The most underrated, underhyped vulnerability of 2015 has recently come to my attention, and I’m about to bring it to yours. No one gave it a fancy name, there were no press releases, nobody called Mandiant to come put out the fires. In fact, even though proof of concept code was released OVER 9 MONTHS AGO, none of the products mentioned in the title of this post have been patched, along with many more. Worse, no patch is available for the Java library containing the vulnerability. Beyond the commercial products that are vulnerable, this also affects many custom applications.
In this post I’ll be dropping pre-authentication, remote code execution exploits that leverage this vulnerability for WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS, all on the newest versions. Even more interesting, I’ll detail the process we went through to discover that these products were vulnerable, and how I developed the exploits. This should empower you to go out and find this same bug in your own software or in commercial products that you or your clients use. All code can be found on the FoxGlove Security GitHub.
I’ll also be touching on why this bug is unlikely to go away soon. You can infuriate your developers and ops people by telling them to follow the instructions in the “The Fix” section to remediate this in your environment. It will fix it, but it’s an admittedly ugly solution.
This post is going to be long. Because I’m a nice person, I made you an index. Feel free to skip straight to the exploits if you’ve got better things to do than read my rambling:
Background – Unserialize vulnerabilities and why didn’t I hear about this sooner?
The Vulnerability – Light details on the work of @frohoff and @gebl
How Common is Commons? – How to find software that is vulnerable.
Exploit Dev for Skiddies – The high level process to using this vulnerability
...
The article is long, so I won’t copy and paste it; go read the original directly.
Reference article: http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles