So would the signed 'object' contain code? Or is it just data? And even if it is code, does deserializing mean execution? I guess it could mean execution at some other stage in the process.
What is the end-goal of this... would it be data exfiltration vs ransomware.
It often results in remote code/command execution; it's data that deserializes into Java objects. But during the instantiation or sometimes deconstruction of objects, code can be executed. Popular tool for Java: https://github.com/frohoff/ysoserial
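As an added illustration of the point in the comment above (this is not code from the thread or from ysoserial), here is a small Java program with a hypothetical class `Hooked` whose `readObject` hook runs inside `ObjectInputStream.readObject()`, before the caller ever sees the result, beside the Java 9+ `ObjectInputFilter` allow-list that rejects the class before it is instantiated. The class names, the `Allowed` type and the sample payload string are invented for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserDemo {

    /** Hypothetical class already on the victim's classpath. Its readObject hook
     *  runs during ObjectInputStream.readObject(), driven purely by the bytes. */
    static class Hooked implements Serializable {
        private static final long serialVersionUID = 1L;
        String payload;
        Hooked(String payload) { this.payload = payload; }

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // A real gadget chain would reach something like Runtime.exec here.
            // This stand-in only records that attacker-chosen data ran code.
            hookRan = true;
            System.out.println("readObject hook ran with payload: " + payload);
        }
    }

    /** The harmless type the application actually expects to receive. */
    static class Allowed implements Serializable {
        private static final long serialVersionUID = 1L;
        String name;
        Allowed(String name) { this.name = name; }
    }

    static boolean hookRan = false;

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Vulnerable: instantiates whatever class the stream names. */
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /** Hardened (Java 9+): an allow-list filter is consulted before any class is
     *  resolved or instantiated, so Hooked.readObject never gets to run. */
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "DeserDemo$Allowed;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowList);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: in a real attack these bytes arrive over the network.
        byte[] attackerBytes = serialize(new Hooked("touch /tmp/pwned"));
        byte[] benignBytes   = serialize(new Allowed("order-42"));

        readUnfiltered(attackerBytes);
        System.out.println("hook ran without filter: " + hookRan);   // true

        hookRan = false;
        try {
            readFiltered(attackerBytes);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
        System.out.println("hook ran with filter: " + hookRan);      // false

        Allowed a = (Allowed) readFiltered(benignBytes);
        System.out.println("allowed object read: " + a.name);
    }
}
```

Run with `javac DeserDemo.java && java DeserDemo`. The unfiltered path prints the hook message even though `main` never touches the returned object; the filtered path throws `InvalidClassException` for `Hooked` and still accepts `Allowed`. Note the filter is only as good as its allow-list: listing a class that itself has a dangerous `readObject` hook, or a broad package wildcard, reopens the problem.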
cogman10|5 months ago
That means if the shape of your object is something like
You've created a class which an attacker can plug in any object which implements `SerializableFunction` into `bar`. That includes externally created functions!

Here's an article detailing exactly how that works: https://www.baeldung.com/java-serialize-lambda
lyu07282|5 months ago
cwsx|5 months ago
The end-goal is to gain complete access to the system - the outcome (data theft or ransomware) is the customer's choice