Exploiting Java RMI services in 2019

Recordings

https://www.youtube.com/watch?v=c5cgsq0dTxE

Slides

https://github.com/mogwailabs/rmi-deserialization

Abstract

Java RMI based services were among the major victims of the "Java Deserialization Apocalypse" in 2015. Oracle mitigated the problem by introducing serialization filters (JEP 290, including built-in filters for the RMI registry and DGC); however, under certain conditions an attacker might still be able to exploit these services and gain RCE on the target.

Outline

  1. Intro
  2. Basics - RMI and Serialization 101 (the background everybody needs to understand the rest)
  3. Exploiting RMI services on outdated systems (showing how easy it is to gain RCE on a vulnerable RMI service if the mitigations were not applied)
  4. JEP 290: introduction to the mitigations provided by Oracle: how they work and at which level they apply
  5. Ways an attacker might be able to bypass these mitigations
  6. Conclusions (offensive and defensive side)
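As an added example (not part of the talk material or the slides linked above), the following Java program shows the JEP 290 mechanism the outline refers to: a pattern-based ObjectInputFilter that allow-lists a few classes, rejects everything else, and is applied both to a plain ObjectInputStream and to a remote object exported with the Java 9+ UnicastRemoteObject.exportObject(obj, port, filter) overload. The Echo interface, EchoImpl class and the filter pattern string are hypothetical choices made for this example; the APIs used (java.io.ObjectInputFilter, ObjectInputStream.setObjectInputFilter, the filtered exportObject overload) exist as shown in Java 9 and later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
import java.util.HashMap;

public class Jep290FilterDemo {

    // Hypothetical remote interface with an Object parameter: exactly the kind of
    // signature that lets a caller push an arbitrary object graph (gadget chain)
    // into the server's ObjectInputStream.
    public interface Echo extends Remote {
        String echo(Object message) throws RemoteException;
    }

    public static class EchoImpl implements Echo {
        @Override
        public String echo(Object message) {
            return String.valueOf(message);
        }
    }

    // JEP 290 pattern filter (hypothetical allow-list for this demo). Patterns are
    // evaluated left to right and the first match decides; the trailing "!*"
    // rejects every class not listed before it, and maxdepth caps graph nesting.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Integer;maxdepth=4;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed on the stream. The filter runs on each
    // class descriptor before the class is resolved or its readObject is invoked.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. A type on the allow-list deserializes normally.
        System.out.println("allowed: " + deserializeFiltered(serialize("hello")));

        // 2. A type outside the allow-list is rejected with "filter status: REJECTED".
        try {
            deserializeFiltered(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // 3. The same filter attached to an exported remote object. Note that the
        //    built-in registry and DGC filters do not cover the arguments of a
        //    custom remote object's methods; the application has to set a filter
        //    like this one (or a global jdk.serialFilter) itself.
        EchoImpl impl = new EchoImpl();
        Echo stub = (Echo) UnicastRemoteObject.exportObject(impl, 0, ALLOW_LIST);
        try {
            System.out.println("via RMI stub: " + stub.echo("hi"));
            try {
                stub.echo(new HashMap<String, String>());
            } catch (RemoteException e) {
                // Server-side unmarshalling fails, surfaced to the caller as a RemoteException.
                System.out.println("rejected over RMI: " + e.getMessage());
            }
        } finally {
            UnicastRemoteObject.unexportObject(impl, true);
        }
    }
}
```

Run with `javac Jep290FilterDemo.java && java Jep290FilterDemo` on Java 9 or newer. The point the example makes in code form: the filter only protects the deserialization paths it is actually attached to, so a remote object exported without a filter (and without a process-wide jdk.serialFilter) still deserializes whatever a client sends as a method argument.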

Hans-Martin Münch

@h0ng10

Hans-Martin Münch is the CEO of MOGWAI LABS GmbH, an infosec boutique with a strong emphasis on offensive security, based in Neu-Ulm. He also teaches the elective course "Penetration Testing" at the University of Applied Sciences Ulm.