One Article Review

Source Code White
Identifier 8326653
Publication date 2023-04-11 15:22:39 (seen: 2023-04-11 14:08:53)
Title Java Exploitation Restrictions in Modern JDK Times
Text Java deserialization gadgets have a long history in the context of vulnerability research and go back at least to the year 2015. One of the most popular tools providing a large set of different gadgets is ysoserial by Chris Frohoff. Recently, we observed increasing concerns from the community about why several gadgets no longer seem to work with more recent JDK versions. In this blog post we try to summarize certain facts to re-enable some capabilities which seemed to be broken. But our journey did not begin with deserialization in the first place, but rather with looking for alternative ways of executing Java code in recent JDK versions. In this blog post, we'll focus on OpenJDK and Oracle implementations. Defenders should therefore adjust their search patterns to these alternative code execution patterns accordingly.

ScriptEngineManager - It's Gone

Initially, our problems began on another exploitation track not related to deserialization. Often, code execution payloads in Java end with a final call to java.lang.Runtime.getRuntime().exec(args), at least in a proof-of-concept exploitation phase. But as a Red Team, we always try to maintain a low profile and avoid actions that may raise suspicion, like spawning new (child) processes. This is a well-known and still hot topic discussed in the context of C2 frameworks today, especially when it comes to AV/EDR evasion techniques. But this can also be applied to Java exploitation. It is a well-known fact that an attacker has the choice between different approaches to stay within the JVM to execute arbitrary Java code, with new javax.script.ScriptEngineManager().getEngineByName(engineName).eval(scriptCode) probably being the most popular one over the last years. The input code used is usually JavaScript, executed by the referenced ScriptEngine that is available, e.g. Nashorn (or Rhino). But since Nashorn was marked as deprecated in Java 11 (JEP 335) and removed entirely in Java 15 (JEP 372), a target using a JDK version >= 15 won't process JavaScript payloads anymore by default. Instead of hoping that developers manually added other JavaScript engines for a specific target, we could make use of a "new" Java code evaluation API: JShell, a read-eval-print loop (REPL) tool that was introduced with Java 9 (JEP 222). Mainly used in combination with a command line interface (CLI) for testing Java code snippets, it allows programmatic access as well (see the JShell API). This new evaluation call reads like jdk.jshell.JShell.create().eval(javaCode), executing Java code snippets (not JavaScript!). Further call variants exist, too. We found this already mentioned in 2019, used in the context of a SpEL injection payload. This all sounded too good to be true, but some restrictions nevertheless seemed to apply: "The input should be exactly one complete snippet of source code, that is, one expression, statement, variable declaration, method declaration, class declaration, or import." So, we started to play with some Java code snippets using the JShell API. First, we realized that it is indeed possible to use import statements within such snippets, but interestingly the subsequent statements were not executed anymore. This should have been expected by re
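The post's closing advice is that defenders adjust their search patterns to these in-JVM evaluation surfaces. As an added example (not code from the Code White post or from ysoserial), the following Java program inventories the two surfaces discussed above, the JShell API module and the engines reachable through ScriptEngineManager, so an operator can confirm what a deployed runtime actually exposes; it assumes the class is run from the class path, where the JDK's default root modules apply.

```java
// Added example, not from the original post: report which in-JVM code
// evaluation surfaces (JShell API, ScriptEngines) this runtime exposes.
import java.util.List;
import java.util.stream.Collectors;
import javax.script.ScriptEngineManager;

public class EvalSurfaceInventory {

    /** True if the jdk.jshell module (the JShell API) is resolved in the boot layer. */
    static boolean jshellAvailable() {
        return ModuleLayer.boot().findModule("jdk.jshell").isPresent();
    }

    /** Name, version and registered names of every engine ScriptEngineManager can discover. */
    static List<String> registeredScriptEngines() {
        return new ScriptEngineManager().getEngineFactories().stream()
                .map(f -> f.getEngineName() + " " + f.getEngineVersion()
                        + " (names: " + f.getNames() + ")")
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        System.out.println("Java runtime:        " + Runtime.version());
        System.out.println("jdk.jshell resolved: " + jshellAvailable());

        List<String> engines = registeredScriptEngines();
        if (engines.isEmpty()) {
            // Expected on a stock JDK 15+: Nashorn is gone and no other engine is bundled.
            System.out.println("ScriptEngines:       none registered");
        } else {
            System.out.println("ScriptEngines:");
            engines.forEach(e -> System.out.println("  " + e));
        }
    }
}
```

Running it once as `java EvalSurfaceInventory` and once as `java --limit-modules java.base,java.scripting EvalSurfaceInventory` shows the JShell surface disappearing when the module is left out of the resolved set; a jlink image built without jdk.jshell behaves the same way.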
Sent Yes
Tags Tool Vulnerability


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from an earlier one.