
Java serialization data version 5

During a recent client engagement I was able to take advantage of Java deserialization to gain a foothold on a server, from where I was able to obtain root access to tens of servers spanning pre-production and production environments across multiple data centres. The vulnerability I discovered had previously survived multiple pentests, and I would have missed it too if I hadn’t had prior exposure to Java (de)serialization. In this blog post I’ll attempt to clear up some confusion around deserialization vulnerabilities and hopefully lower the bar to entry in exploiting them using readily available tools. I’ll be focusing on Java; however, the same concepts apply to other languages. I’ll also be focusing on command execution exploits in order to keep things simple.


Deserialization vulnerabilities are far from new, but exploiting them is more involved than other common vulnerability classes.
