Deserialization vulnerabilities

GreenDog
November 21, 2017

Explanation of attacks on deserialization libs.
Python Pickle, Node.js node-serialize, Java XMLDecoder, Java Jackson, Java Native Deserialization

Transcript

  1. Deserialization vulns. Aleksei “GreenDog” Tiurin, https://twitter.com/antyurin

  2. Basics: Class -> Object. Properties. Methods.

  3. Serialization / Deserialization. What is it? Pic from https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf

  4. Various representations of objects: - JSON - XML - YAML - Binary - … Java has ~30 libs (formats, speed, capabilities, size, etc.)

  5. Easy, at first glance?

  6. Not so easy: - Very complex objects - Constructor? - Multiple constructors?

  7. Not so easy: - Don’t know exact class. User webUser = objectMapper.readValue(json_str, User.class); Host webHost = objectMapper.readValue(json_str, Host.class);

  8. Not so easy: - Arbitrary objects with classes from client - Call methods

  9. Not so easy: - Very complex objects (object inside object inside object = Matryoshka) - Constructor? Multiple constructors? - Don’t know exact class - Arbitrary objects with classes from client - Call methods - Language features and limitations - etc.

  10. A lot of libs with various features and implementations

  11. Python Pickle

  12. Python Pickle - do whatever you want - Arbitrary objects - Call methods *

  13. Java XMLDecoder

  14. Java XMLDecoder - XMLJAVA - Arbitrary objects - Call arbitrary methods

  15. Node.js node-serialize - Arbitrary objects - Function is an object

  16. Node.js node-serialize. Example from: https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/

  17. Node.js node-serialize – How to implement it securely? - Execute methods (insecure implementation) - Use Immediately Invoked Function Expression (just add ())

  18. Java Jackson (JSON) - Bean-based - Default empty constructor

  19. Java Jackson - Bean-based - Default empty constructor - Strict type check => Safe by default

  20. Java Jackson - Don’t know exact class? => Not so safe if it’s too wide

  21. Java Jackson - Don’t know exact class? => Not so safe if it’s too wide - Classes with dangerous stuff in setters. https://github.com/mbechler/marshalsec https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
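Slides 18 to 21 contrast Jackson's bean-based, strictly typed binding (safe by default) with the "too wide" case where the declared type does not pin down the class. The following Java example is added here to illustrate that contrast; it is not code from the talk or from the Jackson project. It assumes Jackson 2.10 or later (for `activateDefaultTyping` and `BasicPolymorphicTypeValidator`), and the package prefix `com.example.model.` is a placeholder.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

public class JacksonTypeScopeDemo {

    // Closed hierarchy: the "kind" property in the JSON may only select one of the
    // two registered subclasses. Any other type id fails with InvalidTypeIdException
    // instead of being resolved to some arbitrary class on the classpath.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = EmailContact.class, name = "email"),
        @JsonSubTypes.Type(value = PhoneContact.class, name = "phone")
    })
    public static abstract class Contact { public String label; }
    public static class EmailContact extends Contact { public String address; }
    public static class PhoneContact extends Contact { public String number; }

    // "Too wide": a field declared as Object says nothing about what may be bound to it.
    public static class Envelope { public String id; public Object payload; }

    // Default mapper: no default typing, so a JSON object bound to Object becomes a
    // plain Map (or List/String/Number), never a class chosen by the input.
    static final ObjectMapper STRICT = new ObjectMapper();

    // Only when polymorphic typing is genuinely required: constrain it to the
    // application's own model package (hypothetical prefix) instead of letting the
    // JSON name any class that happens to be on the classpath.
    static final ObjectMapper RESTRICTED_DEFAULT_TYPING = new ObjectMapper()
        .activateDefaultTyping(
            BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build(),
            ObjectMapper.DefaultTyping.NON_FINAL);

    public static Contact parseContact(String json) throws Exception {
        return STRICT.readValue(json, Contact.class);
    }

    public static Envelope parseEnvelope(String json) throws Exception {
        return STRICT.readValue(json, Envelope.class);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a registered type id binds to the expected subclass.
        Contact ok = parseContact(
            "{\"kind\":\"email\",\"label\":\"work\",\"address\":\"a@example.test\"}");
        System.out.println("bound to " + ok.getClass().getSimpleName());

        // Constructed input: an unregistered type id is rejected by the closed set.
        try {
            parseContact("{\"kind\":\"other\",\"label\":\"x\"}");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }

        // Constructed input: with no default typing, an Object-typed field binds to
        // natural JSON types only (here a LinkedHashMap), which is the "safe by default"
        // behaviour of slide 19.
        Envelope env = parseEnvelope("{\"id\":\"1\",\"payload\":{\"x\":1}}");
        System.out.println("payload class: " + env.payload.getClass().getName());
    }
}
```

The design point is that the set of instantiable classes must be decided by the application (an explicit `@JsonSubTypes` list, or at minimum a `PolymorphicTypeValidator` restricted to its own packages), never by a class name supplied in the JSON. Reviewing a code base for `enableDefaultTyping()` calls and for `@JsonTypeInfo(use = Id.CLASS)` on `Object`-typed fields is the quickest way to find the "too wide" cases the slides warn about.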
  22. Java Native Binary - Field-based/Reflection API - No method calls? • java.lang.Object->hashCode() • java.lang.Object->equals() • java.lang.Comparable->compareTo()

  23. Java Native Binary - Field-based/Reflection API - No method calls? • java.lang.Object->hashCode() • java.lang.Object->equals() • java.lang.Comparable->compareTo() • finalize() • …

  24. Java Native Binary - Create then Cast => Any object of known classes. You can implement your own before-deserialization type checker.

  25. Java Native Binary - No constructor – readObject

  26. Java Native Binary. Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf

  27. Java Native Binary - No constructor – readObject. OJDBC lib / OraclePooledConnection: - Serialize object - Send it - readObject - SSRF - Exception in Casting. SSRF via connection string IP:port:anything_here. Binary_data+your Text Here …

  28. Java Native Binary - Dynamic Proxy support => More gadgets (classes). Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf

  29. Java Native Binary - ysoserial https://github.com/frohoff/ysoserial: CommonsCollections 3.1, CommonsCollections 4.0, Jdk7u21, Spring Framework 4.1.4, Hibernate, … ~30 gadget chains - https://github.com/pwntester/JRE8u20_RCE_Gadget JRE8u20

  30. Java Native Binary - Look-ahead deserialization - Type check before deserialization - white list - black list
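Slide 24 ("you can implement your own before-deserialization type checker") and slide 30 (look-ahead deserialization with a white list) describe the same defence: decide whether a class is acceptable before `ObjectInputStream` instantiates it, because the cast on the receiving side happens only after `readObject()` (and any gadget chain) has already run. The Java below is an added example of that technique, not code from the talk; the `Address` class and the allowlist contents are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

public class LookAheadDeserialization {

    // The only type this endpoint expects (constructed for the example).
    public static final class Address implements Serializable {
        private static final long serialVersionUID = 1L;
        final String city;
        Address(String city) { this.city = city; }
    }

    // Look-ahead stream: resolveClass() is invoked for every class descriptor in the
    // stream before an instance of that class is created, so a class that is not on
    // the allowlist is rejected before its readObject()/readResolve() can execute.
    // Note: for arrays desc.getName() is the JVM form, e.g. "[Lcom.example.Foo;",
    // so arrays of a type must be listed explicitly if they are expected.
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        LookAheadObjectInputStream(byte[] data, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(data));
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static Object deserialize(byte[] data, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (LookAheadObjectInputStream in = new LookAheadObjectInputStream(data, allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allowlist holds exactly the classes the endpoint is designed to receive.
        // (java.lang.String is written as a string constant, not a class descriptor,
        // so the Address.city field does not need a separate entry.)
        Set<String> allowed = Set.of(Address.class.getName());

        Object ok = deserialize(serialize(new Address("Tallinn")), allowed);
        System.out.println("accepted: " + ((Address) ok).city);

        // A HashMap is harmless by itself, but it is not what this endpoint expects;
        // the allowlist rejects it, and any other unlisted class, before instantiation.
        try {
            deserialize(serialize(new HashMap<String, String>()), allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

A white list, as here, is the robust form: the slide's black-list alternative has to keep pace with every new gadget chain (slide 29 counts about 30 in ysoserial alone). On Java 9 and later, and in the JDK 8 updates that backported JEP 290, the same policy can be applied with the built-in `ObjectInputFilter` (for example `ObjectInputFilter.Config.createFilter("com.example.model.*;!*")`, where the trailing `!*` rejects everything not matched earlier), which also lets you cap depth and array sizes to address the "won't fix" DoS cases mentioned on slide 32.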
  31. Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf

  32. Java Native Binary - Everything is broken - RMI - JMX - JNDI + Won’t fix JRE DoSes - JMS + JVM langs: Scala, Groovy, Kotlin… - AFM - *Faces(ViewStates) …

  33. Conclusion - We control serialized object - Basic requirements - Set class/object - Call method - Attacks on business logic - Language independent (Ruby, PHP, .NET, etc.)

  34. Questions? https://github.com/GrrrDog/ZeroNights-WebVillage-2017 Cheat sheet about Java Deserialization attacks: https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet