Rhino Security Labs

Technical Blog

Java Deserialization Exploitation With
Customized Ysoserial Payloads

David Yesland

During a recent application assessment at Rhino we identified a Java deserialization vulnerability which ended up leading to unauthenticated remote code execution. Exploitation of the vulnerability turned out to not be as simple as…

CVE-2019-0227: Expired Domain to Remote Code Execution in Apache Axis

NVIDIA Arbitrary File Writes to Command Execution
CVE-2019-5674

Exploiting CVE-2018-1335:
Command Injection in Apache Tika

David Yesland

This post is a walk-through of steps taken to go from an undisclosed CVE for a command injection vulnerability in the Apache tika-server to a complete exploit. The CVE is https://nvd.nist.gov/vuln/detail/CVE-2018-1335. Since Apache Tika is…