Java Unserialize Remote Code Execution Vulnerability

Summary

    Serialization is the process of translating an object into a format that can be stored in a file, memory buffer or database; unserialization (deserialization) is the reverse process, which rebuilds an object from that stored format. In Java, the writeObject() method of class ObjectOutputStream accomplishes serialization, while readObject() of class ObjectInputStream accomplishes unserialization. If a Java application unserializes untrusted user input, an attacker can craft malicious input so that unserialization creates an unexpected object, which leads to arbitrary code execution.

    Working Principle

    In the Apache Commons Collections library, class TransformedMap works together with several Transformer implementations, among which InvokerTransformer can be used to call an arbitrary method by reflection. The code is shown in the following screenshot.

    A Map object reconstructed in this way (carrying the code to be executed) is then used to build an AnnotationInvocationHandler object, which is serialized. When readObject() is later called to unserialize that stream, the embedded call chain is triggered and arbitrary code may be executed.
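    As an added, defender-side illustration (not code from the original page), the following Java snippet shows the writeObject()/readObject() round trip described in the Summary together with the mitigation that stops this class of attack: an ObjectInputFilter allow list (JEP 290, Java 9 and later) installed on the ObjectInputStream before readObject() runs, plus a cheap stream-header check that a gateway can use for logging. The Greeting class and the HashMap used as a stand-in for an unexpected class are constructed for the example; the filter pattern string is an assumption about which classes this endpoint expects.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamConstants;
import java.io.Serializable;

public class SafeDeserialization {

    // Constructed sample type: the only class this endpoint expects to receive.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Serialization: writeObject() turns the object graph into bytes.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Allow-list filter (assumed policy for this endpoint). Patterns are matched
    // against Class.getName(); the trailing "!*" rejects everything not listed,
    // so Commons Collections Transformer classes are never instantiated.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;SafeDeserialization$Greeting;java.lang.String;!*");

    // Cheap pre-check for logging or alerting at a gateway: every Java
    // serialization stream starts with magic 0xACED followed by version 0x0005.
    static boolean looksLikeJavaSerialization(byte[] data) {
        if (data.length < 4) return false;
        int magic = ((data[0] & 0xff) << 8) | (data[1] & 0xff);
        int version = ((data[2] & 0xff) << 8) | (data[3] & 0xff);
        return magic == (ObjectStreamConstants.STREAM_MAGIC & 0xffff)
                && version == ObjectStreamConstants.STREAM_VERSION;
    }

    // Unserialization with the filter installed before readObject() runs.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Greeting("hello"));
        System.out.println("stream header ok: " + looksLikeJavaSerialization(good));
        System.out.println("allowed: " + ((Greeting) deserialize(good)).text);

        // A stream carrying a class outside the allow list is refused while the
        // class descriptor is read, before that class's own readObject() logic
        // can run. java.util.HashMap stands in for an unexpected class here.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        try {
            deserialize(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

    The important property is that the filter decision happens on the class descriptor, so a rejected stream never reaches the readObject() logic of the classes it names; the JDK reports this as an InvalidClassException with a "filter status: REJECTED" message. On Java 8, which lacks ObjectInputFilter, the same allow-list effect is obtained by subclassing ObjectInputStream and overriding resolveClass() to throw for any class name not on the list (look-ahead deserialization).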

    You may refer to the links below to learn more about this vulnerability.

Detection

    Detection Tool: weblogic_unserialize_exploit-master.zip

    Detection Environment: Python 2.7, JDK

    Detection Method:

    1. Unzip weblogic_unserialize_exploit-master.zip

    2. Run: python weblogic.py -u Host -p Port -os {win, linux} -t verify

    3. Check the result; it shows true if the target is vulnerable, otherwise not.

Solution

    1. Oracle WebLogic vendor update: http://www.oracle.com/technetwork/middleware/weblogic/overview/index-085209.html

    2. If you have purchased an NGAF appliance, update the WAF signature database to version 20151204 or above.