Pentester by day and security researcher by night, Matei has spent the past sleepless years (since 2017) living by the motto that “Everything is vulnerable” and has tried to prove that to other people as well by finding and reporting +100 0-day vulnerabilities in softwares of well known vendors (e.g. Oracle, JetBrains, Cisco, VMWare, multiple Apache Projects and many more).

5.0 Shades of Java Exploitation

This presentation focuses on a pentester’s view on how to approach and exploit Java applications by presenting 5 interesting types of Java vulnerabilities that (usually) lead to Remote Code Execution, the tools that help us exploit them and real-life examples of the attacks in actions (CVEs with relevant Proof of Concept).

The 5 topics we will be discussing are:

• Java Debug Wire Protocol – If NMAP says JDWP, you say PWNED.
• Deserialization – There are as may ways to serve/insert serialized objects in Java as there are stars in the sky.
• LDAP – Yep, someone thought it would be a great idea to add complex Java objects and remote “javaCodebase” support to the good ol’ Lightweight Directory Access Protocol. What could go … wrong?
• RMI – How hard can it be to exploit a protocol that doesn’t even support authentication? Answer: Depends ¯\_(ツ)_/¯
• JMX – Can do everything RMI can + other cool features (e.g. authentication), but, with great features comes great exploitability.

We will also touch upon subjects as:

• Why “java.lang.Runtime” does not support pipes or special shell characters (e.g. “|”, “>”, etc.) and how to encode our commands
  A quick peek on how to use tools such as ysoserial, RMG, mjet, and others
• Analyzing and understanding
• Deserialization error messages