Teddy Thobane
Teddy is a Johannesburg-based security researcher with a background in breaking, making, and occasionally breaking the things he just made. With a BSc in Computer Science and experience across web, infrastructure, and binary exploitation, he now spends his days reverse engineering JVMs and his nights debating whether fuzzing counts as a personality trait.
Previously part of the SensePost crew, and currently working at Whirly Labs, Teddy's research blends deep technical insight with a sharp instinct for exploitation — especially when arbitrary class loading is involved. If there's a gadget chain, he'll find it. If there's a way to pop a shell, best believe he's trying his best to hit ret.
Session
Java remains the bedrock of enterprise software. Its widespread use makes it a valuable target for attackers to pursue, and an important one for pentesters to understand. Despite that, opportunities to test Java applications seem fewer than they should be, so we're excited to discuss the results of this research.
In this talk, we provide insights into the exploitation of arbitrary class loading on the JVM, focusing on an illustrative vulnerability we discovered in the Graylog server (CVE-2024-24824) to facilitate the discussion. We will provide an overview of the methodologies we used to find it, highlighting the tools and techniques that proved effective in our research.
We will explore the various exploitation opportunities this vulnerability allowed, including XXE and SSRF attacks, among others. We will also discuss the limitations we encountered that prevented us from exploiting it further.
By sharing our findings, we aim to enhance the understanding of arbitrary class loading vulnerabilities in Java applications and foster a dialogue on the importance of robust security practices in software development.