Exploiting arbitrary class loading on the JVM

[Music] So uh hello Tao um and welcome to this talk my first ever BS size uh conference talk uh about arbitrary class loading on the JVM or arbitrary class loading on the uh JVM uh presented by yours truly. Um, so besides being vertically challenged and uh moderately handsome, I do have a few personality traits. Um, so about myself, I am a security researcher at uh Worly Labs based in Cape Town. Um, I am I have a lot of aliases, right? Uh, first and foremost would be Lord, Hicks Lord. Uh, I was a teenager, came up with it on a whim, I suppose. Uh, and then there's Kazamir for my gaming ID. And, uh, most recently, Rootkit Zaddy. Um,

uh, but if we're keeping it professional, then it's just Root Kid Ted. So, just just so that there's no funniness with business partners and all that. Um, but yeah, I'm a hacker, exploit developer, reverse engineer at heart, anything to do with memory corruption or C-based uh, vulnerabilities or, you know, any kind of exploit development. Uh, that probably has my name on it, you know, get really passionate about that kind of stuff. I am 23 years old in age. Uh I use the postcrimment operator there because uh I'm you know turning 24 in a few days. And uh of course if you haven't noticed, I'm hoping it's evident, but I'm also a Jim bro. Stay conscientious of my health and uh you

know, keeping it very cute, very demure. Uh um and so uh I'm also an anime enjoyer, right? Not really an otaku. I don't really watch as much lately. Um, I'm a gamer, as you might have heard from the gamer tag. Mostly into Tekken, but I do play a lot of single player games. And, uh, I am a man of culture. That is, I am in love with BMWs. If you're a Mercedes fan, I regret to inform you that this talk might not be the the one for you. Um, but so, um, you know, we're not here to talk about me essentially. Those are just the cliff notes. I do uh I hope I'm more than just the the points that I was

able to convey with this slide. We're here to talk about a vulnerability that we're that was uh discovered on an assessment a couple years ago. Uh more specifically that one uh CVE 202324824. Besides being a wonderful um very descriptive uh title for a slide, this refers to a vulnerability that we found in a grey log uh grey logs uh grey log 2 server or their implementation of their server. Um and it's essentially an arbitrary class loading vulnerability. Uh and uh you know Greylog were you know just a shout out to them. They were um you know they were really nice about this whole thing and they they know about the vulnerability. they've given us the okay to talk about it uh and they

have patched it. So, you know, just a shout out to them for letting me actually talk about this. Uh but so what the actual vulnerability u uh pertained to was that there was a way for an authenticated user to um essentially uh load an arbitrary class um with uh if they if it had permission to um change the cluster configuration uh of the grey log server. And if you're not familiar with Grey Log itself, they're like uh the their software is essentially like for logging system events and a whole bunch of other stuff that I can't remember, but uh yeah, essentially they're a logging software and um yeah, well, let's get into it actually. So, um

how this how we actually discovered the vulnerability was that we're on an assessment uh and uh you know, we're in the enumeration phase, right? which typically involves just like you know looking around the application poking around if I press this button what does it do blah blah blah and then we came across this particular request right uh and um there was something funny about it right if you look at the exact endpoint or the highlighted section of the screenshot you'll notice that actually looks a bit like a class no orglo 2 users user configuration so this was a bit weird right why why is there a class name in the endpoint that we're sending our request to um and so that

you know made us uh look further into the code and then we found the exact endpoint uh that controlled or that dictated exactly what happens with that class. So uh key point here there's a call to class for name which essentially creates an object out of the class that we've just specified. Uh and then there's a call to pass config object right those two are very important for understanding the vulnerability. Uh at this stage we didn't know it was a vulnerability so just bear with me. Um and so if you look at the implementation of parse config object, you'll find that there's a call to object mapper uh read value. And essentially what that does is it

instantiates the class for uh that we've just specified in the body of the uh in the uh uh endpoint um like in the endpoint uh the class that we defined there. It essentially goes and tries to instantiate that class with the body that we've provided in the request. Um so now we need to we're like looking to understand the vulnerability right like so we need to understand what's possible with the vulnerability like what can we do with this what are any of the limitations that come with this vulnerability and what are the requirements needed for successful exploitation of the vulnerability. Um and so in order to answer the first question, right, we look into uh how

exactly the object mapper works, right? Uh and so this is part of the Jackson databind library. And uh essentially there's a there's a little example there that we um that I used to sort of understand gain a better understanding of how exactly Jackson databind works. And um so what's happening there is that we we have the object mapper uh variable which stores a new a new uh object of type object mapper. Uh and then we have a string which is basically the JSON content that we're going to feed to the mapper. Uh and then uh just you know a fictitious class called person.class but essentially it could just be a class with um the two attributes name and age.

Right? Right. So in this case, I use myself and my age as the the details that I was going to feed to the object mapper. And uh what read value does is it's going to try and instantiate a class with those specific properties. Uh and uh yeah, that's that's basically the gist of it. So read value takes two parameters. The the actual JSON content and the the class or the object value of the class that we're trying to uh instantiate. Uh both of which we control based on the request that we just saw, right? So it basically comes down to this, right? Trade offer to the greylock server. I receive arbitrary class loading. You receive a class name and a

JSON object. Also, you have absolutely no say in the matter. But so we look at the limitations next, right? Can we just call runtime.getruntime.exec for the uninitiated. That's really just a way of saying can we execute system commands uh just like by abusing this vulnerability. And the answer is not quite right. Uh the problem is the class needs to be instantiable with the payload that we provide in the body of the request. Right? That is we can't directly go and invoke uh commands from different objects. Uh and the other thing is that uh we need concrete object right concrete objects. So that means no calling static functions, no calling uh constructors that are uh of a an

abstract object, right? we need them to be concrete objects with single argument uh constructors. Uh just another thing that I forgot to mention about Jackson is that um when it actually creates the object uh what happens is you can either specify like a JSON object with the properties that you want that object to have or you can specify if it has a single argument constructor you can specify the value that gets passed to that constructor for instantiation. Right? So what that boils down to is we can't call runtime.getr get runtime exec because that doesn't have a constructor uh that has a single argument uh parameter uh that has a single argument rather uh but you can do something like

calling java IO file right because that is an object that takes a single parameter in this case a string that references a file on the system in this case I use etsy password because you know I was testing on a Linux machine and that's you know probably the one with which most hackers are familiar um so the nice thing about this is that since we can specify any class right that doesn't limit us to just the classes that are on the uh grey log 2 server class path so essentially any standard library is also included here so the scope has been broadened quite a bit so you know if we update it trade offer I get arbitrary class loading you as the

grey log server receive a class name and a JSON object and you kind of have a little bit of a say in the matter given that we can't call any any class or any uh object that exists within the class path. Um so now we need to understand exactly what's required to actually exploit this thing. Right? So of course it you know grey log is is a multiplatform piece of software. So you know you could run it on Windows, you could run it on Linux and there are a few discrepancies between the two but the main thing for exploitation is that it needs to be of uh the the Greylock server needs to be running on version

two up to 5.2.3 within that range. If it's within that range then it is susceptible to the vulnerability that we will uh or rather the types of exploitation of this vulnerability that we will discuss later on. And then the other thing that you need is a user with sufficient permissions to actually edit cluster configurations on the server. Now cluster configurations really just come down to you know like a setting that you can change on the Greylock server. It's not too important to understand exactly how cluster configurations work here. So now uh we get into the actual part the actual um exploitation part of this right the part that gets me the most giddy because you know it's kind of like

my passion I would say my life's work but you know I've only lived 23 years so I guess it wouldn't really count to much um but so um my best friend taught me this this uh saying in in Mandarin Chinese which means bitterness before sweetness but effectively it just means like it comes down to there's going to be a little bit of pain before we can actually reap the benefits of our rewards. Right? So, the way I went about exploiting this vulnerability and the way it typically goes when it comes to exploitation as a whole is that there's a ton of research that goes into it, right? Lots of trial and error, lots of trying things and failing, lots of

pulling your hair out and discovering new words in different languages. Um, uh, swear words, I mean, in different languages. Um, and, uh, yeah, it's a lot of frustration, right? And eventually you get to a point where you've gathered you understand the the vulnerability so well that uh it almost feels like um you know you could you could describe the software to the people that designed it better than they can kind of thing, right? Um so yeah, you get like a a lot of research that and a lot of frustration before you actually reap the benefits of your award uh of the benefits of your efforts. Uh, and so, uh, the other thing I'd like to convey

here is that for me, exploitation is kind of like like kung fu, which is, uh, essentially just kung fu, but like how you actually say it. Um, and, um, and so the way I think of it is that it's kind of it's a like a a nice little combination of art and uh, science, right? A lot of it is methodical. A lot of it is like uh, science-based. you know, you have your hypothesis, your test case, your result, and you confirm that information, but at the same time, it requires a little bit of creativity, right? Uh I think, you know, obviously when when you get to a point where, you know, you're working with a

vulnerability and you want to get to a point where you're trying to pop a shell, you're essentially solving for a problem that wasn't meant to be solved. And in so doing, you are in some way engaging in a form of art. But at the same time that takes a lot of methodical approach and like a you know like a scientific formula in which you you test something you see the result and then you know you basically go from that corroborate triage all that kind of stuff. Um but so yeah um this is essentially one of my favorite dog arts. Voodoo is reserved for heritage day. Um and uh yeah so this is a very broad

topic as well. Uh there is a little bit of assumed knowledge but I will try my best to make it accessible to everyone. Um um yeah hopefully you like the illustration as well. I I really do liken this to Gung Fu because yeah I don't know if you guys have seen that movie with uh with Jackie Chan and uh was it the the karate kid but like the the the one with uh Will Smith's kid you know he says kung fu is in everything we do. I feel like exploitation is is in everything we do. I'm not talking about like I'm not talking about like pre-1800s America kind of exploitation. I mean, you know, this I like to think

of it like it's okay. I feel like I I can say this, you know. Um but so when it comes to the arts of exploitation, I find that this, you know, generally um we follow the same procedures. Right? Now this is in the context of a Java based application but I feel like if it were something you know more uh I want to say common when you think of exploitation like uh memory corruption vulnerabilities um then you know we all it's like it follows the same structure you basically figure out like okay is there a a base test case you know in the case of memory corruption or like a buffer overflow we first want to find out okay can I

overflow the buffer right can I overwrite the stackinary can I reach the return pointer kind of thing once you trigger that you find out Okay, what can I overwrite this stack the, um, return pointer with? And so, um, from there, it's really just like a series of questions that you ask to eventually get to a point where you can say, okay, I figured out all the moving parts. I have every single piece of the puzzle. Now, I just need to put it together. And that's essentially what I try to do here. Right? The first thing is, can we trigger the vulnerability with a base test case? And then after we figure that out um is it are there any classes or

rather what classes are available to me uh to actually use in my exploitation? And then from that uh could any of the classes that are available to me be used to do something interesting do something that the server was actually not supposed to do. Uh and then the last question which you might argue should probably be first is are there any existing Java exploit chains? The reason I put that last is because I'm a very like try and invent reinvent the wheel kind of guy. Uh and that is um you know I find that you know if something exists already like it's cool and stuff but I don't think it should ever invalidate the efforts that one can make to sort of

either you know make an attempt at doing something and then learn something new. Perhaps it brings a perspective that you didn't previously consider or you might find a new way to um sorry I forgot to turn off my notifications so I suppose we'll be reading my chats together. Um but so yeah it might also bring into uh it might you might find a way to do something a little bit better than you know the the previous or existing way to do it. Um so yeah essentially that's that's what uh those are the questions that I wanted to answer that I set out to answer when developing an exploit for this right so the first thing triggering

the vulnerability base test case right this is essentially the flow of it right I mentioned before that we can call something like java io file with string parameter etsy password how this looks in the request is as follows right the first highlighted section is the class as we've seen and then the body contains the actual uh string that is passed to that object object. So in this case, it's going to go and then if you remember correctly from pass object, it's going to now map that object to um that value essentially call Java IO file with that string as a constructor and then uh we should be able to get the contents back. Now the result of this is

that we were in fact able to read the contents of Etsy password. Uh given that this is a Linux machine, that would have worked. If it was Windows, you'd probably try something like uh I don't know something in the system 32 folder or some such. Uh but the point is um you know we're able to actually get the contents of that file which is which is great. It's wonderful but like it doesn't it doesn't make sense. Hang on. It just like because because the only the we know that the vulnerability is really just an arbitrary class loading thing. But how does it actually go and retrieve the file? Right? This might be what you're wondering. Uh at least

that's what I was wondering initially. Um and so it comes down to this. Right? Uh what we've done is that we've created an object of type java io file right we've given it a string which is a path to an existing file in the system and really all java IO file is is it's a file handler wrapper thing that has a reference to a file on the system but it doesn't actually store the contents of that file right but then at the bottom there you'll see that there's actually a uh like what this what this controller does is that it creates uh it calls uh the response accepted and then it passes the config config object as as a as a

parameter to the request or the the response um that is returned. And so what happens is we have this strange interplay between um uh Jackson databind and jersey response builder wherein if you pass the Jersey response builder a Java IO file or like a file wrapper, it'll go and actually fetch the contents of that file and then return it in the response uh in the response uh body. Uh and so yeah, it's like this weird and beautiful interplay between the two. It's kind of unfortunate, but we have confirmed that the test case works, right? And so now we need to actually look for other classes that might aid us in exploitation of the vulnerability. So

what I set out to do initially or I think what everyone sets out to do is just pop a shell. But in this case, um I would want to you know get like a a reverse shell going kind of thing, right? Uh and so in order to do that, we need to get all of the classes. We need to understand is that actually possible? what classes can we call that have the requirements of exactly one argument in the constructor and um that has like some kind of side effect right so there's a tool to do this that I used called urine right it was developed by the beautiful man in the background sorry for reading my chats like I said

but um uh it was his invention essentially and uh yeah it's just an open- source u tool for static code analysis uh which was designed with the purpose of or for the purpose of uh vulnerability research. Um it is um basically like a it combines a bunch of graphs that are generated from a codebase, right? So so a whole bunch of different graphs namely the abstract syntax tree which is like based on what the code looks like and then there's the control flow graph which specifies like um how the program gets from one point to another in the code. And then there's the um program dependence graph which just defines uh what like how each each parts

of the code um interacts with each other essentially like um what you need to get from point A to point B kind of thing. Um and so this was sorry just another thing it's it's it supports a lot of languages. So you know if you want to uh use urine on like a C codebase or Java codebase or Python or Cotlin you know it has support for multiple languages. Um but so all of those graphs are combined into one which is known as the CPG and essentially you can query the CPG uh that is generated from a specific codebase uh to gather insights into the code and how it works right so in this case this is the query that I ran uh and

essentially we're just looking for so if you're using a jar you'll find that all constructors really just conform to the format of init right and so from there we look for all of the ones that have exactly one parameter and then uh I I ended up saving it to a file um but you That's that's still a lot of entries, right? That's around 2,000 entries that we need to look through. Uh and the truth is ain't nobody got time for that. So, what I did was I went and I refined the query, narrowed it down, and um I kind of refined the the criteria a little bit, right? What we're really interested in is a constructor that has

some kind of side effect. Ideally like the the absolute silver bullet would have been any constructors that have an implicit or explicit call to runtime get runtime exec or process builder or something that actually starts a process on the target uh on the target machine. Um or if that's not possible, which let's be honest, that is a bit of a long shot, right? There's no constructor that I know of that actually does that. Uh but you know, is still a possibility, it exists, so we search for it. But you know, anything else that uh creates like an outbound connection to the um that creates an outbound connection to an attacker controlled server or that writes data to the disk. Um because

let's be honest, if you have like an arbitrary file, write or write what where then you RC is like almost guaranteed at that point. um or something that opens up the application to other attack vectors like cross-ite scripting uh xe uh local file inclusion etc right buffer overflows are included also it's very unlikely but it's still definitely you know a thing that you should look out for so after refining the the the urine queries uh we got to a point where it's uh the number of um entries that we have to look for that we have to look through is in the low hundreds right this is acceptable This pleases the nut where I am an element of the nut. You

get the point. Okay. So now we actually get into a point where um so just you know for context um after having found all of these classes this this part involved a rigorous sort of um trial and error stage of like trying to you know this back and forth looking at like a class that was specified or returned by the year query and uh the source code that's involved in it and then like you know trying to see if I can trigger something interesting and so really I'm about to show you like the highlights and then we'll like increase the intensity and level of leapness as we proceed through the rest of the talk. But so the first

of which is the file alteration observer, right? I hadn't ever worked with this uh until I you know found this in the in the results that year returned. But essentially what it would do is that it would you'd give it a directory and then would scan all the files and directory or subdirectories within that directory and then uh so it's supposed to essentially just like alert you if there's a change, right? Uh this probably wasn't going to work, but what it does do is that one it takes a single parameter. Good. you like this. Uh two, uh it returns the full absolute path to the directory that you specify. So if you just put a period, i.e.

current directory, it'll show you where in the greylock server you are, right? So this is what it looks like in action. I have blurred that out, but really it's just rootkit daddy. I just I wasn't know I didn't know if you guys would be comfortable with seeing my uh rootkit daddy just reflecting over there, but you guys have context now, so I feel like it's okay to say. Um but so yeah, right over there you can see I've I've specified file alteration observer with the uh current directory as the body of the request and so as a as a response we get the full path to where we are on the Greylock server. Um this is cool, right?

We have a little bit of um enumeration going on just like some light info leakage. But let's take it further, right? Um so another thing that I discovered was that there was actually a class or a piece of code. This was done with manual inspection because at some point you just look like hey is there something that just calls process builder or u runtime.getr runtime exec and so this was one of them right this is like this would have been super helpful. Essentially what you can what you notice is that there's a a method called sh which as you might have guessed uh opens up a shell takes takes a command that you've specified and then just executes

and then shows you the result. That would have been perfect. That literally would have been like it would have halfed the development time or the exploit development time. Um and uh the problem is that it didn't have any constructors that we could invoke. um no single parameter constructors and uh they're all static essentially. So yeah, that was kind of disappointing. Um but we move, we take the hits, we keep running. Um and so we get to the next thing that I discovered that was really cool. The Linux OS processes uh object from the Oshi software package. I'm not going to say the whole thing, but yes, you get the point. Um so this one was a

lot more interesting, right? uh it basically just uh represents an entire Linux process. Uh I'm not sure if there's a Windows equivalent. I never really looked into it. Um but essentially again it meets the requirement of one parameter. And the other thing is that it lists it gives a lot of details about the process on the Linux machine, right? Things like P, CPU usage, um the exact command line used to actually start the process and all it takes is an integer value, right? So there's a little bit of guesswork unless you're familiar with the process ID space that uh a specific system uses. But uh the nice thing is that if there's um rate limiting or rather a lack of

rate limiting then you can essentially just spam all the processes from one up to whatever number makes you feel happy uh and essentially you'll get all of these details uh like as seen in the example slide. Um so yeah in this case you can see the exact command line that was used to start the Greylock server context that P belongs to uh the the process in which the Greylock server was running. Um and so yeah there's a lot of details there. Um the group ID the user who started it the exact command line. This is cool. This is cool. We're getting a little bit more uh interesting output right. Um and so yeah I mean it's

another process enumeration type or rather it's another enumeration type of uh usage of this primitive. Um but wait there is more right the next thing is Java assist tools web server right this is just a simple HTTP server that serves Java class files and uh it takes another single integer argument right um so you might be thinking or at least what I was thinking at the time is um this kind of seems like it's leading up to a point where we can pull files off the server which is like it's cool but we can already do that right the the first base test case kind of allows us to do that kind of thing. Exactly. So what would be

the point of this? But then we take a look at the responses from the server, right? If you specify a port 8084 in this case, uh, and then uh, you know, send the request, the the server responds with a 202 accepted and then it returns some JSON data that honestly isn't that useful to us, right? Um but then you know you can also confirm that we've started up a listener or it it actually bound to the port at the very least. Uh because if you look at the screenshot that's before the first one is the output of end mapap before the request is sent and then later on is what happens after. So we know that it

is actually binding to the port. Um but then you take a look at the response if you specify a port that's already in use. Port 9000 is already in use. So in this case it responds with a 43 I think. Yeah 43 and uh you know a little error that says okay well there was a problem doing this or whatever. Um but but what does it mean right we get characteristic responses based on the port uh if it's based on whether or not the port is actually available for binding. Um, and so what this means is that we get like a a bootleg kind of ugly slightly noisy um port scanner. And the nice thing about

this port scanner in in detail is that like it won't just specify open ports that are uh accessible to everyone on the network. This also includes local host ports. So uh often times you'll find like my SQL or something running like on on local host or only accessible by you know the same machine. this will give us information about that all without having having to send a single TCP packet to any of the other ports except port 9000. So I mean I think that that was pretty good. You know it's a nice win. Um, and so there was another primitive that actually opened up the application to a uh to XXT vulnerabilities and that was in the

validator resources u um object and essentially what it did was you could specify a URL which um because validator resources expects a path or a URL to an XML file, right? Uh and what it does is if you specify URL, it'll go to that server, pull the file and then you know try and pass the XML. But the thing is by default it doesn't it doesn't incorporate any of the existing default XML protection mechanisms. So in this case if you specify an attacker control server hi I'm attacker and then um you specify a file at that server uh what you can do is now effectively you know have the applica have the application be open to uh XML or X XML based attacks.

So in this case, uh yeah, this was just me testing to see like, hey, is this thing actually going to try and fetch um and uh I noticed that it did. And so what happened was I built these uh this little exploit or not, you can call it an exploit, but really I just uh configured these two files, the XML file, which in turn calls a DDT file, and the DDT file tries to read from the proxis kernel host name, which essentially is just the host name of the system. Uh this is a proof of concept, so I didn't get too gnarly with it. And so I started up an htt HTTP server on port 4443 and uh you can see that

actually it went ahead and read the contents of that file. Now again we already have a primitive where we can read from the file um and you know essentially read from any file depending on the permissions of the user who started the grey log application. But um you know this is still just a nice thing to have. And essentially if you want to go the loud and dumb route you could also um uh use like a DOSS attack against the application because you know the boolean laughs attack is still a thing. So if you want to you know be gnarly and sort of uh have the application or the server stop responding for a minute or two or

three or however long you want to uh keep the DOS going or the DOS going then you can go ahead and you know exploit it that way. Um so yeah there were a bunch of other primitives that uh that came with this. The histogram log writer is essentially an object that let us write any file to the system. Again uh restricted by the permissions of the user who started the grey log service. Um but we couldn't really specify what to write. So it's really just like a write where but not a write what where. um can it can be useful if certain programs depend on the existence of certain files but uh you know in this ca in this case like with

the default setup it wasn't quite a thing uh and then there were a few uh SSRF potential uh objects essentially they just send out get requests much like the validator resources object um but you know nothing nothing too crazy there essentially you could just make the server send a request um you know it's pretty it's cool stuff but uh not really like the real stuff it's not what we're after at this Um, so what about rce? That's the real question, right? Like can we pop this server um using this method of exploitation? And unfortunately, it just got to a point where I was looking through these things and I didn't find a single one that had uh a process builder or or you

know, just some form of command execution. And I looked for exploit chains and I still couldn't find anything. Right. um the existing ones required packages that weren't included in the Greylog uh server package list. So, you know, it was a bit difficult at this stage. And so, I ended up feeling like this. It was tough. It was tough days. I was really thinking, you know what? I think I'll just present this stuff and then call it a day. Um yeah, it was a very a very difficult time in my life. Um but so I got to a point where I'm like wait hang on let's go back to the implementation of uh Jerseys uh Jersey

databines um um object instantiation technique right um so essentially it came down to none of the constructors have what I needed but Jackson databind does in fact call certain getters implicitly and certain setters implicitly depending on how you actually create the object right So remember before in all those instances where we got a you know a JSON object that detailed the attributes of an object that we just instantiated in some of those the getters and setters were invoked implicitly right. So essentially what I what I did was I started including getters in the um in my in my search for classes that could be used to achieve rce and what I ended up finding was this class. Right? It seems pretty

useless at first, right? It does take a um a single parameter in in one of its constructors. Uh and all it does is it just sets the printer name, right? Um the Unix print service class that is. Um and so it's like it seems pretty useless, but then you get to a point where you're looking at this getter. Get printer is accepting jobs BSD, right? So it's lining specific. Yes. And so, uh, what the thing that drew my attention there was that there's a string variable called command. Seems awfully suspicious. And, uh, it it it invokes LPC status and then, you know, it just sort of plugs printer right in there. And I was like, oh, wow, look at that.

It's plugging printer right in there. And I like, wait, it's plugging printer, which I control, right in there. And so immediately after that, it does an exec cmd. And so after looking into that, you can see that really it's just invoking a shell command to do this. Uh, and so we exploit like so. And so what it ended up doing was I just invoked PHP, but really you can get like a ton of other payloads that you can use um to to get a shell. You know, rev shells is a thing. And so uh yeah, this PHP payload worked for me. And so we get to a point where, you know, we're at the demo. Now, it does pain me horribly to

let you know that I will not be sacrificing any chickens for the demo today. Um, especially as a black man, you know how we love chicken. Um, uh, I have instead prepared a demo, uh, that we will, uh, we'll watch, uh, it's uploaded to my YouTube, but it's private, so like and subscribe either way. Uh so so the first thing that happens is I check the version of the of Java and start the grey log machine. And so as you can see the greylog server is up and running and then next up I just test the connection to make sure that it is in fact running and is reachable. Don't actually log in. Don't want you guys to

see my really secure passwords. Uh and so this is the exploit I wrote for it. Uh I will be posting this at some point later in future u later in future I'll be point u uh uploading this to my GitHub at some point in future um once I have a go ahead but uh yeah this is just like some um an introduction to the things that the exploit does really just like doing the login getting the authentication token checking if the grey log server is in the vulnerable range uh actually sending the payload um yeah this is all configurable with uh the uh arguments that the exploit takes um and yeah some quality of stuff uh arg

parser for the win and then we get to the the VM. I decided to run the exploit from my Windows VM uh because this needs to be on a Linux system. So you know over there you can see the arguments that the exploit takes and um yeah essentially the command that's used to invoke the exploit. So as you can see it tries to authenticate, gathers the information it requires, sends the payload and then eventually boom we have shell [Applause] Yeah. Um, so just a quick thing about this exploit. Um, this on later pre on later versions of uh the Greylog 2 server uh Java 8 is no longer compatible, right? So you need to you

need to use Java 9. And so that might uh if you end up running this exploit there, you'll see in the error logs of that uh of the later version of grey log that you choose to use, you'll see something like oh unable to uh make whatever accessible to whatever because it does not opens blah blah blah right and that is a result of the JPMS or the full name I can never remember this thing Java platform module system right that was introduced in Java 9 onwards. So essentially the rce vector of this thing will be eliminated if you try and run this on like anything Java 5 or rather over I I was using like Java 4

something for the actual exploit. Um but yeah so the the the versions of Java that use that require Java 9 and above won't be susceptible to this kind of thing. Um and yeah so really that that meme kind of sums it up, right? Um you shall not pass little bro. Um but so it it only eliminates the RC vector, but like um for one, the thing to consider there's still a surprising amount of systems out out in the wild that are running legacy software or legacy code. Um some still probably running like this exact version of Greylog. Um which yeah, it's just not a good idea. Uh you should always keep your software up to date. Um but uh the

other primitives or the other methods of exploitation are still very much doable, right? the the bootleg vault scanner, the uncontrolled file write, the uh pulling of arbitrary files on the system, again restricted by the permissions of the user that uh started the process. Um that's all still very much doable, right? Up to versions 2 uh 5.2.3. Um but so yeah, that pretty much concludes the talk. Um essentially, just keep your keep your software updated. Source, dude, I literally just showed you my exploit. Um, but so yeah, I mean I'm opening the floor up now for questions if there are any. Um, yeah, ask away if there are any questions. [Applause] No questions. Sorry, I did have one more

slide after that. I don't want to. Okay. All right. Yeah. Sorry. This is a a little selfplug if you're Yeah, I I did mention I'm a gamer before. So, you know, thank you for coming to my talk. Uh yeah, post the source code on my GitHub. Link is over there if you uh want to check it out. I'm Ted Tobani on LinkedIn. So, you know, let's connect and uh yeah, root kid. >> Um I just have a question. So, you say you're going to post the code onto GitHub. Did you use your own offline lab to do this in? >> Yeah. Yeah, very much. >> Would you also be able to post that as well, so we have something to test

against? >> Um, yeah, I believe so. I mean, it's it's open source, right? So, literally everything that I use, you can just like >> Okay. As long as the configs are there and I don't have to like message you and be like, "Hey, Teddy." >> Yeah. Yeah. >> I don't know how to Google. >> Yeah. >> Okay. Cool, man. I love the talk and I love the name. >> Oh, thank you so much. I worked hard for it. Um, just another disclaimer, a little a little humble brag. I did not use chat GPT at all for the exploit.

[Applause]