Remote Code Execution via Java Native Deserialization

Offered By: SyScan360 via YouTube

Course Description

Overview

Explore remote code execution vulnerabilities in Java deserialization during this 41-minute conference talk from SyScan360'16 Singapore. Delve into various aspects of Java serialization and deserialization, including XML and binary deserialization. Examine specific vulnerabilities like CVE-2011-2894 in Spring and commons-fileupload, as well as CVE-2014-9515 in Dozer. Learn about property-oriented programming and the commons-collection gadget. Gain insights into where vulnerabilities typically occur and discover tools for future research in this critical area of application security.

Syllabus

Introduction
Outline
Java (de)serialization
RCE - XML deserialization
XMLDecoder
XStream in Jenkins
RCE - binary deserialization
CVE-2011-2894: Spring
commons-fileupload
Restlet + DFI
Dozer XML + Binary Mapper
Dozer CVE-2014-9515
MBeanServerInvocationHandler
Property-oriented programming
Gadget: commons-collection
Tools & future research
Where lies the vulnerability?
Taught by

SyScan360
