Share
## https://sploitus.com/exploit?id=6963E43F-92C7-577E-9453-EF79881059AF
# AWS Advanced JDBC Wrapper - Deserialization RCE via Cache Poisoning

## Vulnerability Summary

The `RemoteQueryCachePlugin` in `aws-advanced-jdbc-wrapper` uses unsafe Java deserialization (`ObjectInputStream.readObject()`) to deserialize cached query results from Valkey/Redis. An attacker with cache write access can inject a malicious serialized payload to achieve **Remote Code Execution** on application servers.

**Vulnerable Repository:** https://github.com/aws/aws-advanced-jdbc-wrapper

**Vulnerable Code:** `wrapper/src/main/java/software/amazon/jdbc/plugin/cache/CachedResultSet.java`

```java
public static ResultSet deserializeFromByteArray(byte[] data) throws SQLException {
    try (ObjectInputStream ois = new ObjectInputStream(bis)) {
      CachedResultSetMetaData metadata = (CachedResultSetMetaData) ois.readObject();  // UNSAFE!
    }
}
```

## Attack Flow

```
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”     1. Write to cache      β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚   Attacker      β”‚ ──────────────────────────▢│   Redis      β”‚
β”‚ (cache access)  β”‚                             β”‚   Cache      β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜                             β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜
                                                       β”‚
                     2. App reads from cache           β”‚
                                                       β–Ό
                                                β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
                                                β”‚  Victim App  β”‚
                                                β”‚  (Java)      β”‚
                                                β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜
                                                       β”‚
                              3. ObjectInputStream.readObject()
                                                       β”‚
                                                       β–Ό
                                                   πŸ’₯ RCE
```

## Proof of Concept

### Prerequisites

- Docker and Docker Compose
- Java 11+ (for ysoserial)
- Python 3 with `redis` package

### Step 1: Start the Vulnerable Environment

```bash
# Start PostgreSQL, Redis, and victim Java app
docker-compose up -d

# Wait for services to be ready
docker-compose logs -f victim-app
```

You should see:
```
[*] Connecting to database via AWS JDBC Wrapper...
[*] Executing cached query: SELECT 1
[+] Result: 1
[*] Sleeping 5 seconds before next query...
```

### Step 2: Run the Exploit

```bash
# Install dependencies
pip install redis

# Run exploit (requires Java for ysoserial)
python3 exploit.py
```

### Step 3: Verify RCE

Check your webhook: https://webhook.site/25ce9523-a606-4147-a549-b95795f250c9

The `/etc/passwd` from the victim container will appear within 5 seconds.

## Impact

**Cache Write Access β†’ Remote Code Execution**

An attacker with only cache write access (low privilege) achieves:
- RCE on every application server using this cache
- Access to AWS IAM credentials, secrets, customer data
- Lateral movement to internal services

### Attack Scenarios

1. **Shared Cache**: Multiple apps share Redis. Compromise one β†’ RCE on all.
2. **Misconfigured Redis**: Exposed without auth (common).
3. **SSRF to Cache**: SSRF in another component β†’ cache poisoning.

## Remediation

Replace unsafe Java serialization with JSON:

```java
// UNSAFE:
ObjectInputStream ois = new ObjectInputStream(bis);
metadata = (CachedResultSetMetaData) ois.readObject();

// SAFE:
ObjectMapper mapper = new ObjectMapper();
metadata = mapper.readValue(data, CachedResultSetMetaData.class);
```

## Files

- `docker-compose.yml` - Full test environment
- `java-app/` - Vulnerable victim application
- `exploit.py` - Cache poisoning exploit
- `poison_cache.py` - Generic cache poisoning utility

## References

- CWE-502: Deserialization of Untrusted Data
- https://github.com/frohoff/ysoserial