6 comments

[ 3.0 ms ] story [ 22.2 ms ] thread
Usually sites let you read a sentance or two before asking you to subscribe with a "popup"... this one doesn't even wait that long.
> We can’t see a path to exploit this without a valid private key. On paper, that should kill the bug dead.

The juicy theory bit:

    The vendor accidentally signed evil. Imagine this:
    When you activate your GoAnywhere product, your installation generates a serialized license request.
    It’s sent to the vendor’s license server (my.goanywhere.com)
    If someone slipped a malicious object inside that request and the vendor blindly signed it, attackers would now have a perfectly valid signed payload that works everywhere.
That would be wild if true. Basically this is a object serialization vulnerability exploited in the wild right now, but it only deserializes signed objects, so the author is speculating if their private key leaked, or even better, if the company signed the malicous payload themselves lol
Bugdoors like this will be the norm in a few years from now. Why spend the money and time and effort needed to pass something like chatcontr0l when you can just bugcontrol everything
The idea that the session ViewState is a static encryption shared across all installs (unless I misread that)... speaks poorly of the software product in general.
Ah, my most hated enemy. Java Serialization.

I know that some JDK devs will argue that it's one thing that made Java popular. And I'm sure they are right. But man oh man if it's not one of the biggest footguns in the current JDK. It also constantly gets in the way of Java language development. They had to figure out, for example, "How do I serialize a lambda"? Which should really tell you just how ridiculous this thing is.

If there's one breaking change to the JDK that I'd welcome, it's the removal of Java serialization. But that will never happen because WAY too many companies depend on it.