Java Deserialization Exploits: Registry Whitelist Bypass

May 25, 2020

In 2019, An Trinh discovered two vulnerabilities, CVE-2019-9670 (XXE/SSRF) and CVE-2019-6980 (deserialization vulnerability), in Zimbra.

As usual, An Trinh did not disclose any details.

Luckily, Hans Martin Munch is more generous than An Trinh and has shared many interesting ideas. For example, he once advised using YouDebug to fix the CVE-2017-3241 vulnerability.

ysoserial.payloads.JRMPClient is designed to trick a victim into connecting to a malicious DGC server as a DGC client. When the victim deserializes a malicious object sent by that DGC server, a deserialization filter is applied by default. For details, see the implementation of sun.rmi.transport.DGCImpl.checkInput().

A new idea proposed by An Trinh is to trick a victim into connecting to a malicious RMI Registry server as an RMI Registry client. In this case no filter is involved when the victim deserializes a malicious object returned by the RMI Registry server: JEP 290 configures no default filter for this scenario.
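As an added illustration (not code from the original post), the mitigation that closes this gap: an RMI Registry client never gets to attach a filter to RMI's internal ObjectInputStream, so the only place to enforce one is the process-wide JEP 290 filter (ObjectInputFilter.Config.setSerialFilter, equivalent to -Djdk.serialFilter). The class names and the in-memory harness are hypothetical; a plain ObjectInputStream stands in for RMI's stream, which is an ObjectInputStream subclass and is covered by the same global filter.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class RegistryClientFilterDemo {
    // Hypothetical classes: one the application expects to receive, one it never should.
    static final class Allowed implements Serializable { int value = 42; }
    static final class Unexpected implements Serializable { int value = 7; }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws Exception {
        // Deliberately no per-stream filter: RMI's internal streams cannot be given
        // one by the application either, so only the process-wide filter protects them.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Process-wide allowlist: permit only the expected class and reject every
        // other class ("!*"), which also covers gadget-chain classes. Set it once,
        // before any ObjectInputStream exists; a second call, or a jdk.serialFilter
        // property already set on the command line, throws IllegalStateException.
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "RegistryClientFilterDemo$Allowed;!*");
        ObjectInputFilter.Config.setSerialFilter(allowlist);

        Allowed ok = (Allowed) deserialize(serialize(new Allowed()));
        System.out.println("allowed class deserialized, value=" + ok.value);

        try {
            deserialize(serialize(new Unexpected()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            // The filter rejects the class during class resolution, before any
            // instance is created or any of its readObject logic runs.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Detection-wise, a rejection surfaces as an InvalidClassException carrying "filter status: REJECTED", which is worth alerting on when it appears in an RMI client's logs.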
