Automated Discovery of Deserialization Gadget Chains

Conference:  Defcon 26



The talk discusses the importance of understanding gadget chains in deserialization vulnerabilities and introduces a tool for automatically finding gadget chains.
  • Gadget chains are important to understand in deserialization vulnerabilities
  • Existing applications with clients make updating IPC mechanisms difficult
  • Tools like Y so serial and Marshal SEC can help identify known gadget chains
  • Jugal is a tool for programmatically querying data types on a class path
  • The speaker introduces a tool for automatically finding gadget chains
  • The tool was able to find a sophisticated gadget chain in a proof of concept
  • Better tools are needed to understand risk profiles in applications
The speaker shares an anecdote about a gadget chain that was able to copy private keys into a web app resource directory and exfiltrate secrets off of a box. The tool was able to identify this gadget chain and even found that it was more dangerous than originally thought.


Although vulnerabilities stemming from the deserialization of untrusted data have been understood for many years, unsafe deserialization continues to be a vulnerability class that isn't going away. Attention on Java deserialization vulnerabilities skyrocketed in 2015 when Frohoff and Lawrence published an RCE gadget chain in the Apache Commons library and as recently as last year's Black Hat, Muñoz and Miroshis presented a survey of dangerous JSON deserialization libraries. While much research and automated detection technology has so far focused on the discovery of vulnerable entry points (i.e. code that deserializes untrusted data), finding a "gadget chain" to actually make the vulnerability exploitable has thus far been a largely manual exercise. In this talk, I present a new technique for the automated discovery of deserialization gadget chains in Java, allowing defensive teams to quickly identify the significance of a deserialization vulnerability and allowing penetration testers to quickly develop working exploits. At the conclusion we will also be releasing a FOSS toolkit which utilizes this methodology and has been used to successfully develop many deserialization exploits in both internal applications and open source projects.