Forging Chains: The Java Blacksmith - Fabian Yamaguchi & David Baker Effendi | BSides Cape Town 2023
BSides Cape Town

 Published On Dec 16, 2023

We present a tool to automatically extract gadget chains from arbitrary combinations of classes on the Java class path - outside the lab environment. The aim is to demonstrate that patching chains makes no sense: deserializing arbitrary attacker-controlled objects is the vulnerability, not the chain.

When a program is found to write past the bounds of its buffer,
developers will eagerly fix the buffer overflow, whether proven to be
exploitable or not. In contrast, when it is found to deserialize
arbitrary attacker-controlled objects, you will find that developers
would like to hold on to this particularly flexible way of passing
objects between processes because it is a feature they love and
cherish. Without a gadget chain that shows conclusively that the bug
is exploitable, your warnings will fall on deaf ears. This
double standard is so prevalent that you will even see CVE assignments
to gadget chains in the Java world, something that seems absurd in the
C/C++ world. If dependencies are up to date such that no known chains
are available to the attacker, then we're good, right?

In this talk, we aim to show that it is dangerous to patch gadget
chains rather than restricting deserialization. To this end, we
present "gadgetfx", a tool that is capable of extracting gadget chains
from the concrete combination of Java libraries and custom code on the
classpath of the target application. Building on existing
proof-of-concept work and a decade of experience in creating code
analysis tooling, we provide a tool that is capable of dealing with
large real-world code bases while at the same time performing
sufficient analysis to produce valid chains. We discuss all the major
headaches associated with building such a tool and demonstrate its
efficacy on real-world applications.
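The mitigation the abstract argues for, restricting deserialization rather than chasing individual chains, is what Java's built-in deserialization filter (JEP 290, Java 9+) is designed for. The following is an added example illustrating that point; it is not code from the talk or from the gadgetfx tool. The `Ticket` type, the class and method names and the filter pattern are all assumptions chosen for the demonstration: the stream only accepts the one type the application expects plus `java.lang.String`, and every other class on the classpath is rejected before it is resolved, so no chain built from arbitrary classpath classes can be instantiated in the first place.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added example (not from the talk or the gadgetfx project): an allowlist
// deserialization filter. "Ticket" is a hypothetical data type standing in
// for whatever the application legitimately expects to receive.
public class RestrictedDeserialization {

    /** Hypothetical type the application expects on the wire. */
    public static final class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final int seat;
        Ticket(String id, int seat) { this.id = id; this.seat = seat; }
        @Override public String toString() { return "Ticket[" + id + ", seat " + seat + "]"; }
    }

    // Allowlist pattern: the expected class and java.lang.String are accepted,
    // everything else ("!*") is rejected before its class is resolved. The
    // limits cap nesting depth, object count and stream size, which also
    // blunts resource-exhaustion payloads that need no gadget chain at all.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;maxbytes=4096;"
            + "RestrictedDeserialization$Ticket;java.lang.String;!*");

    /** Helper used only to build the constructed sample inputs below. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the allowlist applied to this stream only. */
    static Object deserializeRestricted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER); // must be set before the first readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one expected object, and one arbitrary java.base
        // type standing in for "any class on the classpath".
        byte[] expected = serialize(new Ticket("A-17", 4));
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("allowed:  " + deserializeRestricted(expected));
        try {
            deserializeRestricted(unexpected);
        } catch (InvalidClassException e) {
            // ObjectInputStream throws this when the filter returns REJECTED
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide instead of per stream, either through the `jdk.serialFilter` system property or with `ObjectInputFilter.Config.setSerialFilter(...)`, which is the safer default for an application that has several deserialization entry points; a per-stream filter then only needs to narrow the global one further.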

Filmed at BSides Cape Town 2023
AV Sponsored by BITM Cyber Security

