Deserialization vulns
Aleksei “GreenDog” Tiurin
https://twitter.com/antyurin
Slide 2
Basics:
Class -> Object
Properties
Methods
Slide 3
Serialization / Deserialization. What is it?
Pic from https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf
Slide 4
Various representations of objects:
- JSON
- XML
- YAML
- Binary
- …
Java alone has roughly 30 serialization libraries, differing in format, speed, capabilities, size, etc.
Slide 5
Easy, at first glance?
Slide 6
Not so easy:
- Very Complex objects
- Constructor?
- Multiple constructors?
Slide 7
Not so easy:
- Don’t know exact class
User webUser = objectMapper.readValue(json_str, User.class);
Host webHost = objectMapper.readValue(json_str, Host.class);
Slide 8
Not so easy:
- Arbitrary objects with classes from client
- Call methods
Slide 9
Not so easy:
- Very Complex objects
object inside object inside object = Matryoshka
- Constructor? Multiple constructors?
- Don’t know exact class
- Arbitrary objects with classes from client
- Call methods
- Language features and limitations
- etc
Slide 10
A lot of libs with various features and implementations
Slide 11
Python Pickle
Slide 12
Python Pickle - do whatever you want
- Arbitrary objects
- Call methods *
Node.js node-serialize
- Arbitrary objects
- Function is an object
Slide 16
Node.js node-serialize
Example from:
https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
Slide 17
Node.js node-serialize – how to implement it securely?
- Execute methods (insecure implementation)
- Use an Immediately Invoked Function Expression (just add ())
Java Jackson
- Bean-based
- Default empty constructor
- Strict type check
=> Safe by default
Slide 20
Java Jackson
- Don’t know exact class ?
=> Not so safe if it’s too wide
Slide 21
Java Jackson
- Don’t know exact class ?
=> Not so safe if it’s too wide
- Classes with danger stuff in setters
https://github.com/mbechler/marshalsec
https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
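Added example (not from the slides, and not Jackson's own code) for the "don't know exact class" point of slides 7, 20 and 21. It assumes jackson-databind 2.10 or newer on the classpath and constructed User/Host beans; it contrasts a narrow target type, a closed list of subtypes chosen by a logical name, and an Object-typed field that is only acceptable once a PolymorphicTypeValidator narrows it again.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example: three ways of telling Jackson "which class", and how wide each one is.
public class JacksonTypeWidth {

    // Plain beans (constructed for this example): default constructor plus public fields.
    public static class User { public String name; }
    public static class Host { public String address; }

    // Narrow polymorphism: a closed list of subtypes, selected by a logical name
    // ("user"/"host") rather than by a fully qualified class name from the client.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = TypedUser.class, name = "user"),
        @JsonSubTypes.Type(value = TypedHost.class, name = "host")
    })
    public interface Entity {}
    public static class TypedUser implements Entity { public String name; }
    public static class TypedHost implements Entity { public String address; }
    public static class NarrowEnvelope { public Entity payload; }

    // "Too wide": Object says nothing about what is acceptable. With default typing
    // enabled, the JSON itself names the class to instantiate. (final so that the root
    // value itself needs no type wrapper under NON_FINAL default typing.)
    public static final class WideEnvelope { public Object payload; }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();

        // 1. Exact class known: strict, bean-based, only User's members are populated.
        User u = mapper.readValue("{\"name\":\"alice\"}", User.class);
        System.out.println("user = " + u.name);

        // 2. Class chosen by the client, but only from the registered subtypes.
        NarrowEnvelope ok = mapper.readValue(
            "{\"payload\":{\"kind\":\"host\",\"address\":\"10.0.0.1\"}}", NarrowEnvelope.class);
        System.out.println("payload is " + ok.payload.getClass().getSimpleName());
        try {
            mapper.readValue("{\"payload\":{\"kind\":\"something-else\"}}", NarrowEnvelope.class);
        } catch (JsonMappingException e) {
            System.out.println("unknown kind rejected: " + e.getOriginalMessage());
        }

        // 3. Object-typed field with default typing: without a validator any class name in
        //    the JSON would be resolved. The validator narrows it back to Entity subtypes.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Entity.class)
            .build();
        ObjectMapper gated = new ObjectMapper();
        gated.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        try {
            // java.util.HashMap is harmless here; the point is that it is not an Entity.
            gated.readValue("{\"payload\":[\"java.util.HashMap\",{}]}", WideEnvelope.class);
        } catch (JsonMappingException e) {
            System.out.println("class outside allowlist rejected: " + e.getOriginalMessage());
        }
    }
}
```

The first two mappers never resolve a class by name at all, which is the "safe by default" behaviour of slide 18; the third shows that once a field is as wide as Object, the only thing standing between the JSON and the class loader is the validator, so it should allow a package or base type you own and nothing else.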
Slide 22
Java Native Binary
- Field-based/Reflection API
- No method calls?
• java.lang.Object->hashCode(), java.lang.Object->equals(), and
• java.lang.Comparable->compareTo()
Java Native Binary
- Create then Cast
=> Any object of known classes
You can implement your own before-deserialization type checker
Slide 25
Java Native Binary
- No constructor – readObject
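Added example (not from the slides) covering the "create then cast" and "before-deserialization type checker" point of slide 24, the "no constructor, readObject" point above, and the dynamic proxy point of slide 28. It assumes Java 9 or newer (java.io.ObjectInputFilter) and a constructed Host class; the filter is a plain allowlist written for this example, not a library API.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added example (Java 9+): what runs during native deserialization, and how to reject
// classes before they are instantiated rather than after the cast fails.
public class NativeTypeCheck {

    public static class Host implements Serializable {
        private static final long serialVersionUID = 1L;
        private String address;

        public Host(String address) {
            this.address = address;
            System.out.println("constructor ran for " + address);
        }

        // Called by ObjectInputStream instead of any constructor: validation that lives
        // only in the constructor is skipped on this path, so it has to be repeated here.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("readObject ran for " + address);
            if (address == null || address.isEmpty()) {
                throw new InvalidClassException("Host", "address must not be empty");
            }
        }

        public String getAddress() { return address; }
    }

    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Allowlist filter: consulted for every class (proxy classes included) the stream
    // names, before readObject/readResolve of that class can run.
    private static final Set<Class<?>> ALLOWED = Set.of(Host.class, String.class);

    public static final ObjectInputFilter FILTER = info -> {
        Class<?> c = info.serialClass();
        if (c == null) {
            // Depth/reference/size callbacks carry no class; leave them to other limits.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        if (Proxy.isProxyClass(c)) {
            // A dynamic proxy in the stream binds arbitrary interfaces to an
            // InvocationHandler; a Host endpoint has no reason to accept one.
            return ObjectInputFilter.Status.REJECTED;
        }
        return ALLOWED.contains(c) ? ObjectInputFilter.Status.ALLOWED
                                   : ObjectInputFilter.Status.REJECTED;
    };

    // Filter first, cast last: a rejected class throws InvalidClassException inside
    // readObject(), so no instance of it is ever created.
    public static Host readHost(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return (Host) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Host("10.0.0.1"));   // constructor runs here only
        System.out.println("deserialized " + readHost(good).getAddress());

        // A harmless but non-allowlisted class: without the filter it would be fully
        // built (readObject and all) and only then fail the cast to Host.
        List<Integer> list = new ArrayList<>(List.of(1, 2, 3));
        try {
            readHost(serialize(list));
        } catch (InvalidClassException e) {
            System.out.println("rejected before instantiation: " + e.getMessage());
        }
    }
}
```

Running it prints the constructor line once (at serialization time) and the readObject line once (at deserialization time), which is the point of this slide; the ArrayList attempt ends in "filter status: REJECTED" with no ArrayList ever constructed. On Java 9 and newer the same allowlist can also be set process-wide through ObjectInputFilter.Config.setSerialFilter or the jdk.serialFilter property.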
Slide 26
Java Native Binary
Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
Slide 27
Java Native Binary
- No constructor – readObject
OJDBC lib / OraclePooledConnection:
- Serialize object
- Send it
- readObject
- SSRF
- Exception in Casting
(Diagram: SSRF via connection string, format IP:port:anything_here; binary data followed by "your text here" …)
Slide 28
Java Native Binary
- Dynamic Proxy support
=> More gadgets (classes)
Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
Conclusion
- We control the serialized object
- Basic requirements
- Set class/object
- Call method
- Attacks on business logic
- Language independent (Ruby, PHP, .NET, etc)