
Serialization questions #1

Closed
NewDwarf opened this issue Dec 13, 2021 · 4 comments

Comments

@NewDwarf

NewDwarf commented Dec 13, 2021

I noticed that you use a customized implementation of the Jython1 payload generator.
https://github.com/frohoff/ysoserial/blob/8eb5cbfbf6c47a23682f6186bea9baf6439e57b9/src/main/java/ysoserial/payloads/Jython1.java#L95

What was the main reason not to use the original ysoserial implementation via the command
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar Jython1 "payload.py;/tmp/payload.py" > bingo.obj

And the second question is: what is the dependency between the specific serialization engine used to generate the serialized object and the victim process?
ysoserial.jar has a lot of different engines like:

     ...
     FileUpload1         @mbechler                   commons-fileupload:1.3.1, commons-io:2.4
     Groovy1             @frohoff                    groovy:2.3.9
     Hibernate1          @mbechler
     Hibernate2          @mbechler
     JBossInterceptors1  @matthias_kaiser            javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
     JRMPClient          @mbechler
     JRMPListener        @mbechler
     JSON1               @mbechler                   json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
     JavassistWeld1      @matthias_kaiser            javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
     Jdk7u21             @frohoff
     Jython1             @pwntester, @cschneider4711 jython-standalone:2.5.2
     MozillaRhino1       @matthias_kaiser            js:1.7R2
     MozillaRhino2       @_tint0                     js:1.7R2
     Myfaces1
     ...

Say, for Ghidra you use the Jython1 payload generator but not Jdk7u21 or something else.

@zhuowei
Owner

zhuowei commented Dec 13, 2021

What was the main reason not to use the original ysoserial implementation

I implemented my payload generator from scratch because:

  1. I wanted to learn how Java deserialization bugs work
  2. Jython1 only supports Jython 2.7.1b2: I didn't see the pull request adding Jython 2.7.2 support until I had already written mine

what is the dependency between the specific serialization engine

Each Java serialization attack targets a specific class; for the attack to work, that class must be in the target app's classpath. I know Jython 2.7.2 is available in Ghidra, so I targeted that.

@NewDwarf
Author

@zhuowei
What are the main conditions to deserialize the untrusted serialized object by the victim app in terms of security? In other words, what mechanisms protect against deserializing untrusted code?

How is deserialization dispatched by the victim app if the deserializer located in the Java class is not invoked under normal conditions?
How did you find that exactly the jython-standalone-2.7.2.jar file can be used to run the exploit?

@zhuowei
Owner

zhuowei commented Dec 13, 2021

In other words, what mechanisms protect against deserializing untrusted code?

Nothing (see the "javaSerializedObject" section in HPE's Black Hat presentation).

JNDI will try to deserialize any object you provide in LDAP. As long as the classes are on the classpath, it'd work. You just need to create a set of objects that, when deserialized, runs arbitrary code.

How did you find that exactly the jython-standalone-2.7.2.jar file can be used to run the exploit?

I looked at the list of existing exploits on ysoserial, saw that Jython is vulnerable, looked at the patch, saw that it only patched PyFunction while PyMethod had the exact same vulnerability, and wrote mine.
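Added example, not code from this thread or from zhuowei's project: since a gadget chain only works when its target class is on the victim's classpath, a captured serialized object (such as the bingo.obj ysoserial writes) can be triaged offline by listing the classes its stream declares and flagging any outside the set the application is expected to deserialize, without ever deserializing it. The stream below is constructed and deliberately simplified (two no-field class descriptors), and the allowed-prefix list is an assumption.

```python
import re
import struct

# Constants from the Java Object Serialization Stream Protocol.
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_NULL = 0x73, 0x72, 0x78, 0x70
SC_SERIALIZABLE = 0x02
CLASS_NAME = re.compile(r"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*")


def referenced_classes(blob):
    """Heuristic scan: report every TC_CLASSDESC whose UTF name looks like a
    Java class name. Array descriptors like '[Ljava.lang.String;' are skipped
    and a stray 0x72 byte inside other data is filtered by the name regex."""
    if not blob.startswith(STREAM_MAGIC):
        raise ValueError("not a Java serialization stream")
    names, i = [], len(STREAM_MAGIC)
    while i < len(blob) - 3:
        if blob[i] == TC_CLASSDESC:
            length = struct.unpack_from(">H", blob, i + 1)[0]
            raw = blob[i + 3:i + 3 + length]
            name = raw.decode("utf-8", errors="replace")
            if length and len(raw) == length and CLASS_NAME.fullmatch(name):
                names.append(name)
                i += 3 + length  # skip the name so its own bytes are not rescanned
                continue
        i += 1
    return names


def unexpected_classes(names, allowed_prefixes):
    """Return declared classes that fall outside the allowed package prefixes."""
    return [n for n in names
            if not any(n == p or n.startswith(p + ".") for p in allowed_prefixes)]


def make_classdesc(name, suid=0x1122334455667788):
    """Constructed: minimal TC_OBJECT + TC_CLASSDESC for a Serializable class
    with no fields (real classes carry fields and annotations; not needed here)."""
    enc = name.encode("utf-8")
    return (bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(enc)) + enc
            + struct.pack(">Q", suid) + bytes([SC_SERIALIZABLE]) + struct.pack(">H", 0)
            + bytes([TC_ENDBLOCKDATA, TC_NULL]))


# Constructed sample stream: one benign JDK class and the Jython class the thread discusses.
SAMPLE = STREAM_MAGIC + make_classdesc("java.util.HashMap") + make_classdesc("org.python.core.PyMethod")

if __name__ == "__main__":
    found = referenced_classes(SAMPLE)
    print("declared:", found)
    print("outside allowlist:", unexpected_classes(found, ["java"]))
```

For a real ysoserial output the class list is longer, but the same check shows at a glance which library the payload needs the victim to have loaded.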

@NewDwarf
Author

Nice explanation! Thanks a lot!
