Merge pull request #2068 from HackTricks-wiki/research_update_src_pentesting-web_deserialization_basic-java-deserialization-objectinputstream-readobject_20260329_130858

Research Update Enhanced src/pentesting-web/deserialization/...

Author: carlospolop

src/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md

@@ -100,57 +100,74 @@ As you can see in this very basic example, the “vulnerability” here appears
 
 ---
 
-## 2023-2025: What’s new in Java deserialization attacks?
+## 2023-2025: What changed in real-world Java deserialization bugs?
 
-* 2023 – CVE-2023-34040: Spring-Kafka deserialization of error-record headers when `checkDeserExWhen*` flags are enabled allowed arbitrary gadget construction from attacker-published topics. Fixed in 3.0.10 / 2.9.11. ¹
-* 2023 – CVE-2023-36480: Aerospike Java client trusted-server assumption broken – malicious server replies contained serialized payloads that were deserialized by the client → RCE. ²
-* 2023 – CVE-2023-25581: `pac4j-core` user profile attribute parsing accepted `{#sb64}`-prefixed Base64 blobs and deserialized them despite a `RestrictedObjectInputStream`. Upgrade ≥ 4.0.0.
-* 2023 – CVE-2023-4528: JSCAPE MFT Manager Service (port 10880) accepted XML-encoded Java objects leading to RCE as root/SYSTEM.
-* 2024 – Multiple new gadget chains were added to ysoserial-plus(mod) including Hibernate5, TomcatEmbed, and SnakeYAML 2.x classes that bypass some old filters.
+Recent cases are a good reminder that `ObjectInputStream` bugs are no longer just “upload a `.ser` file to a legacy HTTP endpoint”:
+
+* **Broker / queue consumers**: Spring-Kafka (`CVE-2023-34040`) showed that deserializing exception headers from attacker-controlled topics is enough if the consumer enables the unusual `checkDeserExWhen*` flags.
+* **Client-side trust of remote servers**: the Aerospike Java client (`CVE-2023-36480`) deserialized objects received from the server. The vendor response was notable: newer clients removed Java runtime serialization/deserialization support instead of trying to preserve it behind a weak filter.
+* **“Restricted” streams are often still too broad**: `pac4j-core` (`CVE-2023-25581`) tried to protect deserialization with `RestrictedObjectInputStream`, but the accepted class set was still large enough to make gadget abuse possible.
+
+The offensive lesson is that the dangerous trust boundary is often **not** “user uploads a blob”, but “some component the developer considered trusted can inject bytes into a stream that eventually reaches `readObject()`”.
+
+If you need low-noise reachability checks before spending time on full gadget research, use the dedicated Java pages for:
+
+{{#ref}}
+java-dns-deserialization-and-gadgetprobe.md
+{{#endref}}
+
+## `readObject()` anti-patterns that still create gadget entrypoints
+
+Even if your class itself is not an obvious RCE gadget, the following patterns are enough to make it exploitable when attacker-controlled objects are embedded in the graph:
+
+1. Calling overridable methods or interface methods from `readObject()` (`pet.eat()` in the PoC above is the classic example).
+2. Performing lookups, reflection, class loading, expression evaluation, or JNDI operations during deserialization.
+3. Iterating over attacker-controlled collections or maps, which may trigger `hashCode()`, `equals()`, comparators, or transformers as side effects.
+4. Registering `ObjectInputValidation` callbacks that perform dangerous post-processing.
+5. Assuming “private `readObject()`” is enough protection. It only controls dispatch semantics; it does **not** make deserialization safe.
 
 ## Modern mitigations you should deploy
 
 1. **JEP 290 / Serialization Filtering (Java 9+)**  
-   *Add an allow-list or deny-list of classes:*  
+   Use an allow-list and explicit graph limits:
    ```bash
-   # Accept only your DTOs and java.base, reject everything else
-   -Djdk.serialFilter="com.example.dto.*;java.base/*;!*"
+   -Djdk.serialFilter="com.example.dto.*;java.base/*;maxdepth=5;maxrefs=1000;maxbytes=16384;!*"
    ```
-   Programmatic example:
+2. **Apply a filter on every untrusted stream, not just globally**:
    ```java
-   var filter = ObjectInputFilter.Config.createFilter("com.example.dto.*;java.base/*;!*" );
-   ObjectInputFilter.Config.setSerialFilter(filter);
-   ```
-2. **JEP 415 (Java 17+) Context-Specific Filter Factories** – use a `BinaryOperator<ObjectInputFilter>` to apply different filters per execution context (e.g., per RMI call, per message queue consumer).
-3. **Do not expose raw `ObjectInputStream` over the wire** – prefer JSON/Binary encodings without code execution semantics (Jackson after disabling `DefaultTyping`, Protobuf, Avro, etc.).
-4. **Defense-in-Depth limits** – Set maximum array length, depth, references:
-   ```bash
-   -Djdk.serialFilter="maxbytes=16384;maxdepth=5;maxrefs=1000"
+   try (var ois = new ObjectInputStream(input)) {
+       var filter = ObjectInputFilter.Config.createFilter(
+           "com.example.dto.*;java.base/*;maxdepth=5;maxrefs=1000;!*"
+       );
+       ois.setObjectInputFilter(filter);
+       return (Message) ois.readObject();
+   }
    ```
-5. **Continuous gadget scanning** – run tools such as `gadget-inspector` or `serialpwn-cli` in your CI to fail the build if a dangerous gadget becomes reachable.
+3. **JEP 415 (Java 17+) Context-Specific Filter Factories**  
+   Prefer this when the same JVM has multiple deserialization contexts (RMI, cache replication, message consumers, admin-only imports) and each one needs a different allow-list.
+4. **Keep `readObject()` boring**  
+   Only call `defaultReadObject()` / explicit field reads, then perform strict invariant checks. Do not do I/O, logging that dereferences attacker-controlled objects, dynamic lookups, or method calls on deserialized sub-objects.
+5. **If possible, remove Java native serialization from the design**  
+   The Aerospike fix is a good model: when the feature is not essential, deleting `readObject()` / `writeObject()` usage is often safer than trying to maintain perfect filters forever.
 
-## Updated tooling cheat-sheet (2024)
+## Detection and research workflow
 
-* `ysoserial-plus.jar` – community fork with > 130 gadget chains:
-  ```bash
-  java -jar ysoserial-plus.jar CommonsCollections6 'calc' | base64 -w0
-  ```
-* `marshalsec` – still the reference for JNDI gadget generation (LDAP/RMI).  
-* `gadget-probe` – fast black-box gadget discovery against network services.
-* `SerialSniffer` – JVMTI agent that prints every class read by `ObjectInputStream` (useful to craft filters).
-* **Detection tip** – enable `-Djdk.serialDebug=true` (JDK 22+) to log filter decisions and rejected classes.
+* `ysoserial` remains the baseline for gadget validation and quick RCE/URLDNS probes.
+* `marshalsec` is still useful when the sink pivots into JNDI/LDAP/RMI territory.
+* `GadgetInspector` is useful when you have the target jars and need to look for application-specific gadget chains.
+* Java 17 added the `jdk.Deserialization` Flight Recorder event, which is useful for seeing where `ObjectInputStream` is actually used and whether filters are being applied.
 
 ## Quick checklist for secure `readObject()` implementations
 
-1. Make the method `private` and add the `@Serial` annotation (helps static analysis).
-2. Never call user-supplied methods or perform I/O in the method – only read fields.
-3. If validation is needed, perform it **after** deserialization, outside of `readObject()`.
-4. Prefer implementing `Externalizable` and do explicit field reads instead of default serialization.
-5. Register a hardened `ObjectInputFilter` even for internal services (compromise-resilient design).
+1. Make the method `private` and annotate serialization hooks with `@Serial` so compilers can catch mis-declared signatures.
+2. Call `defaultReadObject()` first unless you have a strong reason to manually read the full object graph.
+3. Treat every nested object as attacker-controlled until validated.
+4. Never invoke methods on deserialized collaborators from inside `readObject()`.
+5. Pair the code review with an `ObjectInputFilter` review; “safe-looking `readObject()` code” is not enough if the stream still accepts arbitrary classes.
 
 ## References
 
-1. Spring Security Advisory – CVE-2023-34040 Java Deserialization in Spring-Kafka (Aug 2023)
-2. GitHub Security Lab – GHSL-2023-044: Unsafe Deserialization in Aerospike Java Client (Jul 2023)
+- [OpenJDK JEP 415: Context-Specific Deserialization Filters](https://openjdk.org/jeps/415)
+- [GitHub Security Lab: GHSL-2022-085 / CVE-2023-25581 (`pac4j-core` deserialization leading to RCE)](https://securitylab.github.com/advisories/GHSL-2022-085_pac4j/)
 
 {{#include ../../banners/hacktricks-training.md}}