Java Serialized Objects (JSOs) are a reliable attack vector and present a rising threat to enterprise networks, as evidenced by a significant increase in both CVE assignments and public exploits. The Metasploit Framework team has seen a marked uptick in community exploit submissions, and Rapid7’s Project Sonar was able to highlight the prevalence of internet-accessible JSO-based applications with an internet-wide scan. The result of this research is our new report, Java Serialization: A Practical Exploitation Guide.
JSOs provide a flexible way of exchanging data between services, often using files or network connections, and are used to transport complex Java objects around. Their innate flexibility makes them a boon to developers; consequently, they are a major part of the underlying architecture of many Java-based projects. Yet that same flexibility also aids attackers by allowing them to package malicious objects for execution on remote targets. Unless code designers go to lengths to check serialized objects before acting on them, the characteristics that make JSOs attractive to software developers also offer a reliable malicious code execution vector.
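The check the previous paragraph alludes to is a deserialization allowlist: the receiving side refuses to reconstruct any class it did not explicitly expect, so an attacker-supplied object graph is rejected before any of its code runs. The following is an added example (not code from the Rapid7 report or from Metasploit) using the JEP 290 `ObjectInputFilter` that ships with Java 9 and later; the class names `SafeDeserialize`, `Invoice` and `Unexpected` are made up for the demonstration, and `Unexpected` is a harmless stand-in for "any class not on the allowlist", not a gadget.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example: accept only an explicit allowlist of classes when reading a
// Java serialized object. Requires Java 9+ (java.io.ObjectInputFilter).
public class SafeDeserialize {

    // The one business object this hypothetical service legitimately expects.
    static final class Invoice implements Serializable {
        private static final long serialVersionUID = 1L;
        final String customer;
        final int cents;
        Invoice(String customer, int cents) { this.customer = customer; this.cents = cents; }
    }

    // Stand-in for a class the service never asked for (constructed for the demo;
    // it does nothing at all, it is simply absent from the allowlist).
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Patterns are evaluated left to right; the first match decides, and the
    // trailing "!*" rejects every class not named before it. Nested classes are
    // matched by their binary name (Outer$Inner). The depth/array limits bound
    // resource use from oversized object graphs.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "SafeDeserialize$Invoice;java.lang.String;maxdepth=4;maxarray=1024;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Install the filter before readObject(); a rejected class surfaces as
    // InvalidClassException ("filter status: REJECTED") before any instance
    // of it is constructed or any of its readObject hooks are invoked.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type round-trips normally.
        Invoice ok = (Invoice) deserialize(serialize(new Invoice("ACME", 1999)));
        System.out.println("accepted: " + ok.customer + " " + ok.cents);

        // Anything else is refused at the class-descriptor stage.
        try {
            deserialize(serialize(new Unexpected()));
            System.out.println("BUG: class outside the allowlist was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same policy can be applied process-wide without touching call sites by setting the `jdk.serialFilter` system property (or the global filter via `ObjectInputFilter.Config.setSerialFilter`), which is the practical route for third-party code that opens `ObjectInputStream`s you do not control; rejections are logged under the `java.io.serialization` logger, which gives detection a hook as well.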
Unlike many exploits, JSO-based exploits don’t involve putting the target system into an unpredictable state. As a result, exploits are easy to write and test, even for low-skill attackers. Our new paper, Java Serialization: A Practical Exploitation Guide, examines the attack surface provided by JSOs, analyzes deserialization vulnerability trends across CVEs, and measures the public visibility of one such vulnerable service. We go on to demonstrate how defenders can test their networks, highlighting new functionality within the Metasploit Framework.
You can read the full report here. The latest additions to Metasploit Framework are documented on our wiki. For more on the internet exposure of Java deserialization attack surfaces and Oracle WebLogic, join Jon Hart and Tod Beardsley for a live webcast on March 26 at 2 p.m. EST.