How do gadget chains work in relation to Java Deserialization attacks?


I would love a detailed explanation how user-controlled input goes from readObject to RCE. Java-specific.

The background

This is my attempt to add specificity to the OP question as requested in the answer here.

I have been slowly but surely breaking into web app security (from a network/infra pentesting and binary exploitation background), and am currently trying to wrap my brain around deserialization attacks, particularly Java. I have taken a few intro Java classes, and am familiar with the basic concepts of OOP, but have never done serious development work. Most of my coding experience is sysadmin-related or exploit writing (bash & python scripting), as well as reading code particularly in vuln writeups and more recently, SAST/DAST WAPTs and code reviews (new to this).

At this point, I am well aware that an application deserializing untrusted user input is very dangerous, especially in Java. However, most resources I’ve encountered thus far gloss over how the untrusted input actual results in code execution. This is what I am very interested in at a detailed level. I feel many others are in a similar position to me and would benefit from this answer.

Research I’ve done to try to understand it myself

I’ve watched Robert Seacord’s video and read portions of his whitepaper. This resource appeared really good but I think they assumed more OOP prerequisite knowledge. Ironically, someone asks a similar question to mine in Seacord’s video (I got excited at that point), but he seems to avoid discussing in-depth as he feels it would require responsible disclosure (my excitement…died).

I’ve also done some hands-on labs such as nickstaDB’s DeserLab with the associated blog post. I was able to get code execution, but don’t quite understand how I got there. The blog helped me understand a lot about the structure of the byte stream, but not how code actually gets run when readObject gets called on the stream. It references Property-Oriented Programming, and compares it to ROP which I am very familiar with. But there is still a gap in my understanding.


I’m also interested in why Robert Seacord felt that going in-depth on a gadget chain would mean he would have to responsibly disclose the gadget chain in some way. I have not heard of that being necessary for other languages such as .NET deserialization gadgets. I well understand ethics and responsible disclosure, I am wondering why or what characteristics of this technique could require disclosure, versus ROP techniques given they compare POP gadgets to ROP. Usually, an overarching technique (ex. ROP) doesn’t need to be responsibly disclosed, but an actual vulnerability does (ex. an overflow that led to exploitation using ROP).

Can a Demon make a gadget with an Exploit or Embed they can’t perform?

Can a demon make a gadget to perform an exploit or embed that their character doesn’t have? I can see two arguments:

  • No: If you don’t know the supernatural ability, you don’t know how to create it.
  • Yes: I can’t fly, but I can make a paper airplane that does, or eventually make a hang glider. Gadget fabrication is an extended action, and investing time and materials allows me to create that ability.

CPU frequency in Intel Power Gadget

  • Which core’s frequency and temperature are shown by the Intel Power Gadget tool?

  • How can I observe the frequency of all the independent cores on my MacBook?

  • Can the Intel Power Gadget be configured to do so? (I was not able to find the required setting/extension)

There’s already a discussion on observing CPU frequencies using the Terminal here:

  • Is there a way to see current CPU frequency in macOS from terminal (not Intel power gadget).

However, I cannot draw any conclusion/method of achieving this from the above. An equivalent for cpu-frequtils would have been nice to have on macOS.

Is it reasonably possible to enable vulnerabilities via gadget chains?

The meta question here is that I’m trying to understand the risks to multitenant java applications from gadget chains.

For example, we’re all familiar with the deserialization gadget that allows the creation of arbitrary java objects which can lead to RCE.

However, let’s say your json deserializaer (or whatever) is securely configured. Is it possible to create gadget chains which re-configure jackson at runtime to be insecurely configured?

More generally, is it reasonably possible to take any specific vulnerability which has been patched but develop a gadget chain to enable it?

Eg, let’s say you have a vulnerability X -> leads to Y (say, RCE).

If you could find a chain of gadgets that lead to X (say X1 -> X2 -> X) than you therefore have X1 -> X2 -> X -> Y

And for fun, let’s say X2 isn’t available, is it reasonable to try to build a chain that does something like XA2 -> XB2 -> XC2 -> X2

And therefore your path would be X1 -> XA2 -> XB2 -> XC2 -> X2 -> X -> Y?

Is this a reasonable way to look at this problem?

The reason I ask is that we build systems where we think we are safe because X isn’t immediately a risk. Or even because X1 -> X2 -> X are all patched properly, when in fact if it’s possible to decompose any vulnerability into a chain of gadgets, than we are always at risk and therefore most of our security will become the difficulty in getting past security boundaries (escaping a VM, a container, etc).

Given the number of statics in java and java 3rd party libraries, it seems to me that it could be vulnerable to a very large class of gadget chains. In other words, you don’t have to craft an attack in just one request, but can do it via a series of requests.

Is this analysis correct?

Aspect sizes are absolutely gadget

Aspect sizes are absolutely gadget too massive! It’s with Keto Bliss aid of and massive effortless to get caught in to a meal and clear your plate with no even knowing you might be over-consuming, this is in designated right of you might be susceptible to consume speedy. Don’t forget utilizing smaller dinner plates, and devour a full glass of water earlier to sitting Keto Bliss complete way proper all Keto Bliss way down to massive substances as this can likely help your physique signal Keto Bliss mind that you are full.

Drink extra Water

Does it exist any gadget that catches and copies all the digital information?

When I was watching Prison Break there was a device that was catching all the digital data and copying it. Do similar info-gathering devices really exist?

The device must be within several feet of the object it needs to read, and sometimes has difficulty reading data through safes and other metal objects. For a file as large as Scylla, it may take several minutes to copy the entire file. If the transfer is interrupted, it must start from the beginning of the file, it cannot pick up where it left off.

This is the process of copying Scylla

default gadget settings only has a toggle for "Restore all default settings (in all sections)" meaning not just gadgets. Equivalent of killing my full account settings to tie my tie exactly. I know technology asks a lot, but maybe you can spare me the ordeal of troubleshooting so I can focus again.

Please do not suggest defaults, our question is specific to’s feature-set alone.

Can somebody copy/paste their default “Gadgets” tab/section checkbox settings? Otherwise if I can get some encouragement to open a second account for testing purposes, I have never done that before and could then answer the question myself (and feel like a “karma ****” …I do not mind being but the asterisked judgement is another story), however I do/did not ever go beyond a second account except for, leaves too many questions (telling somebody is then security).

(Question title written as Broken English programmer code like suggests at the top of my feed, I have heard that called computerese. If I try to talk with my voice there are other questions, so UNIX style.)