From f7c837ffdd21c3567bd3d7725e75de0a827a3a3b Mon Sep 17 00:00:00 2001 From: clem9669 <18504086+clem9669@users.noreply.github.com> Date: Mon, 26 Oct 2020 14:43:16 +0000 Subject: [PATCH] Adding marshalsec tool & references Adding marshalsec tool & references --- Insecure Deserialization/Java.md | 34 ++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/Insecure Deserialization/Java.md b/Insecure Deserialization/Java.md index 5915688..8a0b39c 100644 --- a/Insecure Deserialization/Java.md +++ b/Insecure Deserialization/Java.md @@ -65,6 +65,38 @@ JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXp ysoserial-modified [https://github.com/pimps/ysoserial-modified](https://github.com/pimps/ysoserial-modified) +Java Unmarshaller Security: Turning your data into code execution - [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec) + +```java +java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec. [-a] [-v] [-t] [ []] + + where + -a - generates/tests all payloads for that marshaller + -t - runs in test mode, unmarshalling the generated payloads after generating them. + -v - verbose mode, e.g. also shows the generated payload in test mode. + gadget_type - Identifier of a specific gadget, if left out will display the available ones for that specific marshaller. + arguments - Gadget specific arguments +``` + +Payload generators for the following marshallers are included:
+ +| Marshaller | Gadget Impact +| ------------------------------- | ---------------------------------------------- +| BlazeDSAMF(0|3|X) | JDK only escalation to Java serialization
various third party libraries RCEs +| Hessian|Burlap | various third party RCEs +| Castor | dependency library RCE +| Jackson | **possible JDK only RCE**, various third party RCEs +| Java | yet another third party RCE +| JsonIO | **JDK only RCE** +| JYAML | **JDK only RCE** +| Kryo | third party RCEs +| KryoAltStrategy | **JDK only RCE** +| Red5AMF(0|3) | **JDK only RCE** +| SnakeYAML | **JDK only RCEs** +| XStream | **JDK only RCEs** +| YAMLBeans | third party RCE + + ## References - [Github - ysoserial](https://github.com/frohoff/ysoserial) @@ -72,3 +104,5 @@ ysoserial-modified [https://github.com/pimps/ysoserial-modified](https://github. - [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/) - [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a) - [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html) +- [Jackson CVE-2019-12384: anatomy of a vulnerability class](https://blog.doyensec.com/2019/07/22/jackson-gadgets.html) +- [On Jackson CVEs: Don’t Panic — Here is what you need to know](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062#da96)