An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities

Nowadays, an increasing number of applications uses deserialization. This technique, based on rebuilding the instance objects from serialized byte streams, can be dangerous since it open application to attacks such as remote code execution (RCE) if data deserialize is originating untrusted source. Deserialization vulnerabilities are so critical that they in OWASP's list top 10 security risks for web applications. mainly caused by faults development process and flaws their dependencies, i.e., libraries used these No previous work has studied deserialization in-depth: How performed? weaknesses introduced patched? And how long present codebase? To yield a deeper understanding this important kind vulnerability, we perform two main analyses: one attack gadgets, exploitable pieces code, Java libraries, For first analysis, conduct exploratory large-scale study running 256515 experiments which vary versions each 19 publicly available exploits. Such rely combination gadgets or multiple libraries. A gadget method using fields attacker-controlled. Our goal precisely identify library containing understand have been patched. We observe modification innocent-looking detail class -- making public already introduce gadget. Furthermore, noticed among 37.5% not patched, leaving future attacks. second manually analyze 104 CVEs patched real-life Results indicate always completely workaround solution proposed. With solution, still vulnerable itself unchanged.