fdu-sec / jdd Goto Github PK

Efficient Detection of Java Deserialization Gadget Chains via Bottom-up Gadget Search and Dataflow-aided Payload Construction

B Chen, L Zhang, X Huang, Y Cao, K Lian, Y Zhang, M Yang

IEEE Symposium on Security and Privacy (SP), 2024

JDK 8

Dependencies: See pom.xml for specific dependencies

1. git clone https://github.com/BofeiC/JDD.git

2. run runner/SearchGadgetChains.main

• inputPath: test project path

• outputDir: output directory. E.g. IOCDs

• outPutDirName：Name of the folder where IOCDs are stored

• prioritizedGadgetChainLimit: Output N highest prioritized gadget chains

• protocol: currently supports jdk, hessian, json (e.g. jackson, ...).

  • needSerializable: please adjust them together with protocol.
    • jdk: needSerializable = true
    • hessian: needSerializable = false or true
    • json: needSerializable = false or true

• sinkRules:

  • available options: classLoad,invoke,jndi,exec,secondDes,custom,file (e.g., sinkRules = invoke,jndi)
    • A version that facilitates custom additions and modifications may come online later
    • Some sinks (in custom) that have not been added/tested after refactoring

JDD is developed solely for academic research and to advance defensive techniques. It is not intended for unauthorized system attacks. The developers disclaim any liability for misuse of the software. Please use it responsibly.

The use of JDD for illegal attacks or profit is prohibited.

If you use JDD or some of our code logic, or some of the interesting cases found by JDD, please cite our paper as follows:

@inproceedings{chen2024efficient,
  title={Efficient Detection of Java Deserialization Gadget Chains via Bottom-up Gadget Search and Dataflow-aided Payload Construction},
  author={Chen, Bofei and Zhang, Lei and Huang, Xinyou and Cao, Yinzhi and Lian, Keke and Zhang, Yuan and Yang, Min},
  booktitle={2024 IEEE Symposium on Security and Privacy (SP)},
  pages={150--150},
  year={2024},
  organization={IEEE Computer Society}
}

• JDK
• Hessian(e.g. native hessian, sofa-hessian, hessian-lite...)
• Json (use this protocol pattern to detect fragments linked after Method.invoke)
• or similar protocols

Some of the fragments detected by JDD can be generalized across different deserialization protocols, e.g., we used JDD to detect a number of exploitable gadget chains in protocols outside the scope of the paper and obtained some new CVEs.

We've recently refactored JDD, resulting in improved performance in some applications. However, some features remain unstable, and we are actively working on fixing them.

• If you need the dataset, please send us an email ([email protected]) with the purpose. Thanks for understanding.

In the email, please include a justification letter (PDF format) on official letterhead. The justification letter needs to acknowledge the “JDD” project from Fudan University and clearly state the reason for requesting the dataset. Also, confirm that the dataset will not be shared with others without our permission. We emphasize that we will ignore emails that do not follow the above instructions.

We also produce a proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. You can build on this tool to understand payload construction more easily. This software was created purely for the purpose of academic research and the development of effective defense techniques. It is also forbidden to use it for any illegal attack or profit. The link is: https://github.com/BofeiC/JDD-PocLearning

The test applications are located in the testExample directory. You can change the test application by changing the inputPath in the configuration file.

test application example 1: Groovy

sun.reflect.'annotation'.AnnotationInvocationHandler: void readObject(java.io.ObjectInputStream)
Proxy Map: entrySet()
org.codehaus.groovy.runtime.ConversionHandler: java.lang.Object invoke(java.lang.Object,java.lang.reflect.Method,java.lang.Object[])
org.codehaus.groovy.runtime.ConvertedClosure: java.lang.Object invokeCustom(java.lang.Object,java.lang.reflect.Method,java.lang.Object[])
groovy.lang.Closure: java.lang.Object call(java.lang.Object[])

One of unknown gadget chain detected by JDD.

java.util.concurrent.ConcurrentHashMap: void readObject(java.io.ObjectInputStream)
groovy.lang.GString: int hashCode()
groovy.lang.GString: java.lang.String toString()
groovy.lang.GString: java.io.Writer writeTo(java.io.Writer)
groovy.lang.Closure: java.lang.Object call()

In this application, JDD detected gadget chains that do not require the dynamic proxy feature, which expands the range of protocols that can be attacked. The known gadget chain could only be used in protocols that support dynamic proxies (e.g. JDK, but could not be used in Hessian).

test application example 2: Vaadin Known chain

javax.management.BadAttributeValueExpException: void readObject(java.io.ObjectInputStream)
com.vaadin.data.util.PropertysetItem: java.lang.String toString()
com.vaadin.data.util.NestedMethodProperty: java.lang.Object getValue()
java.lang.reflect.Method: java.lang.Object invoke(java.lang.Object,java.lang.Object[])

One of unknown gadget chain detected by JDD.

java.util.concurrent.ConcurrentHashMap: void readObject(java.io.ObjectInputStream)
java.util.AbstractMap$SimpleEntry: boolean equals(java.lang.Object)
java.util.AbstractMap: boolean access$000(java.lang.Object,java.lang.Object)
java.util.AbstractMap: boolean eq(java.lang.Object,java.lang.Object)
com.sun.org.apache.xpath.internal.objects.XStringForFSB: boolean equals(java.lang.Object)
com.vaadin.data.util.AbstractProperty: java.lang.String toString()
com.vaadin.data.util.LegacyPropertyHelper: java.lang.String legacyPropertyToString(com.vaadin.data.Property)
com.vaadin.data.util.MethodProperty: java.lang.Object getValue()
java.lang.reflect.Method: java.lang.Object invoke(java.lang.Object,java.lang.Object[])