lyu07282 2 days ago
> We can’t see a path to exploit this without a valid private key. On paper, that should kill the bug dead. The juicy theory bit: The vendor accidentally signed evil. Imagine this:
> When you activate your GoAnywhere product, your installation generates a serialized license request.
> It’s sent to the vendor’s license server (my.goanywhere.com)
> If someone slipped a malicious object inside that request and the vendor blindly signed it, attackers would now have a perfectly valid signed payload that works everywhere.

That would be wild if true. Basically this is an object serialization vulnerability exploited in the wild right now, but it only deserializes signed objects, so the author is speculating if their private key leaked, or even better, if the company signed the malicious payload themselves lol
deskamess 2 days ago
So would the signed 'object' contain code? Or is it just data? And even if it is code, does deserializing mean execution? I guess it could mean execution at some other stage in the process. What is the end-goal of this... would it be data exfiltration vs ransomware?
cogman10 a day ago
Java object serialization can be super dangerous as it just works on any class that implements Serializable. That means if the shape of your object is something like

    import java.io.Serializable;

    // A functional interface whose lambdas can be serialized (see the linked article).
    interface SerializableFunction extends Serializable {
        void apply();
    }

    class Foo implements Serializable {
        SerializableFunction bar;

        void doBar() {
            bar.apply();
        }
    }

you've created a class where an attacker can plug any object which implements `SerializableFunction` into `bar`. That includes externally created functions! Here's an article detailing exactly how that works: https://www.baeldung.com/java-serialize-lambda
cwsx a day ago
> What is the end-goal of this... would it be data exfiltration vs ransomware.

The end-goal is to gain complete access to the system - the outcome (data theft or ransomware) is the customer's choice
lyu07282 2 days ago
It often results in remote code/command execution; it's data that de-serializes into Java objects. But during the instantiation or sometimes deconstruction of objects, code can be executed. Popular tool for Java: https://github.com/frohoff/ysoserial
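Added example (not code from this thread, from the linked article, or from GoAnywhere) that puts the two points above side by side: cogman10's "any serializable lambda can be plugged into the field" shape, and lyu07282's "code runs during instantiation" point, which here is a `readObject` hook that fires before the application ever touches the object. The class names (`DeserDemo`, `Foo`, `Pinger`), the allowlist pattern and the payloads are all made up for the demo; a real gadget chain uses classes that already exist on the victim's classpath (what ysoserial assembles) rather than a cooperating `Pinger`, so the second half only shows the effect, not the attack. The hardening half uses the JDK's own `ObjectInputFilter` (Java 9+, JEP 290) to allowlist exactly the classes the application expects and reject everything else, including the `SerializedLambda` the lambda payload needs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.function.Supplier;

public class DeserDemo {
    // Hypothetical functional interface; any lambda assigned to it is serializable.
    interface SerializableSupplier<T> extends Supplier<T>, Serializable {}

    // The shape from the thread: the field can hold any lambda the sender chose.
    static class Foo implements Serializable {
        private static final long serialVersionUID = 1L;
        SerializableSupplier<String> bar;
        String doBar() { return bar.get(); }
    }

    static final StringBuilder LOG = new StringBuilder();

    // Hypothetical gadget-style class: readObject runs as a side effect of
    // deserialization alone. A real gadget would reach Runtime.exec() here.
    static class Pinger implements Serializable {
        private static final long serialVersionUID = 1L;
        String cmd;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            LOG.append("Pinger.readObject ran during deserialization, cmd=").append(cmd).append('\n');
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // filter == null reproduces the unfiltered default; otherwise JEP 290 filtering applies.
    static Object deserialize(byte[] data, ObjectInputFilter filter) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (filter != null) ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // "Attacker" side: constructed payloads.
        Foo evil = new Foo();
        evil.bar = () -> "attacker-chosen lambda ran inside doBar()";
        byte[] evilFoo = serialize(evil);

        Pinger p = new Pinger();
        p.cmd = "id";
        byte[] pinger = serialize(p);

        Foo benign = new Foo();            // bar left null: the only shape the app expects
        byte[] benignFoo = serialize(benign);

        // 1) Unfiltered victim: the lambda is rebuilt and runs when doBar() is called...
        Foo f = (Foo) deserialize(evilFoo, null);
        System.out.println(f.doBar());
        // ...and Pinger's readObject already ran with no call from the application at all.
        deserialize(pinger, null);
        System.out.print(LOG);

        // 2) Hardened victim: allowlist the expected class, reject every other class.
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter("DeserDemo$Foo;!*");
        String[] names = {"benign Foo", "Foo with lambda", "Pinger"};
        byte[][] payloads = {benignFoo, evilFoo, pinger};
        for (int i = 0; i < payloads.length; i++) {
            try {
                deserialize(payloads[i], allowlist);
                System.out.println(names[i] + ": accepted");
            } catch (InvalidClassException e) {
                System.out.println(names[i] + ": rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run with `java DeserDemo.java` on Java 11+. The unfiltered half prints the lambda's string and the `Pinger.readObject` log line; the filtered half accepts only the benign `Foo` and rejects the other two with `filter status: REJECTED`, because the lambda payload needs `java.lang.invoke.SerializedLambda` in the stream and `Pinger` is not on the allowlist. The practical check for a codebase is therefore whether every `ObjectInputStream` has such a filter (or a process-wide one via `jdk.serialFilter`); the signed-payload discussion above only matters if the attacker can get a stream past that point.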