
Deserialization vulnerabilities

GreenDog
November 21, 2017

Explanation of attacks on deserialization libs.
Python Pickle, Node.js node-serialize, Java XMLDecoder, Java Jackson, Java Native Deserialization

Transcript

  1. Deserialization vulns
    Aleksei “GreenDog” Tiurin
    https://twitter.com/antyurin

  2. Basics:
    Class -> Object
    Properties
    Methods

  3. Serialization / Deserialization. What is it?
    Pic from https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf

  4. Various representations of objects:
    - JSON
    - XML
    - YAML
    - Binary
    - …
    Java has ~ 30 libs (formats, speed, capabilities, size, etc)

  5. Easy, at first glance?

  6. Not so easy:
    - Very Complex objects
    - Constructor?
    - Multiple constructors?

  7. Not so easy:
    - Don’t know exact class
    User webUser = objectMapper.readValue(json_str, User.class);
    Host webHost = objectMapper.readValue(json_str, Host.class);

  8. Not so easy:
    - Arbitrary objects with classes from client
    - Call methods

  9. Not so easy:
    - Very Complex objects
    object inside object inside object = Matryoshka
    - Constructor? Multiple constructors?
    - Don’t know exact class
    - Arbitrary objects with classes from client
    - Call methods
    - Language features and limitations
    - etc

  10. A lot of libs with various features and implementations

  11. Python Pickle

  12. Python Pickle - do whatever you want
    - Arbitrary objects
    - Call methods *

  13. Java XMLDecoder

  14. Java XMLDecoder - XMLJAVA
    - Arbitrary objects
    - Call arbitrary methods

  15. Node.js node-serialize
    - Arbitrary objects
    - Function is an object

  16. Node.js node-serialize
    Example from:
    https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/

  17. Node.js node-serialize – How to implement it securely?
    - Execute methods (insecure implementation)
    - Use Immediately Invoked Function Expression (just add ())

  18. Java Jackson (JSON)
    - Bean-based
    - Default empty constructor

  19. Java Jackson
    - Bean-based
    - Default empty constructor
    - Strict type check
    => Safe by default

  20. Java Jackson
    - Don’t know exact class ?
    => Not so safe if it’s too wide

  21. Java Jackson
    - Don’t know exact class ?
    => Not so safe if it’s too wide
    - Classes with danger stuff in setters
    https://github.com/mbechler/marshalsec
    https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/

  22. Java Native Binary
    - Field-based/Reflection API
    - No method calls?
    • java.lang.Object->hashCode(), java.lang.Object->equals(), and
    • java.lang.Comparable->compareTo()

  23. Java Native Binary
    - Field-based/Reflection API
    - No method calls?
    • java.lang.Object->hashCode()
    • java.lang.Object->equals()
    • java.lang.Comparable->compareTo()
    • finalize()
    • …
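Slides 22 and 23 make the point that a "field-based" deserializer still runs code from the restored classes, because rebuilding a hash-based container forces hashCode()/equals() (and compareTo() for sorted ones) to be called on every key. Python's pickle behaves the same way, so the following added example (written for this transcript, not part of the original deck) records which methods of a constructed sample class run during pickle.loads even though the caller never invokes anything explicitly:

```python
import pickle

# Records every method invocation, in order, so we can see what the loader triggers.
CALLS = []


class Tag:
    """Constructed sample class used as a dictionary key (hypothetical, not from the deck)."""

    def __init__(self, name):
        self.name = name

    def __hash__(self):
        # Any dict/set rebuild must hash its keys, so this runs during deserialization.
        CALLS.append(f"__hash__({self.name})")
        return hash(self.name)

    def __eq__(self, other):
        # Invoked only on a bucket collision, so it may or may not appear in the log.
        CALLS.append(f"__eq__({self.name})")
        return isinstance(other, Tag) and self.name == other.name


def methods_invoked_on_load() -> list:
    """Return the list of Tag methods that ran while the dict was being unpickled."""
    data = pickle.dumps({Tag("a"): 1, Tag("b"): 2})
    CALLS.clear()                 # drop the calls made while building the dict literal
    restored = pickle.loads(data)  # no method is called explicitly here ...
    assert {k.name for k in restored} == {"a", "b"}
    return list(CALLS)            # ... yet __hash__ ran once per key during SETITEMS


if __name__ == "__main__":
    print(methods_invoked_on_load())
```

The practical consequence for a defender is the same as on the slides: restricting which classes the stream may name (not which methods the application calls) is what bounds the code that can run, because the container rebuild itself dispatches to the key class.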

  24. Java Native Binary
    - Create then Cast
    => Any object of known classes
    You can implement your own before-deserialization type checker

  25. Java Native Binary
    - No constructor – readObject

  26. Java Native Binary
    Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf

  27. Java Native Binary
    - No constructor – readObject
    OJDBC lib / OraclePooledConnection:
    - Serialize object
    - Send it
    - readObject
    - SSRF
    - Exception in Casting
    SSRF via connection string: IP:port:anything_here
    (payload layout: binary data + your text here)

  28. Java Native Binary
    - Dynamic Proxy support
    => More gadgets (classes)
    Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf

  29. Java Native Binary
    - ysoserial https://github.com/frohoff/ysoserial
    CommonsCollections 3.1
    CommonsCollections 4.0
    Jdk7u21
    Spring Framework 4.1.4
    Hibernate
    … ~ 30 gadget chains
    - https://github.com/pwntester/JRE8u20_RCE_Gadget
    JRE8u20

  30. Java Native Binary
    - Look ahead deserialization
    - Type check before deserialization
    - white list
    - black list

  31. Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf

  32. Java Native Binary - Everything is broken
    - RMI
    - JMX
    - JNDI + Won’t fix JRE DoSes
    - JMS + JVM langs: Scala, Groovy, Kotlin…
    - AMF
    - *Faces(ViewStates)

  33. Conclusion
    - We control serialized object
    - Basic requirements
    - Set class/object
    - Call method
    - Attacks on business logic
    - Language independent (Ruby, PHP, .NET, etc)

  34. Questions?
    https://github.com/GrrrDog/ZeroNights-WebVillage-2017
    Cheat sheet about Java Deserialization attacks:
    https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet