Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Deserialization vulnerabilities

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for GreenDog GreenDog
November 21, 2017
Technology
1
1.1k

Deserialization vulnerabilities

Explanation of attacks on deserialization libs.
Python Pickle, Node.js node-serialize, Java XMLDecoder, Java Jackson, Java Native Deserialization

Avatar for GreenDog

GreenDog

November 21, 2017
Tweet

More Decks by GreenDog

See All by GreenDog
How to break SAML if I have paws?
Avatar for GreenDog greendog
1
2.9k
Weird proxies/2 and a bit of magic
Avatar for GreenDog greendog
3
10k
Reverse proxies & Inconsistency
Avatar for GreenDog greendog
3
5.7k
MITM Attacks on HTTPS: Another Perspective
Avatar for GreenDog greendog
2
860

Other Decks in Technology

See All in Technology
会社紹介資料 / Sansan Company Profile
Avatar for Sansan, Inc. sansan33
PRO
15
400k
茨城の思い出を振り返る ~CDKのセキュリティを添えて~ / 20260201 Mitsutoshi Matsuo
Avatar for SHIFT EVOLVE shift_evolve
PRO
1
110
生成AI時代にこそ求められるSRE / SRE for Gen AI era
Avatar for ymotongpoo ymotongpoo
4
2k
Bill One 開発エンジニア 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
4
17k
ブロックテーマでサイトをリニューアルした話 / 2026-01-31 Kansai WordPress Meetup
Avatar for Toro_Unit (Hiroshi Urabe) torounit
0
350
制約が導く迷わない設計 〜 信頼性と運用性を両立するマイナンバー管理システムの実践 〜
Avatar for ないとー bwkw
2
750
最速で価値を出すための プロダクトエンジニアのツッコミ術
Avatar for Kazuto Ohara kaacun
1
510
usermode linux without MMU - fosdem2026 kernel devroom
Avatar for Hajime Tazaki thehajime
0
190
GSIが複数キー対応したことで、俺達はいったい何が嬉しいのか?
Avatar for Makky12 smt7174
3
120
Werner Vogelsが14年間 問い続けてきたこと
Avatar for Yusuke Shimizu yusukeshimizu
2
300
無ければ作る! バイブコーディングで作ったものを一気に紹介 
Avatar for tatsuya1970 tatsuya1970
0
110
All About Sansan – for New Global Engineers
Avatar for Sansan, Inc. sansan33
PRO
1
1.3k

Featured

See All Featured
Max Prin - Stacking Signals: How International SEO Comes Together (And Falls Apart)
Avatar for Tech SEO Connect techseoconnect
PRO
0
76
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
59
6.3k
Heart Work Chapter 1 - Part 1
Avatar for Lake Fama lfama
PRO
5
35k
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
356
21k
BBQ
Avatar for Matthew Crist matthewcrist
89
10k
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
247
13k
Joys of Absence: A Defence of Solitary Play
Avatar for Sebastian Deterding codingconduct
1
280
Odyssey Design
Avatar for Ryan Kendrick rkendrick25
PRO
1
480
Game over? The fight for quality and originality in the time of robots
Avatar for Wayne Barker wayneb77
1
93
The Limits of Empathy - UXLibs8
Avatar for Cassini Nazir cassininazir
1
210
Why Our Code Smells
Avatar for Brandon Keepers bkeepers
PRO
340
58k
How Software Deployment tools have changed in the past 20 years
Avatar for Geshan Manandhar geshan
0
32k

Transcript

  1. Deserialization vulns Aleksei “GreenDog” Tiurin https://twitter.com/antyurin

  2. Basics: Class -> Object Properties Methods Deserialization vulns

  3. Serialization / Deserialization. What is it? Pic from https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf Deserialization

    vulns

  4. Various representations of objects: - JSON - XML - YAML

    - Binary - … Java has ~ 30 libs (formats, speed, capabilities, size, etc) Deserialization vulns

  5. Easy, at first glance? Deserialization vulns

  6. Not so easy: - Very Complex objects - Constructor? -

    Multiple constructors? Deserialization vulns

  7. Not so easy: - Don’t know exact class User webUser

    = objectMapper.readValue(json_str, User.class); Host webHost = objectMapper.readValue(json_str, Host.class); Deserialization vulns

  8. Not so easy: - Arbitrary objects with classes from client

    - Call methods Deserialization vulns

  9. Not so easy: - Very Complex objects object inside object

    inside object = Matryoshka - Constructor? Multiple constructors? - Don’t know exact class - Arbitrary objects with classes from client - Call methods - Language features and limitations - etc Deserialization vulns

  10. A lot of libs with various features and implementations Deserialization

    vulns

  11. Python Pickle Deserialization vulns

  12. Python Pickle - do whatever you want - Arbitrary objects

    - Call methods * Deserialization vulns

  13. Java XMLDecoder Deserialization vulns

  14. Java XMLDecoder - XMLJAVA - Arbitrary objects - Call arbitrary

    methods Deserialization vulns

  15. Node.js node-serialize - Arbitrary objects - Function is an object

    Deserialization vulns

  16. Node.js node-serialize Example from: https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/ Deserialization vulns

  17. Node.js node-serialize – How to implement it secure? - Execute

    methods (insecure implemention) - Use Immediately invoked function expression (just add ()) Deserialization vulns

  18. Java Jackson (JSON) - Bean-based - Default empty constructor Deserialization

    vulns

  19. Java Jackson - Bean-based - Default empty constructor - Strict

    type check => Safe by default Deserialization vulns

  20. Java Jackson - Don’t know exact class ? => Not

    so safe if it’s too wide Deserialization vulns

  21. Java Jackson - Don’t know exact class ? => Not

    so safe if it’s too wide - Classes with danger stuff in setters https://github.com/mbechler/marshalsec https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/ Deserialization vulns

  22. Java Native Binary - Field-based/Reflection API - No method calls?

    • java.lang.Object->hashCode(), java.lang.Object->equals(), and • java.lang.Comparable->compareTo() Deserialization vulns

  23. Java Native Binary - Field-based/Reflection API - No method calls?

    • java.lang.Object->hashCode() • java.lang.Object->equals() • java.lang.Comparable->compareTo() • finalize() • … Deserialization vulns

  24. Java Native Binary - Create then Cast => Any object

    of known classes You can implement your own before-deserialization type checker Deserialization vulns

  25. Java Native Binary - No constructor – readObject Deserialization vulns

  26. Java Native Binary Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf Deserialization vulns

  27. Java Native Binary - No constructor – readObject OJDBC lib

    / OraclePooledConnection: - Serialize object - Send it - readObject - SSRF - Exception in Casting Deserialization vulns SSRF via connection string IP:port:anything_here Binary_data+your Text Here …

  28. Java Native Binary - Dynamic Proxy support => More gadgets

    (classes) Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning- your-java-endpoints.pdf Deserialization vulns

  29. Java Native Binary - ysoserial https://github.com/frohoff/ysoserial CommonsCollections 3.1 CommonsCollections 4.0

    Jdk7u21 Spring Framework 4.1.4 Hibernate … ~ 30 gadget chains - https://github.com/pwntester/JRE8u20_RCE_Gadget JRE8u20 Deserialization vulns

  30. Java Native Binary - Look ahead deserialization - Type check

    before deserialization - white list - black list Deserialization vulns

  31. Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java- endpoints.pdf Deserialization vulns

  32. Java Native Binary - Everything is broken - RMI -

    JMX - JNDI + Won’t fix JRE DoSes - JMS + JVM langs: Scala, Groovy, Kotlin… - AFM - *Faces(ViewStates) … Deserialization vulns

  33. Conclusion - We control serialized object - Basic requirements -

    Set class/object - Call method - Attacks on business logic - Language independent (Ruby, PHP, .NET, etc) Deserialization vulns

  34. Questions? https://github.com/GrrrDog/ZeroNights-WebVillage-2017 Cheat sheet about Java Deserialization attacks: https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet Deserialization

    vulns