Overview
Syllabus
Intro
Deserialization? That's so 2016...
Why are Deserialization Vulnerabilities so Bad? Magic methods get executed automatically by the deserializer, even before deserialization finishes!
Magic methods? • readObject() and readResolve() are the main ones...
Magic Methods to Gadget Chains
Example Payload
What (Java) Libraries are Vulnerable?
Finding Vulnerabilities
Remediation Options
Finding Exploits
Existing Gadget Chain Tools
Building a New Tool to Find Gadget Chains
Enumerate class/method hierarchy
Discover "Passthrough" Dataflow
Enumerate "Passthrough" Callgraph
Enumerate Sources Using Known Tricks
BFS on Call Graph for Chains Sources
Deserialization Library Flexibility
Results: OSS Library Scans
Results: Old Gadget Chains
New Gadget Chains: Clojure org.clojure clojure
New Gadget Chains: Scala
Results: Netflix Internal Webapp 2
Room for Improvement
Final Thoughts • Automatic discovery for gadget chains is new territory
Taught by
Black Hat