I. Finding Java deserialization vulnerabilities
1. Black-box traffic analysis:
A serialized Java object usually travels in one of two forms: in a raw TCP message it is sent as a binary stream, while in an HTTP message it is most often Base64-encoded. Either way it leaves a recognisable signature in the traffic:
(1) TCP: the payload begins with the hex bytes ac ed 00 05 (STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005); this header marks the start of a Java serialization stream;
(2) HTTP: the value begins with rO0AB, which is nothing more than the Base64 encoding of ac ed 00 05 (the four magic bytes encode to rO0ABQ==, so rO0AB is the stable prefix whenever the stream starts at the beginning of the encoded value; the match is case-sensitive);
Either signature tells you that the endpoint deserializes Java objects, and that is where you try to construct a payload for an attack.
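As an added example (not code from the original post), the two signatures above implemented as a small detector. The Base64 prefix is derived from the magic bytes rather than typed in, the HTTP check decodes the first eight Base64 characters to confirm the match is really the magic, and the sample payload and HTTP body are constructed inline with a real ObjectOutputStream so the code runs offline.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.util.Base64;

// Added example (not from the original post): recognise a Java serialization
// stream in a raw TCP payload and inside a Base64-encoded HTTP field.
public class SerialSignature {

    // ac ed 00 05 = STREAM_MAGIC (0xACED) followed by STREAM_VERSION (0x0005).
    static final byte[] MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};

    // Derived, not hard-coded: Base64 of the four magic bytes is "rO0ABQ==",
    // so any value that begins with the stream begins with "rO0AB".
    static final String B64_PREFIX = Base64.getEncoder().encodeToString(MAGIC).substring(0, 5);

    /** TCP case: does the payload begin with the magic bytes? */
    static boolean isRawStream(byte[] payload) {
        if (payload == null || payload.length < MAGIC.length) return false;
        for (int i = 0; i < MAGIC.length; i++) {
            if (payload[i] != MAGIC[i]) return false;
        }
        return true;
    }

    /**
     * HTTP case: locate "rO0AB" in a body or parameter value and confirm, by
     * decoding the first eight Base64 characters (six bytes), that the bytes
     * really are the magic and not a coincidental substring. Returns the
     * offset of the stream or -1.
     */
    static int findBase64Stream(String text) {
        int idx = text.indexOf(B64_PREFIX);
        while (idx >= 0) {
            if (idx + 8 <= text.length()) {   // a real stream is always longer than its header
                try {
                    byte[] head = Base64.getDecoder().decode(text.substring(idx, idx + 8));
                    if (isRawStream(head)) return idx;
                } catch (IllegalArgumentException notBase64) {
                    // the match was not inside a valid Base64 quantum; keep scanning
                }
            }
            idx = text.indexOf(B64_PREFIX, idx + 1);
        }
        return -1;
    }

    /** Helper to build a genuine serialization stream for the demo. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] tcpPayload = serialize("hello");                 // constructed sample
        String httpBody = "user=alice&state="                     // constructed sample
                + Base64.getEncoder().encodeToString(tcpPayload);

        System.out.println("Base64 prefix derived from ac ed 00 05: " + B64_PREFIX);
        System.out.println("TCP payload is a serialization stream: " + isRawStream(tcpPayload));
        System.out.println("HTTP body carries a stream at offset: " + findBase64Stream(httpBody));
        System.out.println("false positive check: " + findBase64Stream("see rO0ABzzz nothing here"));
    }
}
```

Two practical caveats when applying this to captured traffic: URL-decode form bodies first, because the characters after rO0AB may arrive as %2B, %2F or %3D; and the prefix only holds when the serialized object is the whole encoded value. If the application prepends other bytes the Base64 alignment shifts and the prefix changes, and a gzip-wrapped stream shows the gzip signature H4sI instead.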
2. Black-box: Java RMI:
RMI (Remote Method Invocation) is Java's mechanism for calling methods on objects hosted in another JVM. Its registry listens on port 1099 by default, the transport is plain sockets, and every argument and return value crosses the wire as a serialized object, so remote invocation is built entirely on serialization and deserialization: any method the service exposes is a deserialization entry point.
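To make the last point concrete, an added example (not from the original post) that runs a registry on port 1099, exports one remote object and calls it from a client in the same JVM. The Echo interface, EchoImpl and Marker classes are illustrative; Marker's readObject prints the thread it runs on, which shows that the argument is deserialized by the server's RMI transport thread before echo() ever executes.

```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

// Added example (not from the original post): a minimal RMI server and client
// in one JVM, showing that a method argument is deserialized by the server's
// RMI transport thread before the remote method runs.
public class RmiSurface {

    /** Remote interface. An Object parameter is marshalled by Java serialization. */
    public interface Echo extends Remote {
        String echo(Object payload) throws RemoteException;
    }

    /** Server side. By the time echo() runs, payload has already been deserialized. */
    public static class EchoImpl extends UnicastRemoteObject implements Echo {
        EchoImpl() throws RemoteException { super(); }

        @Override
        public String echo(Object payload) {
            return "echo() received a " + payload.getClass().getName() + ": " + payload;
        }
    }

    /** Harmless Serializable argument whose readObject reports where it was run. */
    public static class Marker implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String note;
        Marker(String note) { this.note = note; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("Marker.readObject() ran on thread: " + Thread.currentThread().getName());
        }

        @Override
        public String toString() { return note; }
    }

    public static void main(String[] args) throws Exception {
        // Server: registry on the default port 1099, remote object bound under "echo".
        Registry registry = LocateRegistry.createRegistry(1099);
        EchoImpl impl = new EchoImpl();
        registry.rebind("echo", impl);

        // Client: look up the stub and call it. The Marker is serialized on the way
        // out and deserialized by an "RMI TCP Connection" thread on the server side.
        Echo stub = (Echo) LocateRegistry.getRegistry("localhost", 1099).lookup("echo");
        System.out.println(stub.echo(new Marker("hello over RMI")));   // constructed sample

        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

Run it with `java RmiSurface.java` on JDK 11 or later (port 1099 must be free). When testing a real RMI service, remember that since JEP 290 (JDK 9, backported to 8u121) the registry and distributed garbage collector apply built-in serialization filters, and the process-wide jdk.serialFilter property can restrict what application methods accept; a target without those filters is the one worth spending time on.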
3. White-box code audit:
(1) Look at every class that implements the Serializable interface and ask whether its state can be abused once an attacker controls it.
(2) Examine the logic of every readObject override: that code runs during deserialization, before the application has any chance to validate the object, so anything it does with the freshly read fields (calling their methods, using them in reflection, file or network operations) is a potential sink.
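As an added example (not from the original post), the two audit questions side by side: VulnTask is the pattern an auditor is looking for, a readObject that calls into an object that came out of the stream, and SafeTask is the hardened form that validates state only. Both classes and the serializable callback are constructed for the demo; the callback is a harmless stand-in for a gadget chain.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example (not from the original post): what the two white-box audit
// questions look like in code. VulnTask and SafeTask are illustrative classes,
// and the "attacker" callback is a harmless stand-in for a gadget chain.
public class ReadObjectAudit {

    /** Finding: Serializable class whose readObject calls into an object taken from the stream. */
    static final class VulnTask implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final Runnable onLoad;   // the stream decides which implementation this is

        VulnTask(String name, Runnable onLoad) { this.name = name; this.onLoad = onLoad; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            onLoad.run();   // SINK: attacker-chosen code runs before any caller can inspect the object
        }
    }

    /** Hardened form: readObject validates state only; behaviour is never taken from the stream. */
    static final class SafeTask implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private transient Runnable onLoad;   // not serialized; re-attached by trusted code after load

        SafeTask(String name) { this.name = name; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (name == null || name.isEmpty() || name.length() > 64) {
                throw new InvalidObjectException("rejected name: " + name);
            }
        }

        void attach(Runnable onLoad) { this.onLoad = onLoad; }
        String name() { return name; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a gadget: any Serializable Runnable the sender chooses.
        Runnable attackerCallback = (Runnable & Serializable) () ->
                System.out.println("callback ran inside readObject(), before the application saw the object");
        deserialize(serialize(new VulnTask("report", attackerCallback)));

        SafeTask ok = (SafeTask) deserialize(serialize(new SafeTask("report")));
        ok.attach(() -> System.out.println("trusted code attached behaviour after validation"));
        System.out.println("SafeTask restored: " + ok.name());

        try {
            deserialize(serialize(new SafeTask("")));
        } catch (InvalidObjectException e) {
            System.out.println("SafeTask rejected during deserialization: " + e.getMessage());
        }
    }
}
```

The same question applies to readResolve, readExternal and validateObject callbacks: the rule when auditing is that code reached from these hooks must only check the fields it has just read, never act on them.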
II. Java deserialization attacks:
See my blog post:
Java Deserialization Vulnerability Detection
III. Defending against Java deserialization vulnerabilities:
1. Class whitelist check:
The principle is simple: before deserialization of an incoming object begins, check the type name of every class in the stream and refuse to deserialize anything that is not on the whitelist. Obviously a class such as Runtime will never be on that whitelist.
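An added example (not from the original post) showing where this check hooks in. ObjectInputStream calls resolveClass on each class descriptor before it allocates an instance, so rejecting there means a blocked class never reaches readObject or readResolve; the same list is then expressed as a JDK 9+ JEP 290 filter. The ALLOWED set, the Invoice class and the filter pattern are illustrative assumptions, and Java 9 or later is assumed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Set;

// Added example (not from the original post): the type-name whitelist check
// implemented two ways. ALLOWED and Invoice are illustrative assumptions; a
// real application lists its own serializable DTOs.
public class WhitelistDemo {

    static final Set<String> ALLOWED = Set.of(
            "java.lang.String", "java.util.ArrayList", "WhitelistDemo$Invoice");

    /** Way 1 (also works on Java 8): override resolveClass, which runs before any instance exists. */
    static final class SafeObjectInputStream extends ObjectInputStream {
        SafeObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            boolean isArray = name.startsWith("[");
            while (name.startsWith("[")) name = name.substring(1);   // "[[Ljava.lang.String;" -> "Ljava.lang.String;"
            if (isArray && name.length() == 1) return super.resolveClass(desc);   // primitive array such as "[I"
            if (isArray && name.startsWith("L") && name.endsWith(";")) {
                name = name.substring(1, name.length() - 1);          // -> "java.lang.String"
            }
            if (ALLOWED.contains(name)) return super.resolveClass(desc);
            throw new InvalidClassException(desc.getName(), "not on the deserialization whitelist");
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
            // Dynamic proxies are a classic gadget entry point; this stream never needs them.
            throw new InvalidClassException("java.lang.reflect.Proxy", "proxies are not allowed in this stream");
        }
    }

    /** Way 2 (Java 9+): the JDK's JEP 290 filter with the same list; "!*" rejects everything else. */
    static final ObjectInputFilter JDK_FILTER = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Object;java.util.ArrayList;WhitelistDemo$Invoice;!*");

    static final class Invoice implements Serializable {
        private static final long serialVersionUID = 1L;
        final String customer;
        final List<String> lines = new ArrayList<>();
        Invoice(String customer) { this.customer = customer; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object readWithResolveClass(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    static Object readWithJdkFilter(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(JDK_FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Invoice inv = new Invoice("acme");                       // constructed sample
        inv.lines.add("widget x2");
        byte[] good = serialize(inv);
        byte[] bad = serialize(new HashMap<String, String>());  // any non-listed class; stands in for a gadget

        System.out.println("resolveClass accepted: " + ((Invoice) readWithResolveClass(good)).customer);
        System.out.println("JDK filter accepted:   " + ((Invoice) readWithJdkFilter(good)).customer);
        try { readWithResolveClass(bad); } catch (InvalidClassException e) { System.out.println("resolveClass rejected: " + e.getMessage()); }
        try { readWithJdkFilter(bad); }     catch (InvalidClassException e) { System.out.println("JDK filter rejected: " + e.getMessage()); }
    }
}
```

Two details worth knowing: the JEP 290 filter is also consulted for arrays that collections allocate internally (ArrayList checks its Object[] backing store), which is why java.lang.Object appears in the pattern but not in ALLOWED; and the same pattern can be applied process-wide with -Djdk.serialFilter=... without touching application code, which is the quickest way to retrofit an existing deployment.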
2. Prevent the JVM from executing external commands via Runtime.exec:
This can be done by extending SecurityManager, as in the snippet below. Note that the permission strings are case-sensitive: FilePermission carries the action "execute" and the relevant RuntimePermission is named "setSecurityManager", and both Runtime.exec and ProcessBuilder.start pass through the same checkExec check. Two caveats: this closes only one sink, so a gadget chain that writes files, opens sockets or performs a JNDI lookup is unaffected; and SecurityManager is deprecated for removal since JDK 17 (JEP 411) and, from JDK 18, System.setSecurityManager throws unless the JVM is started with -Djava.security.manager=allow.
    import java.security.Permission;

    // Wrapped in a class and a method here so that it compiles as-is.
    public class ExecGuard {

        /** Installs a SecurityManager that denies process execution and protects itself from removal. */
        public static void install() {
            SecurityManager originalSecurityManager = System.getSecurityManager();
            if (originalSecurityManager == null) {
                // Create your own SecurityManager
                SecurityManager sm = new SecurityManager() {
                    private void check(Permission perm) {
                        // Prohibit exec: Runtime.exec and ProcessBuilder.start both end in
                        // checkExec, which checks FilePermission(cmd, "execute")
                        if (perm instanceof java.io.FilePermission) {
                            String actions = perm.getActions();
                            if (actions != null && actions.contains("execute")) {
                                throw new SecurityException("execute denied!");
                            }
                        }
                        // Prohibit installing a new SecurityManager, to protect itself
                        if (perm instanceof java.lang.RuntimePermission) {
                            String name = perm.getName();
                            if (name != null && name.contains("setSecurityManager")) {
                                throw new SecurityException("System.setSecurityManager denied!");
                            }
                        }
                    }

                    @Override
                    public void checkPermission(Permission perm) {
                        check(perm);
                    }

                    @Override
                    public void checkPermission(Permission perm, Object context) {
                        check(perm);
                    }
                };

                System.setSecurityManager(sm);
            }
        }
    }
IV. References:
https://paper.seebug.org/312/
Discovery, Attack and Defense of Java Deserialization Vulnerabilities