Return of the Rhino — Analysis of MozillaRhino gadgetchain (also the writeup of HITB linkextractor)

  • HITB SECCONF “linkextractor” writeup
  • MozillaRhino revisited, rework, renew
  • Limitation of deserialization in JDK 17+
  • At the first check, filterInfo.depth == 1 and className == “ctf.linkextractor.entities.User”, so it passes the check.
  • At the second check, className == “java.util.HashSet” (the “pages” field of the User class), but filterInfo.depth == 2, so the check is skipped and the result is UNDECIDED.
  • The problem with MozillaRhino1
  • The problem with MozillaRhino2
  • Find a no-argument method that triggers RCE, whose declaring class is serializable
  • Find another suspicious Function.call() method
