A study of the CVE-2017-3066 vulnerability. Java deserialization.

# CVE-2017-3066
## Description
Adobe ColdFusion uses the Action Message Format (AMF). AMF is a custom binary serialization protocol with two formats: AMF0 and AMF3. An Action message consists of headers and bodies. There are several implementations of AMF in different languages. For Java there is Adobe BlazeDS (now Apache BlazeDS), which is also used in Adobe ColdFusion.

Adobe ColdFusion is affected by a Java deserialization flaw in its Apache BlazeDS library when it handles untrusted Java objects, which allows a remote attacker to execute code (a remote code execution vulnerability).
## Vulnerable Version

## Update Version

## Comparison of vulnerable and updated version
WinMerge
Update files:

The flex-messaging-core.jar library contains the class `flex.messaging.validators.ClassDeserializationValidator`, which performs the validation. It was therefore decompiled separately with the Java Decompiler and the result was compared again in WinMerge.

## Install
Installation and exploitation: <https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2017-3066>
## Suricata
The file `test.rules` contains a rule for Suricata. The rule detects attempts to exploit the vulnerability in network traffic.

The rule is enabled in the `/etc/suricata/suricata.yaml` file:
```
default-rule-path: /etc/suricata
rule-files:
- test.rules
```
Run:
```
suricata -c /etc/suricata/suricata.yaml -i ens33
```
Log: `/var/log/suricata/fast.log`

Signature: `79 73 6F 73 65 72 69 61` = ysoserial
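
For triaging what the rule writes to `fast.log`, the following added example (not part of this repository) parses fast.log lines and counts the hits of one rule per source and destination. The sample lines, the sid `1000001` and the msg text are constructed assumptions, because the content of `test.rules` is not shown here.

```python
import re
from collections import Counter

# Constructed fast.log lines (not captured traffic). sid 1000001 and the msg
# text are assumptions; the real values come from test.rules.
SAMPLE_FAST_LOG = """\
10/05/2017-11:22:33.123456  [**] [1:1000001:1] ColdFusion AMF ysoserial payload [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:51234 -> 192.0.2.20:8500
10/05/2017-11:22:40.000100  [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.11:40000 -> 192.0.2.20:443
10/05/2017-11:23:01.654321  [**] [1:1000001:1] ColdFusion AMF ysoserial payload [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:51240 -> 192.0.2.20:8500
this line is truncated [**] [1:1000001
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src -> dst
FAST_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>.*?)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def parse_fast_log(text):
    """Return (alerts, skipped): parsed alert dicts and the unparseable line count."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FAST_LINE.match(line)
        if m is None:
            skipped += 1  # counted, so a damaged log does not go unnoticed
            continue
        alert = m.groupdict()
        # rpartition splits off the port and keeps IPv6 addresses intact
        alert["src_ip"], _, alert["src_port"] = alert.pop("src").rpartition(":")
        alert["dst_ip"], _, alert["dst_port"] = alert.pop("dst").rpartition(":")
        alerts.append(alert)
    return alerts, skipped

def hits_for_sid(alerts, sid):
    """Count alerts of one rule per (source IP, destination ip:port) pair."""
    return Counter((a["src_ip"], f'{a["dst_ip"]}:{a["dst_port"]}')
                   for a in alerts if a["sid"] == str(sid))

if __name__ == "__main__":
    alerts, skipped = parse_fast_log(SAMPLE_FAST_LOG)
    for (src, dst), n in hits_for_sid(alerts, 1000001).items():
        print(f"{n} alert(s): {src} -> {dst}")
    print(f"{skipped} line(s) could not be parsed")
```
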

```
[4.0K] /data/pocs/eb66d1095ff5f660b0b6ce0d6e41942982c8b504
├── [1.7K] README.md
├── [4.0K] screen
│   ├── [114K] add_check.PNG
│   ├── [ 71K] Update_flex.PNG
│   ├── [ 27K] update_version.PNG
│   └── [ 45K] vuln_version.PNG
└── [ 149] test.rules

1 directory, 6 files
```