Exploiting the Java Deserialization Vulnerability
In the security industry, we know that operating on untrusted inputs is a significant area of risk, and for penetration testers and attackers it is a frequent source of high-impact issues. Serialization is no exception to this rule, and attacks against serialization schemes are innumerable. Unfortunately, developers enticed by the efficiency and ease of reflection-based and native serialization continue to build software that relies on these practices.
The research presented within this document describes the methods that Synopsys employs for post-exploitation in network-hardened environments using RCE payloads. Previously published attack-oriented research focuses mostly on white-box validation and timing-based blind attacks. We expand on this work by demonstrating the use of non-timing-related side-channel communication and workarounds for challenges faced during exploitation.
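The native Java deserialization the text warns about, as an added example that is not part of the Synopsys paper: the unguarded `readObject()` pattern beside the same read protected by a JEP 290 deserialization filter. `Order` is a hypothetical application class, and the byte streams are constructed locally so the program runs offline.

```java
import java.io.*;

// Added example, not code from the original document. Shows the unfiltered
// ObjectInputStream pattern next to an allow-list filter (JEP 290, Java 9+).
public class DeserializationFilterDemo {
    // Hypothetical application type that is legitimately expected in the stream.
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        String id; int quantity;
        Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
    }

    // "Before": any serializable class on the classpath may be instantiated by the stream.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // "After": allow-list filter. Classes not matched are rejected (trailing "!*"),
    // and depth/size limits are enforced before class resolution even starts.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxbytes=65536;" + Order.class.getName() + ";java.lang.*;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    // Helper to build constructed sample streams for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Order("A-1", 3));           // constructed, legitimate stream
        byte[] unexpected = serialize(new java.util.ArrayList<>()); // constructed stand-in for any class not allow-listed
        System.out.println("filtered, expected type: " + ((Order) readFiltered(expected)).id);
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, rejected: " + e.getMessage()); // filter status: REJECTED
        }
        System.out.println("unfiltered accepts anything: " + readUnfiltered(unexpected).getClass());
    }
}
```

The same filter can be applied process-wide with the `jdk.serialFilter` system property, which is the usual way to cover third-party code paths that call `readObject()` directly.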