Freddy The (De)serialization Killer

This is a plugin for Burp Suite Pro that helps to detect and exploit deserialization vulnerabilities in web applications. Often this kind of vulnerability leads to remote code or command execution on the affected server.

The plugin is capable of passively detecting and actively scanning for deserialization vulnerabilities in over 30 Java and .NET libraries and APIs, covering a range of data serialization formats from binary through JSON and XML.

The plugin can be downloaded from the BApp store within Burp Suite Pro.
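The passive side of a plugin like this is mostly signature matching: a serialized object stream starts with fixed bytes, and those bytes survive the base64, hex and URL encodings that web applications wrap them in. The following is an added example, not Freddy's code, showing that kind of check over an HTTP body. The signatures are the documented leading bytes of a Java `ObjectOutputStream` stream and a .NET `BinaryFormatter` `SerializationHeaderRecord`; the Json.NET `"$type"` marker is included only as an indicator, since text formats have no magic. The sample bodies in the usage note are constructed for illustration.

```python
"""Passive detection of serialized-object payloads in HTTP message bodies.

Added example (not Freddy's code). Looks for the leading bytes of Java and
.NET BinaryFormatter serialization streams in raw, base64 and hex form,
in the body as sent and in its URL-decoded view.
"""
import base64
from urllib.parse import unquote_to_bytes

# java.io.ObjectOutputStream: STREAM_MAGIC 0xACED followed by STREAM_VERSION 5
JAVA_MAGIC = b"\xac\xed\x00\x05"
# .NET BinaryFormatter SerializationHeaderRecord: record type 0, RootId 1,
# HeaderId -1, major version 1, minor version 0
DOTNET_BINARYFORMATTER_HEADER = (
    b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00"
)


def base64_prefix(raw: bytes) -> bytes:
    """Base64 characters fully determined by `raw`, whatever bytes follow it.

    Each character encodes 6 bits, so len(raw)*8//6 characters are fixed;
    two zero bytes are appended only so the encoder has whole groups.
    """
    fixed_chars = len(raw) * 8 // 6
    return base64.b64encode(raw + b"\x00\x00")[:fixed_chars]


def build_signature_table():
    """(name, byte pattern) pairs for every encoding we want to catch."""
    table = []
    for name, magic in (
        ("java", JAVA_MAGIC),
        ("dotnet-binaryformatter", DOTNET_BINARYFORMATTER_HEADER),
    ):
        table.append((f"{name} raw", magic))
        table.append((f"{name} base64", base64_prefix(magic)))   # e.g. b"rO0AB"
        table.append((f"{name} hex", magic.hex().encode()))       # e.g. b"aced0005"
        table.append((f"{name} HEX", magic.hex().upper().encode()))
    # Json.NET with TypeNameHandling emits "$type"; an indicator, not proof.
    table.append(("json.net $type indicator", b'"$type":'))
    return table


SIGNATURES = build_signature_table()


def detect(body: bytes) -> dict:
    """Map each matched signature name to the views ("raw", "url-decoded")
    it was found in. An empty dict means nothing matched."""
    views = [("raw", body)]
    decoded = unquote_to_bytes(body)   # handles %AC%ED%00%05 style bodies
    if decoded != body:
        views.append(("url-decoded", decoded))
    found = {}
    for view_name, data in views:
        for sig_name, pattern in SIGNATURES:
            if pattern in data:
                found.setdefault(sig_name, []).append(view_name)
    return found


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    samples = [
        b"state=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA&x=1",
        b"data=%AC%ED%00%05sr%00%11java.util.HashMap",
        b"__VIEWSTATE=AAEAAAD%2F%2F%2F%2F%2FAQAAAAAAAAAMAgAAAA",
        b'{"$type":"Example.Widget, Example","Name":"x"}',
        b"hello=world",
    ]
    for sample in samples:
        print(sample[:40], "->", detect(sample))
```

Running a body through `detect` before a human ever looks at it is the cheap part; the expensive part, and the reason the base64 prefix is computed rather than typed in, is that a hand-written prefix one character too long silently misses every payload whose next byte differs from the one you happened to encode.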

BaRMIe Java RMI Assessment Tool

BaRMIe is a tool for enumerating and attacking services built using Java’s Remote Method Invocation (RMI), including Java Management Extensions (JMX).

The tool enables security professionals to identify weaknesses affecting applications and services that use the RMI protocol, and to exploit those weaknesses to gain a foothold during a penetration test.
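Before any RMI method can be called, a client has to complete the JRMP handshake, and that handshake is also the quickest way to confirm that an open port is really an RMI endpoint rather than something else listening on 1099. The block below is an added example and not BaRMIe's code: it builds the StreamProtocol handshake a Java client sends, parses the `ProtocolAck` (0x4E) plus `EndpointIdentifier` that a JRMP endpoint answers with, and optionally runs the exchange over a socket against a host and port you are authorised to test. The reply bytes in the usage note are constructed, not captured.

```python
"""Minimal JRMP (Java RMI wire protocol) handshake probe.

Added example, not BaRMIe's code. Wire format follows the Java RMI
specification's stream protocol: client sends "JRMI" + version 2 +
protocol byte; server replies ProtocolAck + the client's endpoint as the
server sees it (writeUTF host, int port); client echoes its own endpoint.
"""
import socket
import struct

JRMI_MAGIC = b"JRMI"
JRMI_VERSION = 2
STREAM_PROTOCOL = 0x4B
SINGLE_OP_PROTOCOL = 0x4C
PROTOCOL_ACK = 0x4E
PROTOCOL_NOT_SUPPORTED = 0x4F


def build_handshake(protocol: int = STREAM_PROTOCOL) -> bytes:
    """First bytes a Java RMI client sends on a new connection."""
    return JRMI_MAGIC + struct.pack(">HB", JRMI_VERSION, protocol)


def encode_endpoint(host: str, port: int) -> bytes:
    """EndpointIdentifier: DataOutputStream.writeUTF(host) + writeInt(port).
    Hostnames are ASCII in practice, so plain UTF-8 matches modified UTF-8."""
    raw_host = host.encode("utf-8")
    return struct.pack(">H", len(raw_host)) + raw_host + struct.pack(">i", port)


def parse_protocol_ack(data: bytes):
    """Parse the server's reply to a StreamProtocol handshake.

    Returns (host, port): the client's address as the server sees it.
    Raises ValueError if the bytes are not a well-formed ProtocolAck.
    """
    if not data:
        raise ValueError("empty reply")
    if data[0] == PROTOCOL_NOT_SUPPORTED:
        raise ValueError("endpoint speaks JRMP but rejected StreamProtocol")
    if data[0] != PROTOCOL_ACK:
        raise ValueError(f"not a JRMP ProtocolAck: first byte 0x{data[0]:02x}")
    if len(data) < 3:
        raise ValueError("truncated EndpointIdentifier")
    host_len = struct.unpack(">H", data[1:3])[0]
    end = 3 + host_len
    if len(data) < end + 4:
        raise ValueError("truncated EndpointIdentifier")
    host = data[3:end].decode("utf-8")
    port = struct.unpack(">i", data[end:end + 4])[0]
    return host, port


def probe_rmi(host: str, port: int = 1099, timeout: float = 5.0):
    """Complete the handshake against host:port.

    Returns the (host, port) the endpoint reported for us, or None when
    the service does not speak JRMP. No RMI call is made; a real client
    would continue with a Call message (0x50) carrying serialized data,
    which is where deserialization on the server begins.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_handshake())
        try:
            seen_as = parse_protocol_ack(sock.recv(1024))
        except ValueError:
            return None
        local_host, local_port = sock.getsockname()[:2]
        sock.sendall(encode_endpoint(local_host, local_port))
        return seen_as


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 1099
    print(probe_rmi(target, target_port))
```

A `None` from `probe_rmi` with the connection still accepted usually means a non-RMI service on the port; a `ValueError` mentioning `ProtocolNotSupported` means you have found JRMP but the server only accepts another protocol variant, which is still worth recording.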

Visit BaRMIe on GitHub for more information and to download the tool and source code.

Deep Dive into Deserialization

At 44CON 2018 we delivered a workshop on deserialization vulnerabilities, at the time a new entry (A8:2017 Insecure Deserialization) in the OWASP Top Ten most critical security risks. The workshop began with an introduction to this class of vulnerability before diving deep into more advanced exploitation techniques.

The topics covered included:

  • An introduction to deserialization vulnerabilities
  • Blind command execution and basic exploitation
  • Identifying and enumerating vulnerable targets
  • POP gadgets and gadget chains
  • Building a gadget chain
  • Modifying binary payloads to re-exploit “patched” targets
  • Advanced exploitation with shells and reverse shells

We’re able to offer this training both standalone and as part of a broader training programme. Get in touch to find out more about our training.

Adobe ColdFusion Unauthenticated RCE

Vendor: Adobe
Product: ColdFusion
Affected Version(s): ColdFusion 9 (all versions), ColdFusion 11 update 13 and below, ColdFusion 2016 update 5 and below
Severity: Critical
Reference: CVE-2018-4939
Researcher: Nicky Bloor (@NickstaDB)

Description

When Adobe ColdFusion’s Flex integration is enabled and configured to use Java RMI, a network service is exposed that allows arbitrary Java objects to be deserialized. By supplying a specially crafted object to this service an unauthenticated attacker could trigger the execution of arbitrary code on the server.

Remediation

Correct remediation of this vulnerability involves updating both Adobe ColdFusion and the Java runtime environment that it is configured to use. ColdFusion should be updated to a version later than 11 update 13 or later than 2016 update 5, matching the affected versions listed above.

Adobe ColdFusion Unauthenticated RCE

Vendor: Adobe
Product: ColdFusion
Affected Version(s): ColdFusion 9 (all versions), ColdFusion 11 update 12 and below, ColdFusion 2016 update 4 and below
Severity: Critical
Reference: CVE-2017-11284
Researcher: Nicky Bloor (@NickstaDB)

Description

Affected versions of Adobe ColdFusion were bundled with an outdated Java runtime environment. When Adobe ColdFusion’s Flex integration was enabled and configured to use Java RMI, arbitrary objects could be bound to the RMI registry service. A specially crafted object could enable an unauthenticated attacker to trigger the execution of arbitrary code on the server.

Remediation

Correct remediation of this vulnerability involves updating both Adobe ColdFusion and the Java runtime environment that it is configured to use. ColdFusion should be updated to a version later than 11 update 12 or later than 2016 update 4.

Adobe ColdFusion Unauthenticated RCE

Vendor: Adobe
Product: ColdFusion
Affected Version(s): ColdFusion 9 (all versions), ColdFusion 11 update 12 and below, ColdFusion 2016 update 4 and below
Severity: Critical
Reference: CVE-2017-11283
Researcher: Nicky Bloor (@NickstaDB)

Description

When Adobe ColdFusion’s Flex integration is enabled and configured to use Java RMI, a network service is exposed that allows arbitrary Java objects to be deserialized. By supplying a specially crafted object to this service an unauthenticated attacker could trigger the execution of arbitrary code on the server.

Remediation

Correct remediation of this vulnerability involves updating both Adobe ColdFusion and the Java runtime environment that it is configured to use. ColdFusion should be updated to a version later than 11 update 12 or later than 2016 update 4.

Java RMI Potential Deserialization RCE

Vendor: Oracle
Product: Java
Affected Version(s): Java SE 6 <= 6u131, Java SE 7 <= 7u121, Java SE 8 <= 8u112, Java SE Embedded <= 8u111, JRockit <= R28.3.12
Severity: Critical
Reference: CVE-2017-3241
Researcher: Nicky Bloor (@NickstaDB)

Description

When an object is bound to Java’s RMI (remote method invocation) registry, Java deserializes the supplied object without proper validation. Because binding requires no authentication, an unauthenticated attacker with network access to the registry could execute arbitrary code on the underlying server.

Remediation

Upgrade Java to a version later than 6u131, 7u121, or 8u112. Java SE Embedded should be upgraded to a version later than 8u111 and JRockit to a version later than R28.3.12.

Drupal ‘Coder’ Module Unauthenticated RCE

Vendor: Tag1 Consulting
Product: Coder Module for Drupal
Affected Version(s): <= 7.x-2.5, <= 7.x-1.2
Severity: Critical
Reference: SA-CONTRIB-2016-039
Researcher: Nicky Bloor (@NickstaDB)

Description

The third-party ‘Coder’ module for the Drupal content management system had multiple vulnerabilities that could be combined to trigger the execution of arbitrary code on the target server. At the time of discovery this module was reportedly used by around 5,000 websites.

Remediation

Upgrade the module to at least version 7.x-1.3 or 7.x-2.6. Coder is a development module and should not be deployed to production environments at all.