Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
The class java.net.URL
implements Serializable
, this means that this class can be serialized.
This class have a curious behaviour. From the documentation: “Two hosts are considered equivalent if both host names can be resolved into the same IP addresses”.
Then, every-time an URL object calls any of the functions equals
or hashCode
a DNS request to get the IP Address is going to be sent.
Calling the function hashCode
from an URL object is fairly easy, it's enough to insert this object inside a HashMap
that is going to be deserialized. This is because at the end of the readObject
function from HashMap
this code is executed:
It is going the execute putVal
with every value inside the HashMap
. But, more relevant is the call to hash
with every value. This is the code of the hash
function:
As you can observe, when deserializing a HashMap
the function hash
is going to be executed with every object and during the hash
execution it's going to be executed .hashCode()
of the object. Therefore, if you deserializes a HashMap
containing a URL object, the URL object will execute .hashCode()
.
Now, lets take a look to the code of URLObject.hashCode()
:
As you can see, when a URLObject
executes.hashCode()
it is called hashCode(this)
. A continuation you can see the code of this function:
You can see that a getHostAddress
is executed to the domain, launching a DNS query.
Therefore, this class can be abused in order to launch a DNS query to demonstrate that deserialization is possible, or even to exfiltrate information (you can append as subdomain the output of a command execution).
You can find the URDNS payload code from ysoserial here. However, just for make it easier to understand how to code it I created my own PoC (based on the one from ysoserial):
In the original idea thee commons collections payload was changed to perform a DNS query, this was less reliable that the proposed method, but this is the post: https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/
You can download GadgetProbe from the Burp Suite App Store (Extender).
GadgetProbe will try to figure out if some Java classes exist on the Java class of the server so you can know if it's vulnerable to some known exploit.
GadgetProbe will use the same DNS payload of the previous section but before running the DNS query it will try to deserialize an arbitrary class. If the arbitrary class exists, the DNS query will be sent and GadgProbe will note that this class exist. If the DNS request is never sent, this means that the arbitrary class wasn't deserialized successfully so either it's not present or it''s not serializable/exploitable.
Inside the github, GadgetProbe has some wordlists with Java classes for being tested.
This scanner can be download from the Burp App Store (Extender). The extension has passive and active capabilities.
By default it checks passively all the requests and responses sent looking for Java serialized magic bytes and will present a vulnerability warning if any is found:
Manual Testing
You can select a request, right click and Send request to DS - Manual Testing
.
Then, inside the Deserialization Scanner Tab --> Manual testing tab you can select the insertion point. And launch the testing (Select the appropriate attack depending on the encoding used).
Even if this is called "Manual testing", it's pretty automated. It will automatically check if the deserialization is vulnerable to any ysoserial payload checking the libraries present on the web server and will highlight the ones vulnerable. In order to check for vulnerable libraries you can select to launch Javas Sleeps, sleeps via CPU consumption, or using DNS as it has previously being mentioned.
Exploiting
Once you have identified a vulnerable library you can send the request to the Exploiting Tab. I this tab you have to select the injection point again, an write the vulnerable library you want to create a payload for, and the command. Then, just press the appropriate Attack button.
Make your payload execute something like the following:
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)