.com/browse/JRA-46203) 1009 | 1010 | ##### Akka 1011 | - *version < 2.4.17* 1012 | - "an ActorSystem exposed via Akka Remote over TCP" 1013 | - [Official description](http://doc.akka.io/docs/akka/2.4/security/2017-02-10-java-serialization.html) 1014 | 1015 | ##### Spring AMPQ 1016 | - [CVE-2016-2173](http://pivotal.io/security/cve-2016-2173) 1017 | - *1.0.0 <= version < 1.5.5* 1018 | 1019 | ##### Apache Tika 1020 | - [CVE-2016-6809](https://lists.apache.org/thread.html/93618b15cdf3b38fa1f0bfc0c8c7cf384607e552935bd3db2e322e07@%3Cdev.tika.apache.org%3E) 1021 | - *1.6 <= version < 1.14* 1022 | - Apache Tika’s MATLAB Parser 1023 | 1024 | ##### Apache HBase 1025 | - [HBASE-14799](https://issues.apache.org/jira/browse/HBASE-14799) 1026 | 1027 | ##### Apache Camel 1028 | - [CVE-2015-5348](https://www.vulners.com/search?query=CVE-2015-5348) 1029 | 1030 | ##### Apache Dubbo 1031 | - [CVE-2020-1948](https://www.vulners.com/search?query=CVE-2020-1948) 1032 | - [<=2.7.7](https://lists.apache.org/thread.html/rd4931b5ffc9a2b876431e19a1bffa2b4c14367260a08386a4d461955%40%3Cdev.dubbo.apache.org%3E) 1033 | 1034 | ##### Apache Spark 1035 | - [SPARK-20922: Unsafe deserialization in Spark LauncherConnection](https://issues.apache.org/jira/browse/SPARK-20922) 1036 | 1037 | ##### Apache Spark 1038 | - [SPARK-11652: Remote code execution with InvokerTransformer](https://issues.apache.org/jira/browse/SPARK-11652) 1039 | 1040 | ##### Apache Log4j (1) 1041 | - as server 1042 | - [CVE-2017-5645](https://vulners.com/search?query=CVE-2017-5645) 1043 | 1044 | ##### Apache Log4j (2) 1045 | - *<= 1.2.17* 1046 | - [CVE-2019-17571](https://vulners.com/search?query=CVE-2019-17571) 1047 | 1048 | ##### Apache Geode 1049 | - [CVE-2017-15692](https://vulners.com/search?query=CVE-2017-15692) 1050 | - [CVE-2017-15693](https://vulners.com/search?query=CVE-2017-15693) 1051 | - 
[Details](https://securitylab.github.com/research/in-memory-data-grid-vulnerabilities) 1052 | 1053 | ##### Apache Ignite 1054 | - [CVE-2018-1295](https://vulners.com/search?query=CVE-2018-1295) 1055 | - [CVE-2018-8018](https://vulners.com/search?query=CVE-2018-8018) 1056 | - [Details](https://securitylab.github.com/research/in-memory-data-grid-vulnerabilities) 1057 | 1058 | ##### Infinispan 1059 | - [CVE-2017-15089](https://vulners.com/search?query=CVE-2017-15089) 1060 | - [Details](https://securitylab.github.com/research/in-memory-data-grid-vulnerabilities) 1061 | 1062 | ##### Hazelcast 1063 | - [CVE-2016-10750](https://vulners.com/search?query=CVE-2016-10750) 1064 | - [Details](https://securitylab.github.com/research/in-memory-data-grid-vulnerabilities) 1065 | 1066 | ##### Gradle (gui) 1067 | - custom(?) protocol(60024/tcp) 1068 | - [article](http://philwantsfish.github.io/security/java-deserialization-github) 1069 | 1070 | ##### Oracle Hyperion 1071 | - [from slides](#java-deserialization-vulnerabilities---the-forgotten-bug-class) 1072 | 1073 | ##### Oracle Application Testing Suite 1074 | - [CVE-2015-7501](http://www.tenable.com/plugins/index.php?view=single&id=90859) 1075 | 1076 | ##### Red Hat JBoss BPM Suite 1077 | - [RHSA-2016-0539](http://rhn.redhat.com/errata/RHSA-2016-0539.html) 1078 | - [CVE-2016-2510](https://www.vulners.com/search?query=CVE-2016-2510) 1079 | 1080 | ##### Red Hat Wildfly 1081 | - [CVE-2020-10740](https://www.vulners.com/search?query=CVE-2020-10740) 1082 | 1083 | ##### VMWare vRealize Operations 1084 | - 6.0 <= version < 6.4.0 1085 | - REST API 1086 | - [VMSA-2016-0020](http://www.vmware.com/security/advisories/VMSA-2016-0020.html) 1087 | - [CVE-2016-7462](https://www.vulners.com/search?query=CVE-2016-7462) 1088 | 1089 | ##### VMWare vCenter/vRealize (various) 1090 | - [CVE-2015-6934](https://www.vulners.com/search?query=CVE-2015-6934) 1091 | - [VMSA-2016-0005](http://www.vmware.com/security/advisories/VMSA-2016-0005.html) 1092 | - JMX 

##### Cisco (various)
- [List of vulnerable products](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization)
- [CVE-2015-6420](https://www.vulners.com/search?query=CVE-2015-6420)

##### Cisco Security Manager
- [CVE-2020-27131](https://www.vulners.com/search?query=CVE-2020-27131)

##### Lexmark Markvision Enterprise
- [CVE-2016-1487](http://support.lexmark.com/index?page=content&id=TE747&locale=en&userlocale=EN_US)

##### McAfee ePolicy Orchestrator
- [CVE-2015-8765](https://www.vulners.com/search?query=CVE-2015-8765)

##### HP IMC PLAT
- version 7.3 E0506P09 and earlier
- [several CVE-2019-x](https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03930en_us&withFrame)

##### HP iMC
- [CVE-2016-4372](https://www.vulners.com/search?query=CVE-2016-4372)

##### HP Operations Orchestration
- [CVE-2016-1997](https://www.vulners.com/search?query=CVE-2016-1997)

##### HP Asset Manager
- [CVE-2016-2000](https://www.vulners.com/search?query=CVE-2016-2000)

##### HP Service Manager
- [CVE-2016-1998](https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05054565)

##### HP Operations Manager
- [CVE-2016-1985](https://h20565.www2.hpe.com/hpsc/doc/public/display?calledBy=Search_Result&docId=emr_na-c04953244&docLocale=en_US)

##### HP Release Control
- [CVE-2016-1999](https://h20565.www2.hpe.com/hpsc/doc/public/display?calledBy=Search_Result&docId=emr_na-c05063986&docLocale=en_US)

##### HP Continuous Delivery Automation
- [CVE-2016-1986](https://h20565.www2.hpe.com/hpsc/doc/public/display?calledBy=Search_Result&docId=emr_na-c04958567&docLocale=en_US)

##### HP P9000, XP7 Command View Advanced Edition (CVAE) Suite
- [CVE-2016-2003](https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05085438)

##### HP Network Automation
- [CVE-2016-4385](https://www.vulners.com/search?query=CVE-2016-4385)

##### Adobe Experience Manager
- [CVE-2016-0958](https://www.vulners.com/search?query=CVE-2016-0958)

##### Unify OpenScape (various)
- [CVE-2015-8237](https://www.vulners.com/search?query=CVE-2015-8237) (CVE ID changed?)
- RMI (30xx/tcp)
- [CVE-2015-8238](https://www.vulners.com/search?query=CVE-2015-8238) (CVE ID changed?)
- js-soc protocol (4711/tcp)
- [Details](https://networks.unify.com/security/advisories/OBSO-1511-01.pdf)

##### Apache OFBiz (1)
- [CVE-2016-2170](https://blogs.apache.org/ofbiz/date/20160405)

##### Apache OFBiz (2)
- [CVE-2020-9496](https://www.vulners.com/search?query=CVE-2020-9496)

##### Apache Tomcat (1)
- requires local access
- [CVE-2016-0714](https://www.vulners.com/search?query=CVE-2016-0714)
- [Article](http://engineering.pivotal.io/post/java-deserialization-jmx/)

##### Apache Tomcat (2)
- many requirements
- [Apache Tomcat Remote Code Execution via session persistence](https://seclists.org/oss-sec/2020/q2/136)
- [CVE-2020-9484](https://www.vulners.com/search?query=CVE-2020-9484)

##### Apache TomEE
- [CVE-2016-0779](https://www.vulners.com/search?query=CVE-2016-0779)

##### IBM Cognos BI
- [CVE-2012-4858](https://www.vulners.com/search?query=CVE-2012-4858)

##### IBM Maximo Asset Management
- [CVE-2020-4521](https://www.ibm.com/support/pages/node/6332587)

##### Novell NetIQ Sentinel
- [CVE-2016-1000031](https://www.zerodayinitiative.com/advisories/ZDI-16-570/)

##### ForgeRock OpenAM
- *9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0*
- [201505-01](https://forgerock.org/2015/07/openam-security-advisory-201505/)

##### F5 (various)
- [sol30518307](https://support.f5.com/kb/en-us/solutions/public/k/30/sol30518307.html)

##### Hitachi (various)
- [HS16-010](http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS16-010/index.html)
- [0328_acc](http://www.hitachi.co.jp/products/it/storage-solutions/global/sec_info/2016/0328_acc.html)

##### NetApp (various)
- [CVE-2015-8545](https://security.netapp.com/advisory/ntap-20151123-0001/) (CVE ID changed?)

##### Citrix XenMobile Server
- port 45000
- when Clustering is enabled
- Won't Fix (?)
- 10.7 and 10.8
- [Citrix advisory](https://support.citrix.com/article/CTX234879)
- [CVE-2018-10654](https://www.vulners.com/search?query=CVE-2018-10654)

##### IBM WebSphere (1)
- SOAP connector
- <= 9.0.0.9
- <= 8.5.5.14
- <= 8.0.0.15
- <= 7.0.0.45
- [CVE-2018-1567](https://www.vulners.com/search?query=CVE-2018-1567)

##### IBM WebSphere (2)
- [CVE-2015-1920](https://nvd.nist.gov/vuln/detail/CVE-2015-1920)

##### IBM WebSphere (3)
- TCP port 11006
- [CVE-2020-4448](https://www.vulners.com/search?query=CVE-2020-4448)
- [Vuln details](https://www.thezdi.com/blog/2020/9/29/exploiting-other-remote-protocols-in-ibm-websphere)

##### IBM WebSphere (4)
- SOAP connector
- [CVE-2020-4464](https://www.vulners.com/search?query=CVE-2020-4464)
- [Vuln details](https://www.thezdi.com/blog/2020/9/29/exploiting-other-remote-protocols-in-ibm-websphere)

##### IBM WebSphere (5)
- [CVE-2021-20353](https://www.zerodayinitiative.com/advisories/ZDI-21-174/)

##### IBM WebSphere (6)
- [CVE-2020-4576](https://nvd.nist.gov/vuln/detail/CVE-2020-4576)

##### IBM WebSphere (7)
- [CVE-2020-4589](https://nvd.nist.gov/vuln/detail/CVE-2020-4589)

##### Code42 CrashPlan
- *TCP port 4282*
- RMI (?)
- 5.4.x
- [CVE-2017-9830](https://www.vulners.com/search?query=CVE-2017-9830)
- [Details](https://blog.radicallyopensecurity.com/CVE-2017-9830.html)

##### Apache OpenJPA
- [CVE-2013-1768](http://seclists.org/fulldisclosure/2013/Jun/98)

##### Dell EMC VNX Monitoring and Reporting
- [CVE-2017-8012](https://www.zerodayinitiative.com/advisories/ZDI-17-826/)

##### Taoensso Nippy
- < 2.14.2
- [CVE-2020-24164](https://github.com/ptaoussanis/nippy/issues/130)

##### CAS
- v4.1.x
- v4.2.x
- [CAS Vulnerability Disclosure from Apereo](https://apereo.github.io/2016/04/08/commonsvulndisc/)

##### SolarWinds Network Performance Monitor
- [CVE-2021-31474](https://www.vulners.com/search?query=CVE-2021-31474)
- [Video](https://twitter.com/testanull/status/1397138757673906182)

##### Apache Batchee
##### Apache JCS
##### Apache OpenWebBeans

### Protection
- [Look-ahead Java deserialization](http://www.ibm.com/developerworks/library/se-lookahead/)
- [NotSoSerial](https://github.com/kantega/notsoserial)
- [SerialKiller](https://github.com/ikkisoft/SerialKiller)
- [ValidatingObjectInputStream](https://issues.apache.org/jira/browse/IO-487)
- [Name Space Layout Randomization](http://www.waratek.com/warateks-name-space-layout-randomization-nslr/)
- [Some protection bypasses](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md#serial-killer-silently-pwning-your-java-endpoints)
- Tool: [Serial Whitelist Application Trainer](https://github.com/cschneider4711/SWAT)
- [JEP 290: Filter Incoming Serialization Data](http://openjdk.java.net/jeps/290) in JDK 6u141, 7u131, 8u121
- [A First Look Into Java's New Serialization Filtering](https://dzone.com/articles/a-first-look-into-javas-new-serialization-filterin)
- [AtomicSerial](https://github.com/pfirmstone/JGDMS/wiki)

### For Android
#### Main talks & presentations & examples
- [One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android](https://www.usenix.org/conference/woot15/workshop-program/presentation/peles)
- [Android Serialization Vulnerabilities Revisited](https://www.rsaconference.com/events/us16/agenda/sessions/2455/android-serialization-vulnerabilities-revisited)
- [A brief history of Android deserialization vulnerabilities](https://lgtm.com/blog/android_deserialization)
- [Exploiting Android trough an Intent with Reflection](https://www.areizen.fr/post/exploiting_android_application_trough_serialized_intent/)

#### Tools
- [Android Java Deserialization Vulnerability Tester](https://github.com/modzero/modjoda)

## XMLEncoder (XML)
How it works:

- [https://web.archive.org/web/20191007233559/http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html](https://web.archive.org/web/20191007233559/http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html)
- [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)

### Detect
##### Code review
- java.beans.XMLDecoder
- readObject

##### Burp plugins
- [Freddy](https://github.com/nccgroup/freddy)

### Exploits
##### Oracle Weblogic
- <= 10.3.6.0.0
- <= 12.1.3.0.0
- <= 12.2.1.2.0
- <= 12.2.1.1.0
- *http://weblogic_server/wls-wsat/CoordinatorPortType*
- [CVE-2017-3506](https://www.vulners.com/search?query=CVE-2017-3506)
- [CVE-2017-10271](https://www.vulners.com/search?query=CVE-2017-10271)
- [Details](https://blog.nsfocusglobal.com/threats/vulnerability-analysis/technical-analysis-and-solution-of-weblogic-server-wls-component-vulnerability/)
- [CVE-2019-2729 Details](https://www.buaq.net/go-20897.html)

[Exploit](https://github.com/1337g/CVE-2017-10271/blob/master/CVE-2017-10271.py)

##### Oracle RDBMS
- priv escalation
- [Oracle Privilege Escalation via Deserialization](http://obtruse.syfrtext.com/2018/07/oracle-privilege-escalation-via.html)

## XStream (XML/JSON/various)
How it works:

- [http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/](http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/)
- [http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html](http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html)
- [https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream](https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream)
- [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)

### Payload generators

- [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)
- [https://github.com/chudyPB/XStream-Gadgets](https://github.com/chudyPB/XStream-Gadgets)
- [CVE-2020-26217](https://github.com/mai-lang-chai/Middleware-Vulnerability-detection/tree/master/XStream)
- [CVE-2020-26258 - SSRF](http://x-stream.github.io/CVE-2020-26258.html)
- [CVE-2021-29505](https://github.com/MyBlackManba/CVE-2021-29505)
- [CVE-2021-39144](https://x-stream.github.io/CVE-2021-39144.html)

### Exploits
##### Apache Struts (S2-052)
- <= 2.3.34
- <= 2.5.13
- REST plugin
- [CVE-2017-9805](https://www.vulners.com/search?query=CVE-2017-9805)

[Exploit](https://www.exploit-db.com/exploits/42627/)

### Detect
##### Code review
- com.thoughtworks.xstream.XStream
- xs.fromXML(data)

##### Burp plugins
- [Freddy](https://github.com/nccgroup/freddy)

### Vulnerable apps (without public sploits/need more info):
##### Atlassian Bamboo
- [CVE-2016-5229](https://www.vulners.com/search?query=CVE-2016-5229)

##### Jenkins
- [CVE-2017-2608](https://www.vulners.com/search?query=CVE-2017-2608)

## Kryo (binary)

How it works:

- [https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo](https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo)
- [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)

### Payload generators

- [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)

### Detect
##### Code review
- com.esotericsoftware.kryo.io.Input
- SomeClass object = (SomeClass)kryo.readClassAndObject(input);
- SomeClass someObject = kryo.readObjectOrNull(input, SomeClass.class);
- SomeClass someObject = kryo.readObject(input, SomeClass.class);

##### Burp plugins
- [Freddy](https://github.com/nccgroup/freddy)

## Hessian/Burlap (binary/XML)
How it works:

- [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)
- [Castor and Hessian java deserialization vulnerabilities](https://blog.semmle.com/hessian-java-deserialization-castor-vulnerabilities/)
- [Recurrence and Analysis of Hessian Deserialization RCE Vulnerability](https://www.freebuf.com/vuls/224280.html)

### Payload generators

- [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)

### Detect
##### Code review
- com.caucho.hessian.io
- AbstractHessianInput
- com.caucho.burlap.io.BurlapInput;
- com.caucho.burlap.io.BurlapOutput;
- BurlapInput in = new BurlapInput(is);
- Person2 p1 = (Person2) in.readObject();

##### Burp plugins
- [Freddy](https://github.com/nccgroup/freddy)

### Vulnerable apps (without public sploits/need more info):

##### Apache Camel
- [CVE-2017-12634](https://blog.semmle.com/hessian-java-deserialization-castor-vulnerabilities/)

##### MobileIron MDM
- [CVE-2020-15505](https://www.vulners.com/search?query=2020-15505)
- [Metasploit Exploit](https://vulners.com/metasploit/MSF:EXPLOIT/LINUX/HTTP/MOBILEIRON_MDM_HESSIAN_RCE/)

##### Apache Dubbo
- [Details and examples](https://checkmarx.com/blog/the-0xdabb-of-doom-cve-2021-25641/)

## Castor (XML)
How it works:

- [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)
- [Castor and Hessian java deserialization vulnerabilities](https://blog.semmle.com/hessian-java-deserialization-castor-vulnerabilities/)

### Payload generators

- [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)

### Detect
##### Code review
- org.codehaus.castor
- org.exolab.castor.xml.Unmarshaller
- org.springframework.oxm.Unmarshaller
- Unmarshaller.unmarshal(Person.class, reader)
- unmarshaller = context.createUnmarshaller();
- unmarshaller.unmarshal(new StringReader(data));

##### Burp plugins
- [Freddy](https://github.com/nccgroup/freddy)

### Vulnerable apps (without public sploits/need more info):

##### OpenNMS
- [NMS-9100](https://issues.opennms.org/browse/NMS-9100)

##### Apache Camel
- [CVE-2017-12633](https://blog.semmle.com/hessian-java-deserialization-castor-vulnerabilities/)

## json-io (JSON)
How it works:

- [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)

Exploitation examples:

- [Experiments with JSON-IO, Serialization, Mass Assignment, and General Java Object Wizardry](https://versprite.com/blog/application-security/experiments-with-json-io-serialization-mass-assignment-and-general-java-object-wizardry/)
- [JSON Deserialization Memory Corruption Vulnerabilities on Android](https://versprite.com/blog/json-deserialization-memory-corruption-vulnerabilities/)

### Payload generators

- [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)

### Detect
##### Code review
- com.cedarsoftware.util.io.JsonReader
- JsonReader.jsonToJava

##### Burp plugins
- [Freddy](https://github.com/nccgroup/freddy)

## Jackson (JSON)
*vulnerable in specific configuration*

How it works:

- [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)
- [On Jackson CVEs: Don’t Panic — Here is what you need to know](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)
- [Jackson Deserialization Vulnerabilities](https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)
- [The End of the Blacklist](https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist)

### Payload generators / gadget chains

- [https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/](https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/)
- [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)
- [blacklist bypass - CVE-2017-17485](https://github.com/irsl/jackson-rce-via-spel)
- [blacklist bypass - CVE-2017-15095](https://github.com/SecureSkyTechnology/study-struts2-s2-054_055-jackson-cve-2017-7525_cve-2017-15095)
- [CVE-2019-14540](https://github.com/LeadroyaL/cve-2019-14540-exploit/)
- [Jackson gadgets - Anatomy of a vulnerability](https://blog.doyensec.com/2019/07/22/jackson-gadgets.html)
- [JNDI Injection using Getter Based Deserialization Gadgets](https://srcincite.io/blog/2019/08/07/attacking-unmarshallers-jndi-injection-using-getter-based-deserialization.html)
- [blacklist bypass - CVE-2020-8840](https://github.com/jas502n/CVE-2020-8840)
- [blacklist bypass - CVE-2020-10673](https://github.com/0nise/CVE-2020-10673/)

### Detect
##### Code review
- com.fasterxml.jackson.databind.ObjectMapper
- ObjectMapper mapper = new ObjectMapper();
- objectMapper.enableDefaultTyping();
- @JsonTypeInfo(use=JsonTypeInfo.Id.CLASS, include=JsonTypeInfo.As.PROPERTY, property="@class")
- public Object message;
- mapper.readValue(data, Object.class);

##### Burp plugins
- [Freddy](https://github.com/nccgroup/freddy)

### Exploits
##### FasterXML
- [CVE-2019-12384](https://github.com/jas502n/CVE-2019-12384)

##### Liferay
- [CVE-2019-16891](https://sec.vnpt.vn/2019/09/liferay-deserialization-json-deserialization-part-4/)

### Vulnerable apps (without public sploits/need more info):
##### Apache Camel
- [CVE-2016-8749](https://www.vulners.com/search?query=CVE-2016-8749)

## Fastjson (JSON)

How it works:

1512 | - [https://www.secfree.com/article-590.html](https://www.secfree.com/article-590.html) 1513 | - [Official advisory](https://github.com/alibaba/fastjson/wiki/security_update_20170315) 1514 | - [Fastjson process analysis and RCE analysis](https://paper.seebug.org/994/) 1515 | - [Fastjson Deserialization Vulnerability History](https://paper.seebug.org/1193/) 1516 | - [Hao Xing Zekai Wu - How I use a JSON Deserialization 0day to Steal Your Money On The Blockchain.pdf](https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Hao%20Xing%20Zekai%20Wu%20-%20How%20I%20use%20a%20JSON%20Deserialization%200day%20to%20Steal%20Your%20Money%20On%20The%20Blockchain.pdf?utm_source=pocket_mylist) 1517 | 1518 | 1519 | ### Detect 1520 | ##### Code review 1521 | - com.alibaba.fastjson.JSON 1522 | - JSON.parseObject 1523 | 1524 | ##### Burp plugins 1525 | - [Freddy](https://github.com/nccgroup/freddy) 1526 | 1527 | ### Payload generators 1528 | 1529 | - [fastjson 1.2.24 <=](https://github.com/iBearcat/Fastjson-Payload) 1530 | - [fastjson 1.2.47 <=](https://github.com/jas502n/fastjson-RCE) 1531 | - [fastjson 1.2.66 <=](https://github.com/0nise/CVE-2020-10673/) 1532 | - [blacklisted gadgets](https://github.com/LeadroyaL/fastjson-blacklist) 1533 | - [Fastjson: exceptional deserialization vulnerabilities](https://www.alphabot.com/security/blog/2020/java/Fastjson-exceptional-deserialization-vulnerabilities.html) 1534 | - [Hao Xing Zekai Wu - How I use a JSON Deserialization 0day to Steal Your Money On The Blockchain.pdf](https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Hao%20Xing%20Zekai%20Wu%20-%20How%20I%20use%20a%20JSON%20Deserialization%200day%20to%20Steal%20Your%20Money%20On%20The%20Blockchain.pdf?utm_source=pocket_mylist) 1535 | 1536 | ## Genson (JSON) 1537 | 1538 | How it works: 1539 | 1540 | - [Friday the 13th JSON Attacks](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf) 1541 | 1542 | ### Detect 
1543 | ##### Code review 1544 | - com.owlike.genson.Genson 1545 | - useRuntimeType 1546 | - genson.deserialize 1547 | 1548 | ##### Burp plugins 1549 | - [Freddy](https://github.com/nccgroup/freddy) 1550 | 1551 | ## Flexjson (JSON) 1552 | 1553 | How it works: 1554 | 1555 | - [Friday the 13th JSON Attacks](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf) 1556 | 1557 | ### Payload generators / gadget chains 1558 | - [PoC](https://github.com/GrrrDog/Sploits) 1559 | 1560 | ### Detect 1561 | ##### Code review 1562 | - import flexjson.JSONDeserializer 1563 | - JSONDeserializer jsonDeserializer = new JSONDeserializer() 1564 | - jsonDeserializer.deserialize(jsonString); 1565 | 1566 | ### Exploits 1567 | ##### Liferay 1568 | - [Liferay Portal JSON Web Service RCE Vulnerabilities](https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html) 1569 | - [CST-7111](https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/113765197) 1570 | 1571 | 1572 | ## Jodd (JSON) 1573 | *vulnerable in a non-default configuration when setClassMetadataName() is set* 1574 | 1575 | - [issues/628](https://github.com/oblac/jodd/issues/628) 1576 | 1577 | ### Payload generators / gadget chains 1578 | - [PoC](https://github.com/GrrrDog/Sploits) 1579 | 1580 | ### Detect 1581 | ##### Code review 1582 | - com.fasterxml.jackson.databind.ObjectMapper 1583 | - JsonParser jsonParser = new JsonParser() 1584 | - jsonParser.setClassMetadataName("class").parse(jsonString, ClassName.class); 1585 | 1586 | ## Red5 IO AMF (AMF) 1587 | How it works: 1588 | 1589 | - [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf) 1590 | 1591 | ### Payload generators 1592 | 1593 | - [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec) 1594 | 1595 | ### Detect 1596 | ##### Code review 1597 | - org.red5.io 1598 | - Deserializer.deserialize(i, 
Object.class); 1599 | 1600 | ##### Burp plugins 1601 | - [Freddy](https://github.com/nccgroup/freddy) 1602 | 1603 | ### Vulnerable apps (without public sploits/need more info): 1604 | ##### Apache OpenMeetings 1605 | - [CVE-2017-5878](https://www.vulners.com/search?query=CVE-2017-5878) 1606 | 1607 | ## Apache Flex BlazeDS (AMF) 1608 | How it works: 1609 | 1610 | - [AMF – Another Malicious Format](http://codewhitesec.blogspot.ru/2017/04/amf.html) 1611 | - [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf) 1612 | 1613 | ### Payload generators 1614 | 1615 | - [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec) 1616 | 1617 | ### Detect 1618 | ##### Code review 1619 | 1620 | ##### Burp plugins 1621 | - [Freddy](https://github.com/nccgroup/freddy) 1622 | 1623 | ### Vulnerable apps: 1624 | 1625 | ##### Oracle Business Intelligence 1626 | - *BIRemotingServlet* 1627 | - no auth 1628 | - [CVE-2020-2950](https://www.zerodayinitiative.com/advisories/ZDI-20-505/) 1629 | - [Details on the Oracle WebLogic Vulnerability Being Exploited in the Wild](https://www.thezdi.com/blog/2020/5/8/details-on-the-oracle-weblogic-vulnerability-being-exploited-in-the-wild) 1630 | - [CVE-2020–2950 — Turning AMF Deserialize bug to Java Deserialize bug](https://peterjson.medium.com/cve-2020-2950-turning-amf-deserialize-bug-to-java-deserialize-bug-2984a8542b6f) 1631 | 1632 | ##### Adobe ColdFusion 1633 | - [CVE-2017-3066](https://www.vulners.com/search?query=CVE-2017-3066) 1634 | - *<= 2016 Update 3* 1635 | - *<= 11 update 11* 1636 | - *<= 10 Update 22* 1637 | 1638 | - [Exploiting Adobe ColdFusion before CVE-2017-3066](http://codewhitesec.blogspot.ru/2018/03/exploiting-adobe-coldfusion.html) 1639 | - [PoC](https://github.com/depthsecurity/coldfusion_blazeds_des) 1640 | 1641 | ##### Draytek VigorACS 1642 | - */ACSServer/messagebroker/amf* 1643 | - at least 2.2.1 1644 | - based on 
[CVE-2017-5641](https://www.vulners.com/search?query=CVE-2017-5641) 1645 | 1646 | - [PoC](https://github.com/pedrib/PoC/blob/master/exploits/acsPwn/acsPwn.rb) 1647 | 1648 | ##### Apache BlazeDS 1649 | - [CVE-2017-5641](https://www.vulners.com/search?query=CVE-2017-5641) 1650 | 1651 | ##### VMWare VCenter 1652 | - based on [CVE-2017-5641](https://www.vulners.com/search?query=CVE-2017-5641) 1653 | 1654 | ##### HP Systems Insight Manager 1655 | - */simsearch/messagebroker/amfsecure* 1656 | - 7.6.x 1657 | - [CVE-2020-7200](https://www.vulners.com/search?query=CVE-2020-7200) 1658 | - [Metasploit Exploit](https://github.com/rapid7/metasploit-framework/pull/14846) 1659 | 1660 | ##### TIBCO Data Virtualization 1661 | - < 8.3 1662 | - */monitor/messagebroker/amf* 1663 | - [Details](https://github.com/pedrib/PoC/blob/master/advisories/TIBCO/tibco_tdv_rce.md) 1664 | 1665 | ## Flamingo AMF (AMF) 1666 | How it works: 1667 | 1668 | - [AMF – Another Malicious Format](http://codewhitesec.blogspot.ru/2017/04/amf.html) 1669 | 1670 | ### Detect 1671 | ##### Burp plugins 1672 | - [Freddy](https://github.com/nccgroup/freddy) 1673 | 1674 | ## GraniteDS (AMF) 1675 | How it works: 1676 | 1677 | - [AMF – Another Malicious Format](http://codewhitesec.blogspot.ru/2017/04/amf.html) 1678 | 1679 | ### Detect 1680 | ##### Burp plugins 1681 | - [Freddy](https://github.com/nccgroup/freddy) 1682 | 1683 | ## WebORB for Java (AMF) 1684 | How it works: 1685 | 1686 | - [AMF – Another Malicious Format](http://codewhitesec.blogspot.ru/2017/04/amf.html) 1687 | 1688 | ### Detect 1689 | ##### Burp plugins 1690 | - [Freddy](https://github.com/nccgroup/freddy) 1691 | 1692 | ## SnakeYAML (YAML) 1693 | How it works: 1694 | 1695 | - [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf) 1696 | 1697 | ### Payload generators 1698 | 1699 | - [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec) 1700 | - [Payload Generator for the SnakeYAML 
deserialization gadget](https://github.com/artsploit/yaml-payload) 1701 | 1702 | ### Detect 1703 | ##### Code review 1704 | - org.yaml.snakeyaml.Yaml 1705 | - yaml.load 1706 | 1707 | ##### Burp plugins 1708 | - [Freddy](https://github.com/nccgroup/freddy) 1709 | 1710 | ### Vulnerable apps (without public sploits/need more info): 1711 | ##### Resteasy 1712 | - [CVE-2016-9606](https://www.vulners.com/search?query=CVE-2016-9606) 1713 | 1714 | ##### Apache Camel 1715 | - [CVE-2017-3159](https://www.vulners.com/search?query=CVE-2017-3159) 1716 | 1717 | ##### Apache Brooklyn 1718 | - [CVE-2016-8744](https://www.vulners.com/search?query=CVE-2016-8744) 1719 | 1720 | ##### Apache ShardingSphere 1721 | - [CVE-2020-1947](https://www.vulners.com/search?query=CVE-2020-1947) 1722 | 1723 | ## jYAML (YAML) 1724 | How it works: 1725 | 1726 | - [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf) 1727 | 1728 | ### Payload generators 1729 | 1730 | - [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec) 1731 | 1732 | ### Detect 1733 | - org.ho.yaml.Yaml 1734 | - Yaml.loadType(data, Object.class); 1735 | 1736 | ##### Burp plugins 1737 | - [Freddy](https://github.com/nccgroup/freddy) 1738 | 1739 | ## YamlBeans (YAML) 1740 | How it works: 1741 | 1742 | - [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf) 1743 | 1744 | ### Payload generators 1745 | 1746 | - [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec) 1747 | 1748 | ### Detect 1749 | - com.esotericsoftware.yamlbeans 1750 | - YamlReader r = new YamlReader(data, yc); 1751 | 1752 | ##### Burp plugins 1753 | - [Freddy](https://github.com/nccgroup/freddy) 1754 | 1755 | ## "Safe" deserialization 1756 | 1757 | Some serialization libs are safe (or almost safe) [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec) 1758 | 1759 | However, it's not a recommendation, 
but just a list of other libs that has been researched by someone: 1760 | 1761 | - JAXB 1762 | - XmlBeans 1763 | - Jibx 1764 | - Protobuf 1765 | - GSON 1766 | - GWT-RPC 1767 | --------------------------------------------------------------------------------
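The common thread in the Code review indicators above is that the input, not the application, picks the class to instantiate. As an added example that is not part of this cheat sheet, the Jackson (`enableDefaultTyping()` + `readValue(data, Object.class)`) and SnakeYAML (`yaml.load`) patterns are shown beside their hardened forms; the `com.example.model.` package prefix and the two inputs are constructed for the demo.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class DeserConfigCheck {
    // Constructed inputs: each names a class the server never asked for.
    // java.util.HashMap is harmless; it only shows who chooses the type.
    static final String JSON_IN = "[\"java.util.HashMap\", {\"text\": \"hi\"}]";
    static final String YAML_IN = "!!java.util.HashMap {text: hi}";

    // Weak Jackson setup: exactly the grep hits from the Detect section.
    static Object jacksonWeak(String data) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();                 // deprecated since 2.10
        return mapper.readValue(data, Object.class);  // input picks the class
    }

    // Hardened: polymorphic typing only for an allow-listed package prefix (assumed).
    static Object jacksonHardened(String data) throws Exception {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper.readValue(data, Object.class);  // java.util.HashMap -> InvalidTypeIdException
    }

    // Weak SnakeYAML setup: a "!!" tag can instantiate any class on the classpath.
    static Object yamlWeak(String data) {
        return new Yaml().load(data);
    }

    // Hardened: SafeConstructor only builds scalars, lists and maps; java tags are rejected.
    static Object yamlHardened(String data) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(data);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jackson weak: built " + jacksonWeak(JSON_IN).getClass().getName());
        System.out.println("yaml weak:    built " + yamlWeak(YAML_IN).getClass().getName());
        try { jacksonHardened(JSON_IN); }
        catch (InvalidTypeIdException e) { System.out.println("jackson hardened: rejected " + e.getTypeId()); }
        try { yamlHardened(YAML_IN); }
        catch (ConstructorException e) { System.out.println("yaml hardened: rejected the !!java tag"); }
    }
}
```

The weak variants return a map built from the attacker-named class, which is the same mechanism a gadget class would ride on; the hardened variants throw before any constructor runs.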