New Exploit Technique In Java Deserialization Attack

Conference:  BlackHat EU 2019



The presentation discusses the risks associated with Java and how to find vulnerabilities using their method. They also mention their platform for Java availability discovery.
  • Java dissolution and JSON tag pose risks
  • Their method can find Java vulnerabilities
  • They have a platform for Java availability discovery
  • They do not plan to discuss their platform this year
The presenters found a lot of Java vulnerabilities in just one hour using their method.


Java deserialization attack has been proposed around 2015 by Foxglove Security Team. Afterward, another attack surface named Marshalsec Attack has been developed. It allows an attacker to gain Remote Command Execution, which affects a number of applications. It's one of the most crucial security issues in Java security history.Many security researchers and developers mitigate Java deserialization attack by maintaining a deserialization blacklist. Taking Weblogic as an example, by maintaining the blacklist of deserialization constantly to mitigate deserialization attack. So far it is really hard to find gadget chains which can be exploited and gain Remote Command Execution. We found a serious flaw in Java deserialization from another perspective, and we will mainly talk about it in this presentation.We found a new attack vector in the fundamental classes of JDK. Actually, It's really prevalent in Java applications, which involves most of the request library, such as URLClassLoader, official HTTP request class, Apache HTTP client and so on. Combining this attack vector, we found a lot of new gadget chains that can be utilized, according to these gadget chains and the attack vector, we can bypass all of the blacklists and gain Remote Code Execution.In our depth research, we analyzed more than 10000+ Java third-party libraries and found many cases which can be exploited in real-world attack scenarios. In this talk, we will bat around the principle and exploit technique of these vulnerabilities. Also, we will present how to pwn target server by our new exploit technique. It can not only improve the effect of java deserialization vulnerability but also enhance other Java security issues impact, and we will discuss profound impacts of the attack vector in the java security field.