securityboulevard.com
Understanding ysoserial's CommonsCollections1 exploit
Last year, ysoserial was released by frohoff and gebl. It is a fantastic piece of work. The tool provides options to generate several different types of serialized objects which, when deserialized, can result in arbitrary code execution if the right classes are present on the classpath. In this blog post, I discuss the CommonsCollections1 exploit available in the ysoserial toolkit and how it works.

All code snippets used in this post are sourced from ysoserial.

An Overview

The CommonsCollections1 exploit builds a custom AnnotationInvocationHandler object that contains an InvokerTransformer (an Apache Commons Collections class) payload, and outputs the serialized object. When the serialized object is deserialized, the code path from AnnotationInvocationHandler's readObject leads to the InvokerTransformer payload, causing code execution.

The image below shows the custom AnnotationInvocationHandler object used for RCE.

Image 1: The serialized AnnotationInvocationHandler

What makes the exploit effective is that it relies only on classes present in the JDK and in Apache Commons Collections. CommonsCollections1 leverages the following classes from the JDK and Commons Collections.

From the JDK:
AnnotationInvocationHandler
Proxy
Map
Override
InvocationHandler
Runtime

From Commons Collections:
LazyMap
Transformer
ChainedTransformer
InvokerTransformer

So, as long as a Java software stack contains the Apache Commons Collections library (
Gursev Singh Kalra