Remote Code Execution via Java Native Deserialization

Explore remote code execution vulnerabilities in Java deserialization during this 41-minute conference talk from SyScan360'16 Singapore. Delve into various aspects of Java serialization and deserialization, including XML and binary deserialization. Examine specific vulnerabilities like CVE-2011-2894 in Spring and commons-fileupload, as well as CVE-2014-9515 in Dozer. Learn about property-oriented programming and the commons-collection gadget. Gain insights into where vulnerabilities typically occur and discover tools for future research in this critical area of application security.

Introduction
Outline
Java (de)serialization
RCE - XML deserialization
XMLDecoder
XStream in Jenkins
RCE - binary deserialization
CVE-2011-2894: Spring
commons-fileupload
Restlet + DFI
Dozer XML + Binary Mapper
Dozer CVE-2014-9515
MBeanServerinvocationHandler
Property-oriented programming
Gadget: commons-collection
Tools & future research
Where lies the vulnerability?