Deserialization vulnerabilities

Transcript

1. Deserialization vulns Aleksei “GreenDog” Tiurin https://twitter.com/antyurin

2. Basics: Class -> Object Properties Methods Deserialization vulns

3. Serialization / Deserialization. What is it? Pic from https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf Deserialization

   vulns

4. Various representations of objects: - JSON - XML - YAML

   - Binary - … Java has ~ 30 libs (formats, speed, capabilities, size, etc) Deserialization vulns

5. Easy, at first glance? Deserialization vulns

6. Not so easy: - Very Complex objects - Constructor? -

   Multiple constructors? Deserialization vulns

7. Not so easy: - Don’t know exact class User webUser

   = objectMapper.readValue(json_str, User.class); Host webHost = objectMapper.readValue(json_str, Host.class); Deserialization vulns

8. Not so easy: - Arbitrary objects with classes from client

   - Call methods Deserialization vulns

9. Not so easy: - Very Complex objects object inside object

   inside object = Matryoshka - Constructor? Multiple constructors? - Don’t know exact class - Arbitrary objects with classes from client - Call methods - Language features and limitations - etc Deserialization vulns

10. A lot of libs with various features and implementations Deserialization

    vulns

11. Python Pickle Deserialization vulns

12. Python Pickle - do whatever you want - Arbitrary objects

    - Call methods * Deserialization vulns

13. Java XMLDecoder Deserialization vulns

14. Java XMLDecoder - XMLJAVA - Arbitrary objects - Call arbitrary

    methods Deserialization vulns

15. Node.js node-serialize - Arbitrary objects - Function is an object

    Deserialization vulns

16. Node.js node-serialize Example from: https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/ Deserialization vulns

17. Node.js node-serialize – How to implement it secure? - Execute

    methods (insecure implemention) - Use Immediately invoked function expression (just add ()) Deserialization vulns

18. Java Jackson (JSON) - Bean-based - Default empty constructor Deserialization

    vulns

19. Java Jackson - Bean-based - Default empty constructor - Strict

    type check => Safe by default Deserialization vulns

20. Java Jackson - Don’t know exact class ? => Not

    so safe if it’s too wide Deserialization vulns

21. Java Jackson - Don’t know exact class ? => Not

    so safe if it’s too wide - Classes with danger stuff in setters https://github.com/mbechler/marshalsec https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/ Deserialization vulns

22. Java Native Binary - Field-based/Reflection API - No method calls?

    • java.lang.Object->hashCode(), java.lang.Object->equals(), and • java.lang.Comparable->compareTo() Deserialization vulns

23. Java Native Binary - Field-based/Reflection API - No method calls?

    • java.lang.Object->hashCode() • java.lang.Object->equals() • java.lang.Comparable->compareTo() • finalize() • … Deserialization vulns

24. Java Native Binary - Create then Cast => Any object

    of known classes You can implement your own before-deserialization type checker Deserialization vulns

25. Java Native Binary - No constructor – readObject Deserialization vulns

26. Java Native Binary Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf Deserialization vulns

27. Java Native Binary - No constructor – readObject OJDBC lib

    / OraclePooledConnection: - Serialize object - Send it - readObject - SSRF - Exception in Casting Deserialization vulns SSRF via connection string IP:port:anything_here Binary_data+your Text Here …

28. Java Native Binary - Dynamic Proxy support => More gadgets

    (classes) Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning- your-java-endpoints.pdf Deserialization vulns

29. Java Native Binary - ysoserial https://github.com/frohoff/ysoserial CommonsCollections 3.1 CommonsCollections 4.0

    Jdk7u21 Spring Framework 4.1.4 Hibernate … ~ 30 gadget chains - https://github.com/pwntester/JRE8u20_RCE_Gadget JRE8u20 Deserialization vulns

30. Java Native Binary - Look ahead deserialization - Type check

    before deserialization - white list - black list Deserialization vulns

31. Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java- endpoints.pdf Deserialization vulns

32. Java Native Binary - Everything is broken - RMI -

    JMX - JNDI + Won’t fix JRE DoSes - JMS + JVM langs: Scala, Groovy, Kotlin… - AFM - *Faces(ViewStates) … Deserialization vulns

33. Conclusion - We control serialized object - Basic requirements -

    Set class/object - Call method - Attacks on business logic - Language independent (Ruby, PHP, .NET, etc) Deserialization vulns

34. Questions? https://github.com/GrrrDog/ZeroNights-WebVillage-2017 Cheat sheet about Java Deserialization attacks: https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet Deserialization

    vulns