![](\"https:\/\/varutra-1a3b6.kxcdn.com\/wp-content\/uploads\/2017\/11\/Java-Deserialization-1-1024x535.png\" "\\"Java")
<\/p>\n<\/p>\n
Thick client is the kind of application which is installed on the client side and major of its processing is done at the client side only which is independent of the server. Like we installed some players or .EXE files in our windows system.<\/p>\n
<\/p>\n
Thin client is the browser based application which is having database (server) only in the back end & there is no need to install thin client applications at the client side. Also they are lightweight and do not occupy more space at the client system, whereas Thick client needs more storage space in order to install it on client side.<\/p>\n
<\/p>\n
Java serialization offers an object to convert itself into a stream of bytes that includes object data to store it into the file systems or to transfer it to another remote system.<\/p>\n
After serialize input (stream of bytes) is written to a file, it can be read from the file after deserialization process like stream of bytes then converted to the object again into the memory.<\/p>\n
<\/p>\n
Classes ObjectInputStream<\/strong> and ObjectOutputStream<\/strong> are high level streams that contain the methods of serialization and deserialization.<\/p>\n <\/p>\n The Apache Commons Collection (ACC) Library is the main reason behind the successful RCE attack. This library has the dangerous class InvokerTransformer which an attacker abused to gain access to remote system.<\/p>\n The InvokerTransformer\u2019s goal is to transform objects in a collection by invoking a method. Attackers take advantage of this functionality and manage to call any method they want.<\/p>\n To create malicious method attacker uses readily available tool called ysoserial<\/p>\n Here is the link to the tool: https:\/\/github.com\/frohoff\/ysoserial<\/a><\/p>\n The attack can be summarized as:<\/p>\n <\/p>\n Step 1:<\/strong> First we should know what is the IP and Port the Thick client is communicating to, in order to intercept the request\/response using burp suite.<\/p>\n In cmd ping the thick client URL to know the IP.<\/p>\n In our case lets the assume the URL for thick client is http:\/\/thickclient:8081 and after pinging this URL we got the IP 192.168.0.1 and port is 8081<\/p>\n Make the changes in the burp proxy<\/p>\n <\/p>\n Step 2:<\/strong> Edit the host file in your system so that the server host (http:\/\/thickclient:8081 in our case) points to local host and our burp proxy can intercept the request.<\/p>\n <\/p>\n Step 3:<\/strong> Run the thick client and intercept the request in burp<\/p>\n <\/p>\n Step 4:<\/strong> Now, we will replace this serialized data with our malicious serialized data, which will be de serialized server side and our command will be executed. For this purpose we will use a tool called ysoserial (download: https:\/\/github.com\/frohoff\/ysoserial<\/a>)<\/p>\n Run this tool with following syntax and create our malicious serialized payload (the IP should be your system IP and port I am using here is 4444)<\/p>\n The output will be somewhat like below<\/p>\n <\/p>\n Step 5:<\/strong> Now on another side listen to incoming connection from server where our malicious data will get execute. We are using netcat tool for this. You can get this tool here: https:\/\/nmap.org\/download.html<\/a><\/p>\n <\/p>\n Step 6:<\/strong> Now our payload is created in a file (test.out in my case), we will use Burps \u2018paste from file\u2019 option to paste our malicious payload in the intercepted login request as follows and will then execute our malicious data.<\/p>\n <\/p>\n Step 7:<\/strong> Now to check whether our command got executed or not on the server, netcat to the connection and you can see in below screenshot that we got incoming connection form the server, meaning our malicious code get executed on the server.<\/p>\n <\/p>\n Further Reading:<\/p>\n <\/p>\n Author Attack & PenTest Team,<\/em><\/p>\n Varutra Consulting<\/em><\/p>","protected":false},"excerpt":{"rendered":" Thick Client? What do you mean by that? Thick client is the kind of application which is installed on the client side and major of…<\/p>\n","protected":false},"author":3,"featured_media":17895,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"aside","meta":{"om_disable_all_campaigns":false,"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[140,289,266,121],"tags":[98,117,99,119,120,122],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t![\"Java](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2017\/11\/6-1.png\")
<\/a><\/p>\nWhy it is vulnerable?<\/strong><\/h3>\n
\n
How to Perform this Attack?<\/strong><\/h3>\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n\n
\nPranav Jagtap.<\/p>\n