Nathan
Posted on April 20, 2022
Java is a programming language originally developed by James Gosling at Sun Microsystems (which has since been acquired by Oracle Corporation) and released in 1995 as a core component of Sun Microsystems' Java platform. The language derives much of its syntax from C and C++, but it has a simpler object model and fewer low-level facilities than either of them.
Java enables developers to create applications that can run on multiple platforms.This language is based on the object-oriented programming paradigm. This means that code is organized into objects that can interact with each other.
In addition java has a platform-independent language. This means that Java code can run on any platform that supports the Java Runtime Environment (JRE). The JRE is a software layer that provides a platform for Java code to run on. The JRE is available for multiple platforms, including Windows, macOS, and Linux.
At a glance Java is a safe language that provides a high level of security (but we will se here that there are always vulnerabilities). In other hand java is the most documented language for insecure deserialization.
Java is an easy language to learn, and there are a variety of resources available to help developers get started with Java programming.
When you write Java programs, you can compile them into bytecode, the machine code for a Java Virtual Machine (JVM), which then runs the program. The JVM is platform-independent, so the same bytecode can run on any operating system that has a JVM.
Last thing Java is a object-oriented programming language, which means that it uses objects and classes to build applications. In object-oriented programming, a class is a template for creating objects. An object is an instance of a class. When you create an object, you are creating an instance of a class. For example, you can create an object that represents a person. The class for this object might include information such as the person's name, address, and phone number. Once you have created the class, you can create as many objects from that class as you want.
Java vulnerabilities
Before continue to read , let 's check my previous article if you did not read it.
How a serialize object looks in java?
Objects that can be serialize must implement the java.io.seralizable interface or java.io.extenrnalizable.
The process of deserialization is excuted by the java.io.objectOutputStream and java.io.ObjectInputStream .
The malicious deserialization occurs when the object is read by objectInputStream.
A classic serialization and deserialization code in java:
import java.io.*;
class someObj implements Serializable
{
String name;
static String id;
someObj(String n, String id)
{
this.name = n;
this.id = id;
}
}
class Test
{
public static void main(String[] args)
{
someObj sobj=null ;
try
{
FileInputStream fis = new
FileInputStream("/filepath/file.txt"); //serialization
//deserialization
ObjectInputStream ois = new ObjectInputStream(fis); //
sobj = (someObj)ois.readObject();
}
catch (Exception e)
{
e.printStackTrace(); }
}
}
Main java flaws
We can categorize insecure deserialization in java in five categories according to "Apostolos Giannakidis"
- variable modification attack: the attacker modify a variable in the serialization object.
O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:0;}
Just changing the value of param b to 1 to become an admin user.
polymorphism: An attacker can send another object from the same parent object.Example: simpleUSer and AdminUser both of us inherit from User class.
deferred execution attack: the malicious payload will execute in specific time during the processes of deserialization, for example during the end-life of the object with "finalize" function.
gadget chain attack: is a type of exploit where an attacker uses a series of "gadgets" — small pieces of code that perform a specific function — to execute a larger, more complex attack. By chaining together these gadgets, an attacker can gain control of a target system or perform other malicious actions. You can use ysoserial to create a serialize payload
java -jar path/to/ysoserial.jar CommonsCollections4 'whoami'
proxy attacks: use of others class as proxy, in order to use gadget in the code through method's class.
To conclude Java and insecure deserialization is a serious problem that needs to be addressed. While there are some workarounds that can be used to mitigate the issue, it is ultimately up to the developer to ensure that their code is secure. Insecure deserialization can lead to serious security vulnerabilities, so it is important to be aware of the risks and take steps to avoid them.
Posted on April 20, 2022
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.