Share
## https://sploitus.com/exploit?id=6963E43F-92C7-577E-9453-EF79881059AF
# AWS Advanced JDBC Wrapper - Deserialization RCE via Cache Poisoning
## Vulnerability Summary
The `RemoteQueryCachePlugin` in `aws-advanced-jdbc-wrapper` uses unsafe Java deserialization (`ObjectInputStream.readObject()`) to deserialize cached query results from Valkey/Redis. An attacker with cache write access can inject a malicious serialized payload to achieve **Remote Code Execution** on application servers.
**Vulnerable Repository:** https://github.com/aws/aws-advanced-jdbc-wrapper
**Vulnerable Code:** `wrapper/src/main/java/software/amazon/jdbc/plugin/cache/CachedResultSet.java`
```java
public static ResultSet deserializeFromByteArray(byte[] data) throws SQLException {
try (ObjectInputStream ois = new ObjectInputStream(bis)) {
CachedResultSetMetaData metadata = (CachedResultSetMetaData) ois.readObject(); // UNSAFE!
}
}
```
## Attack Flow
```
βββββββββββββββββββ 1. Write to cache ββββββββββββββββ
β Attacker β βββββββββββββββββββββββββββΆβ Redis β
β (cache access) β β Cache β
βββββββββββββββββββ ββββββββ¬ββββββββ
β
2. App reads from cache β
βΌ
ββββββββββββββββ
β Victim App β
β (Java) β
ββββββββ¬ββββββββ
β
3. ObjectInputStream.readObject()
β
βΌ
π₯ RCE
```
## Proof of Concept
### Prerequisites
- Docker and Docker Compose
- Java 11+ (for ysoserial)
- Python 3 with `redis` package
### Step 1: Start the Vulnerable Environment
```bash
# Start PostgreSQL, Redis, and victim Java app
docker-compose up -d
# Wait for services to be ready
docker-compose logs -f victim-app
```
You should see:
```
[*] Connecting to database via AWS JDBC Wrapper...
[*] Executing cached query: SELECT 1
[+] Result: 1
[*] Sleeping 5 seconds before next query...
```
### Step 2: Run the Exploit
```bash
# Install dependencies
pip install redis
# Run exploit (requires Java for ysoserial)
python3 exploit.py
```
### Step 3: Verify RCE
Check your webhook: https://webhook.site/25ce9523-a606-4147-a549-b95795f250c9
The `/etc/passwd` from the victim container will appear within 5 seconds.
## Impact
**Cache Write Access β Remote Code Execution**
An attacker with only cache write access (low privilege) achieves:
- RCE on every application server using this cache
- Access to AWS IAM credentials, secrets, customer data
- Lateral movement to internal services
### Attack Scenarios
1. **Shared Cache**: Multiple apps share Redis. Compromise one β RCE on all.
2. **Misconfigured Redis**: Exposed without auth (common).
3. **SSRF to Cache**: SSRF in another component β cache poisoning.
## Remediation
Replace unsafe Java serialization with JSON:
```java
// UNSAFE:
ObjectInputStream ois = new ObjectInputStream(bis);
metadata = (CachedResultSetMetaData) ois.readObject();
// SAFE:
ObjectMapper mapper = new ObjectMapper();
metadata = mapper.readValue(data, CachedResultSetMetaData.class);
```
## Files
- `docker-compose.yml` - Full test environment
- `java-app/` - Vulnerable victim application
- `exploit.py` - Cache poisoning exploit
- `poison_cache.py` - Generic cache poisoning utility
## References
- CWE-502: Deserialization of Untrusted Data
- https://github.com/frohoff/ysoserial