Most programming languages and frameworks have support for serialization of data. It’s quite handy for storing things to disk (or other media) and transporting them around a network for example. The process can be reversed, aptly called deserialization, in order to obtain the original pieces of data. Great. Even though this process sounds simple, there is a lot that can go wrong. First of all data can be manipulated. Subtle modifications can cause havoc when the data is touched. There is a lesser known class of bugs around deserialization and serialization techniques. Matthias Kaiser has some insights to share.
Java deserialization vulnerabilities are a bug class of its own. Although several security researchers have published details in the last ten years, still the bug class is fairly unknown. Early 2015 Chris Frohoff and Gabriel Lawrence made a huge step towards practical exploitation by finding a novel exploit technique in the widespread Apache Commons Collections library. Since then several security researchers have continued on their work and discovered new vulnerabilities as well as exploit techniques. In his talk Matthias Kaiser will give a basic introduction how to find and exploit java deserialization vulnerabilities. He will also cover how vendors failed to fix deserialization vulnerabilities using blacklist filtering. Last but not least an unknown blacklist bypass will be shown for a certain product (name withheld) including a live-demo.
Don’t say „But it’s just data!“. Data-driven attacks are quite common. Deserialization vulnerabilities is yet another attack vector your adversaries will use against you. Therefore you should know about this. We recommend this talk not only for developers. Anyone handling data of any kind should have a look at these vulnerability classes.
Matthias Kaiser is the Head of Vulnerability Research at Code White. He enjoys bug hunting in Enterprise Software but also client side software and has discovered vulnerabilities in products of Oracle, IBM, VMware, SAP, Symantec, Apache, Adobe, etc. He spent quite some time in researching Java deserialization vulnerabilities and deserialization gadgets and has presented his research at international conferences such as Ruhrsec, Infiltrate and Blackhat.