Automated Discovery of Deserialization Gadget Chains


Black Hat via YouTube

Class Central Classrooms beta


Classroom Contents


  1. Intro
  2. Deserialization? That's so 2016...
  3. Why are Deserialization Vulnerabilities so Bad? Magic methods get executed automatically by the deserializer, even before deserialization finishes!
  4. Magic methods? • readObject() and readResolve() are the main ones...
  5. Magic Methods to Gadget Chains
  6. Example Payload
  7. What (Java) Libraries are Vulnerable?
  8. Finding Vulnerabilities
  9. Remediation Options
  10. Finding Exploits
  11. Existing Gadget Chain Tools
  12. Building a New Tool to Find Gadget Chains
  13. Enumerate class/method hierarchy
  14. Discover "Passthrough" Dataflow
  15. Enumerate "Passthrough" Callgraph
  16. Enumerate Sources Using Known Tricks
  17. BFS on Call Graph for Chains Sources
  18. Deserialization Library Flexibility
  19. Results: OSS Library Scans
  20. Results: Old Gadget Chains
  21. New Gadget Chains: Clojure org.clojure clojure
  22. New Gadget Chains: Scala
  23. Results: Netflix Internal Webapp 2
  24. Room for Improvement
  25. Final Thoughts • Automatic discovery for gadget chains is new territory
