federicodotta / Java-Deserialization-Scanner

All-in-one plugin for Burp Suite for the detection and the exploitation of Java deserialization vulnerabilities

Scanner detected wrong library #35

Open nobodynate opened 1 year ago

nobodynate commented 1 year ago

While doing a vulnerable lab the scanner detected RCE using CommonsCollections3 alt payloads 3 and 4 with gzip and base64. Exploitation was failing. A colleague suggested I brute force the library instead of trusting the scan results and I ended up exploiting the lab with CommonsCollections6.

I don't know a ton about java, or these libs, but I wanted to make an issue for this and dig into it, sharing my findings here for others that run into this issue.

nobodynate commented 1 year ago

I made a bit of headway and got a headache from the Java 😆 The Active Scan payloads for each library are statically defined in this area of code: https://github.com/federicodotta/Java-Deserialization-Scanner/blob/8dbadfa085128391922519f0e459ad2cacf032a9/src/main/java/burp/BurpExtender.java#L285C16-L285C16

CommonsCollections6 is not in there, so that explains why the scanner doesn't detect it. It doesn't explain why the scanner detects CommonsCollections3. Manual exploitation with CommonsCollections3 fails in the lab.

I guess the next steps should be to figure out

  1. Why the CommonsCollection3 alt DNS payloads 3 and 4 work in the lab.
  2. Is there some improvement that can be made -- like dynamic payload generation based on the libs available in YSOSerial so payloads don't need to be manually maintained for this tool (what a headache that's gotta be).

federicodotta commented 1 year ago

Hi @nobodynate

The reason for the mismatch in the names is that I did not use the same payload names as ysoserial, because ysoserial mixes payloads for versions 3 and 4 of the library under the same name, and I prefer to keep the payloads for CC3 and CC4 separate.

I'll try to explain it better. The CommonsCollections payloads in ysoserial are half for the "Commons Collections version 3" library and half for the "Commons Collections version 4" library (CommonsCollections1 is for version 3, CommonsCollections2 is for version 4, CommonsCollections3 is for version 3, CommonsCollections4 is for version 4, etc.). I changed their names to reflect the vulnerable version of the library (CommonsCollection3 and CommonsCollection4, with many alternate payloads).

This change probably causes some misunderstanding, but all my payloads come from ysoserial. I only changed the ysoserial code so that it also generates DNS and Time payloads in native Java, which are useful for detection. You can find my ysoserial fork here. I used that version to generate all the Java Deserialization Scanner payloads.

To answer your 2 points:

  1. CommonsCollection3 alternate payloads 3 and 4, if I'm not wrong, are CommonsCollections6 and CommonsCollections7 of ysoserial.
  2. Unfortunately not, because detection payloads require some changes in the ysoserial code (as you can see from my fork), and not all ysoserial payloads can be changed for detection (e.g. payloads that execute a file upload, ...).

Federico