A Journey From JNDI/LDAP Manipulation to Remote Code Execution Dream Land

by Alvaro Munoz, Oleksandr Mirosh | Sept. 14, 2017 | via www.blackhat.com | submitted by belen_caty

This talk will present a new type of vulnerability named "JNDI Reference Injection", found in malware samples attacking Java Applets (CVE-2015-4902). The same principles can be applied to attack web applications running JNDI lookups on names controlled by attackers. As we will demo during the talk, attackers will be able to use different techniques to run arbitrary code on the server performing JNDI lookups.
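The condition the abstract describes, a JNDI lookup on a caller-controlled name, is shown below next to a hardened form. This is an added example, not code from the talk or its authors; the class name, the allowlisted resource names and the sample inputs are assumptions made for illustration.

```java
import java.util.Set;
import javax.naming.Context;
import javax.naming.NamingException;

public class SafeJndiLookup {
    // Hypothetical allowlist: the only resources this application ever resolves.
    private static final Set<String> ALLOWED = Set.of("jdbc/OrdersDS", "jms/AuditQueue");
    // Fixed local namespace, so the caller never chooses a naming provider or host.
    private static final String PREFIX = "java:comp/env/";

    // Risky pattern: the request value reaches lookup() unchanged, so the caller
    // decides which name (and therefore which naming service) is resolved.
    static Object lookupUnchecked(Context ctx, String nameFromRequest) throws NamingException {
        return ctx.lookup(nameFromRequest);
    }

    // Hardened form: the request value is only a key into the allowlist.
    // Exact matching rejects URL-style names, path tricks and anything unexpected.
    static String toTrustedName(String nameFromRequest) {
        if (nameFromRequest == null || !ALLOWED.contains(nameFromRequest)) {
            throw new IllegalArgumentException("JNDI name not on allowlist");
        }
        return PREFIX + nameFromRequest;
    }

    static Object lookupChecked(Context ctx, String nameFromRequest) throws NamingException {
        return ctx.lookup(toTrustedName(nameFromRequest));
    }

    public static void main(String[] args) {
        // Constructed sample inputs; no naming service is contacted here.
        String[] samples = {
            "jdbc/OrdersDS",
            "ldap://directory.example.invalid/cn=x",
            "jdbc/../OrdersDS",
            null
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + toTrustedName(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected");
            }
        }
    }
}
```

Only the first sample maps to a name; the other three are rejected before any `Context` is touched.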


Steven Ulm 4 weeks, 1 day ago

Very useful presentation! Thank you Alvaro and Oleksandr for uploading it to SecurityDocs!