• Resolved cdavisgf

    (@cdavisgf)


    One of my clients has run a third party security scan of their site and it came back with a critical error of Java Object Deserialization. It is on the contact form message field.

    I’m not sure why CF7 would be deserializing a Java object, or if I’m just looking in the wrong direction, but figured I would reach out for help.

    It could be that this is not on the plugin level, but at the server level, but I’m trying to check on all avenues.

    Thanks for any help you might be able to give. The relevant portion of the scan is copied below.

    Identification
    PAYLOAD
    H4sIAOHyi2MAA61WTWwbRRR+Yydexzhtkua/haQpgSSlu02cEooj0vzQ1sUhQTbpwQdrvB6cLfvX2VnqcOCAhMQVwYUjEoID4RAJiYoDEteeewIhISFxQAIO5YBU8fNmdxMnISVuiSXvzL7fmfe+959u/gKtHoe+G/QNqvrCMNVVbjjcEBuv+MxnH3x7/ov7c29vxSGWgxbPeJPlIaU7lks5FQ4X0JuXmprU1BZ36Nm6CwAxNHzW4TWVulRfZyrqWY7tqRVGbangqQu4a2j9+NG7P3sjH1+NQWyPl5vwFpA8JF3uuIyLDQFdoVeT//uHobXtrJgZQdwV0OL5wfbEa+jWYd6sFrxVHR8+jJdXzbXWXwzrF86iGLRi3qanWPVPoquC0rhaZ5ZpUMC+Ha9v1lW/szc8ycUjkoL1s2FVmi5d9q8J4Do6VUcH2TCZySK+XIFWubAimO1XmCYiXSgslSJR1k3r42lXaFYZFScvmobVsU4vJkLXkobO8/wZ7M9aghxmDv/Hn88DRS38O9NRq34WxkNlEeqy0sHmv749EsvhDRE5M3/nrq6+RnYFMCuIwosCkAqMKPEWgw2PcoOYa4x5G/9XcEgFyjUD7IqZCUFusUdNnrZ8Pv3/vve9/e4FAYtawDYGb+Nj4GoGWRbw1geN5w2ZhfIoyWwSz7+holqJxfI+ILWLd8AicKAi/UoxiuEo3TIdWCaRzts14ECKGQhfyG54THk5zQxkvDMgVWq0x4T15gJUsgbYgOa853CLAx/KIAQ0xoCEGtBADWoABbRsDWoABbWllOVs6UNoyG7LhebDCuFaItlSi9iq1qybjWRmSZNXRfQvxQuDcQ7lH1fXQDl5/4f8fhkDqxbrO3KCsFHiawCcPF49DT1AVlrZUXJ6vG14OSUFXOZoYGpE5iYNHOQUBJYolgfmjiGTB8bnOLhsSxukIgaos0jSk4DEFxghkHgGwBC41mxHu28KwmDZf8RD/mJuF0xDDfoY+8D8IrZDAVZF9EJIBDVODzzRSNFwJrq0TXwLZCkTa8ZkIiCocw2c6FIDjMIUrtinoRimpPCcniqTtV8wEisMhM1KUux7oDfgE+qAfNQZwH55Rmj0Zmc0/qPZnrELzvOv6bF6KHTArWaqeNBAmeaMLUH9CuVG/jx8sA6PKyW/hPFpHkUZ/ehuCvgnwie3buy2yuzi19Ocawo9xaBukx0e/0f0kkTnWYKAAA=
    
    PROOF
    The scanner injected the following delays in the payloads: [3, 5, 8] (seconds) and noticed the following response times: [3.491512, 5.495505, 8.050464] (seconds).
    
    OUTPUT
    The scanner was able to inject a crafted Java Object which was deserialized by the remote application by using the Apache Commons BeanUtils gadget. The payload used can be viewed in the HTTP request provided in attachment.
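Two checks a practitioner would run on a report like the one above before accepting or dismissing it, as an added example that is not part of the original thread and not code from Contact Form 7: decode what the scanner actually sent (the report's blob begins with "H4sI", which is the base64 encoding of the gzip magic bytes, so the decoder gunzips first and then looks for the Java serialization stream magic AC ED 00 05 and any class names inside), and re-check the timing "proof" by fitting the observed response times against the injected delays. The sample payload is constructed here as a stand-in (a gzipped Java stream holding only a string that names a Commons BeanUtils class); it is not the scanner's gadget chain. The function names and the 1 s / 0.2 slope tolerances are this example's own choices.

```python
"""Triage helpers for a scanner finding of 'Java Object Deserialization'.

Added example; not part of the original support thread or of Contact Form 7.
Two checks before accepting or dismissing such a report:

1. What was actually sent.  The report's blob starts with "H4sI", the base64
   of the gzip magic bytes, so: base64-decode, gunzip, then look for the Java
   serialization stream magic AC ED 00 05 and the class names inside it.
2. Whether the timing 'proof' holds.  The scanner injected sleeps of 3, 5 and
   8 s and saw 3.49, 5.50 and 8.05 s responses.  A reflected sleep means
   observed ~= baseline + injected for every probe (slope ~1 across probes).
"""
import base64
import gzip
import re
import statistics

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # ObjectStreamConstants STREAM_MAGIC + version 5
GZIP_MAGIC = b"\x1f\x8b"
TC_STRING = b"\x74"                      # serialization tag for a UTF string


def inspect_payload(b64_blob: str) -> dict:
    """Decode a payload the way the scanner built it and describe what it is."""
    raw = base64.b64decode("".join(b64_blob.split()))  # tolerate line-wrapped blobs
    gzipped = raw.startswith(GZIP_MAGIC)
    data = gzip.decompress(raw) if gzipped else raw
    # Class names in a Java stream are stored as plain modified-UTF-8, so a
    # dotted-identifier regex recovers them without a full stream parser.
    names = re.findall(rb"(?:[A-Za-z_$][\w$]*\.){2,}[A-Za-z_$][\w$]*", data)
    return {
        "gzipped": gzipped,
        "java_serialized": data.startswith(JAVA_STREAM_MAGIC),
        "decoded_size": len(data),
        "classes": sorted({n.decode() for n in names}),
    }


def build_sample_payload() -> str:
    """Constructed stand-in for the report's blob: a gzipped Java stream whose
    only content is a string naming a Commons BeanUtils class.  It is NOT the
    scanner's gadget chain, just enough structure to exercise inspect_payload."""
    name = b"org.apache.commons.beanutils.BeanComparator"
    stream = JAVA_STREAM_MAGIC + TC_STRING + len(name).to_bytes(2, "big") + name
    return base64.b64encode(gzip.compress(stream)).decode()


def timing_evidence(injected, observed, baseline=0.0, tolerance=1.0) -> dict:
    """Test the scanner's inference that each response took baseline + injected.

    Returns the least-squares slope of observed against injected (a reflected
    sleep gives ~1.0), the largest deviation from baseline + injected, and a
    verdict.  `baseline` should come from control requests without the payload;
    with one sample per delay, as in the report, treat the verdict as a lead,
    not a confirmation, and re-run with several samples per delay.
    """
    residuals = [obs - (baseline + inj) for inj, obs in zip(injected, observed)]
    mx, my = statistics.fmean(injected), statistics.fmean(observed)
    sxx = sum((x - mx) ** 2 for x in injected)
    sxy = sum((x - mx) * (y - my) for x, y in zip(injected, observed))
    slope = sxy / sxx
    return {
        "slope": round(slope, 3),
        "max_residual": round(max(abs(r) for r in residuals), 3),
        "consistent": abs(slope - 1.0) <= 0.2 and all(abs(r) <= tolerance for r in residuals),
    }


if __name__ == "__main__":
    print(inspect_payload(build_sample_payload()))
    # Numbers from the report's PROOF section.
    print(timing_evidence([3, 5, 8], [3.491512, 5.495505, 8.050464]))
    # Constructed counter-example: flat latency that ignores the injected delay.
    print(timing_evidence([3, 5, 8], [0.41, 0.39, 0.44]))
```

Paste the blob from the report into `inspect_payload` to see whether it really is a gzipped Java stream and which classes it names; on a PHP site the result tells you what was sent, not whether anything consumed it. The timing check passes on the report's three numbers (slope about 0.91, every response within half a second of the injected delay), which is exactly why a scanner flags it; whether a WordPress/PHP stack could have deserialized a Java stream is a separate question, and the only way to close it is to repeat the probes with control requests and several samples per delay against the same endpoint.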
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Takayuki Miyoshi

    (@takayukister)

    The Contact Form 7 plugin does not use Java. I guess the security scan report has nothing to do with WordPress or its plugins.

    Thread Starter cdavisgf

    (@cdavisgf)

    That’s what I thought too; I looked over the code and don’t see any calls to deserialize() that could even run. The client keeps wanting an answer and I’m completely stumped on this one. As far as I know, even if you deserialize a Java object it would not even run, but I’m not sure if you can serialize some JS and whether it would run on the front end; I don’t have any reason to think this would be happening either.


The topic ‘Java Object Deserialization’ is closed to new replies.