Published on May 10th, 2016
RuhrSec 2016: "Java deserialization vulnerabilities – The forgotten bug class", Matthias Kaiser
Abstract. Java deserialization vulnerabilities are a bug class of their own. Although several security researchers have published details in the past, the bug class is still fairly unknown. This talk is about finding and exploiting deserialization flaws in Java. Details of a new gadget allowing Remote Code Execution will be disclosed, and several vulnerabilities discovered by Code White will be presented as case studies, including a 0day.
Biography. Matthias is the Head of Vulnerability Research at Code White. He enjoys bug-hunting in Java software because it's so easy. He has found vulnerabilities in products of Oracle, IBM, SAP, Symantec, Apache, Adobe, Atlassian, etc. Currently, he enjoys researching deserialization and looking into COM/OLE.