Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Deserialization vulnerabilities

GreenDog
November 21, 2017
Technology
1
670

Deserialization vulnerabilities

Explanation of attacks on deserialization libs.
Python Pickle, Node.js node-serialize, Java XMLDecoder, Java Jackson, Java Native Deserialization

GreenDog

November 21, 2017
Tweet

More Decks by GreenDog

See All by GreenDog
Weird proxies/2 and a bit of magic
greendog
2
7.6k
Reverse proxies & Inconsistency
greendog
2
3.7k
MITM Attacks on HTTPS: Another Perspective
greendog
1
620

Other Decks in Technology

See All in Technology
初学者が1ヶ月ほどAWS CDKを勉強してみた - AWS CDK Conference Japan 2023
sakaguchi
0
570
Keynote: Kishore Gopalakrishna, StarTree - The Rise of Real-Time Analytics | RTA Summit 2023
startree
PRO
0
120
心理的安全性に対して個人とチームで取り組んできたこと
hiro_torii
1
300
Get started with OSS contributions
sinsoku
2
520
SWEBOK V3からV4への改訂に見るソフトウェアエンジニアリングの発展とソフトウェア保守・進化
washizaki
0
200
複数AWSアカウントに リソース構築する時 どうしてますか?
honma12345
0
360
開発生産性を採用の武器にする
naoto_pq
0
490
Amazon VPC Lattice を使い始める前におさえておきたいポイント n 選 / Introduction to VPC Lattice
hayaok3
1
710
トラブルシューティングから Linux カーネルに潜り込む
hiboma
7
1.2k
ShowNet2022 Topology
shownet
PRO
0
640
Design insights from unit tests @ itkonekt 2023
victorrentea
0
110
TrivyでAWSセキュリティをシフトレフトしよう
bitkey
PRO
1
380

Featured

See All Featured
4 Signs Your Business is Dying
shpigford
171
20k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
7
990
Making the Leap to Tech Lead
cromwellryan
118
7.8k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
9
770
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
110
17k
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
130
8.9k
VelocityConf: Rendering Performance Case Studies
addyosmani
317
22k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
270
12k
Facilitating Awesome Meetings
lara
35
4.8k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.1k
Fantastic passwords and where to find them - at NoRuKo
philnash
33
2k
The Illustrated Children's Guide to Kubernetes
chrisshort
25
44k

Transcript

  1. Deserialization vulns
    Aleksei “GreenDog” Tiurin
    https://twitter.com/antyurin

    View Slide

  2. Basics:
    Class -> Object
    Properties
    Methods
    Deserialization vulns

    View Slide

  3. Serialization / Deserialization. What is it?
    Pic from https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf
    Deserialization vulns

    View Slide

  4. Various representations of objects:
    - JSON
    - XML
    - YAML
    - Binary
    - …
    Java has ~ 30 libs (formats, speed, capabilities, size, etc)
    Deserialization vulns

    View Slide

  5. Easy, at first glance?
    Deserialization vulns

    View Slide

  6. Not so easy:
    - Very Complex objects
    - Constructor?
    - Multiple constructors?
    Deserialization vulns

    View Slide

  7. Not so easy:
    - Don’t know exact class
    User webUser = objectMapper.readValue(json_str, User.class);
    Host webHost = objectMapper.readValue(json_str, Host.class);
    Deserialization vulns

    View Slide

  8. Not so easy:
    - Arbitrary objects with classes from client
    - Call methods
    Deserialization vulns

    View Slide

  9. Not so easy:
    - Very Complex objects
    object inside object inside object = Matryoshka
    - Constructor? Multiple constructors?
    - Don’t know exact class
    - Arbitrary objects with classes from client
    - Call methods
    - Language features and limitations
    - etc
    Deserialization vulns

    View Slide

  10. A lot of libs with various features and implementations
    Deserialization vulns

    View Slide

  11. Python Pickle
    Deserialization vulns

    View Slide

  12. Python Pickle - do whatever you want
    - Arbitrary objects
    - Call methods *
    Deserialization vulns

    View Slide

  13. Java XMLDecoder
    Deserialization vulns

    View Slide

  14. Java XMLDecoder - XMLJAVA
    - Arbitrary objects
    - Call arbitrary methods
    Deserialization vulns

    View Slide

  15. Node.js node-serialize
    - Arbitrary objects
    - Function is an object
    Deserialization vulns

    View Slide

  16. Node.js node-serialize
    Example from:
    https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
    Deserialization vulns

    View Slide

  17. Node.js node-serialize – How to implement it secure?
    - Execute methods (insecure implemention)
    - Use Immediately invoked function expression (just add ())
    Deserialization vulns

    View Slide

  18. Java Jackson (JSON)
    - Bean-based
    - Default empty constructor
    Deserialization vulns

    View Slide

  19. Java Jackson
    - Bean-based
    - Default empty constructor
    - Strict type check
    => Safe by default
    Deserialization vulns

    View Slide

  20. Java Jackson
    - Don’t know exact class ?
    => Not so safe if it’s too wide
    Deserialization vulns

    View Slide

  21. Java Jackson
    - Don’t know exact class ?
    => Not so safe if it’s too wide
    - Classes with danger stuff in setters
    https://github.com/mbechler/marshalsec
    https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
    Deserialization vulns

    View Slide

  22. Java Native Binary
    - Field-based/Reflection API
    - No method calls?
    • java.lang.Object->hashCode(), java.lang.Object->equals(), and
    • java.lang.Comparable->compareTo()
    Deserialization vulns

    View Slide

  23. Java Native Binary
    - Field-based/Reflection API
    - No method calls?
    • java.lang.Object->hashCode()
    • java.lang.Object->equals()
    • java.lang.Comparable->compareTo()
    • finalize()
    • …
    Deserialization vulns

    View Slide

  24. Java Native Binary
    - Create then Cast
    => Any object of known classes
    You can implement your own before-deserialization type checker
    Deserialization vulns

    View Slide

  25. Java Native Binary
    - No constructor – readObject
    Deserialization vulns

    View Slide

  26. Java Native Binary
    Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
    Deserialization vulns

    View Slide

  27. Java Native Binary
    - No constructor – readObject
    OJDBC lib / OraclePooledConnection:
    - Serialize object
    - Send it
    - readObject
    - SSRF
    - Exception in Casting
    Deserialization vulns
    SSRF via connection string
    IP:port:anything_here
    Binary_data+your
    Text
    Here

    View Slide

  28. Java Native Binary
    - Dynamic Proxy support
    => More gadgets (classes)
    Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-
    your-java-endpoints.pdf
    Deserialization vulns

    View Slide

  29. Java Native Binary
    - ysoserial https://github.com/frohoff/ysoserial
    CommonsCollections 3.1
    CommonsCollections 4.0
    Jdk7u21
    Spring Framework 4.1.4
    Hibernate
    … ~ 30 gadget chains
    - https://github.com/pwntester/JRE8u20_RCE_Gadget
    JRE8u20
    Deserialization vulns

    View Slide

  30. Java Native Binary
    - Look ahead deserialization
    - Type check before deserialization
    - white list
    - black list
    Deserialization vulns

    View Slide

  31. Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-
    endpoints.pdf
    Deserialization vulns

    View Slide

  32. Java Native Binary - Everything is broken
    - RMI
    - JMX
    - JNDI + Won’t fix JRE DoSes
    - JMS + JVM langs: Scala, Groovy, Kotlin…
    - AFM
    - *Faces(ViewStates)

    Deserialization vulns

    View Slide

  33. Conclusion
    - We control serialized object
    - Basic requirements
    - Set class/object
    - Call method
    - Attacks on business logic
    - Language independent (Ruby, PHP, .NET, etc)
    Deserialization vulns

    View Slide

  34. Questions?
    https://github.com/GrrrDog/ZeroNights-WebVillage-2017
    Cheat sheet about Java Deserialization attacks:
    https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
    Deserialization vulns

    View Slide