Deserialization vulns. Aleksei “GreenDog” Tiurin, https://twitter.com/antyurin

Deserialization vulns - Zeronights 2017 · 2017-11-27


Page 1

Deserialization vulns

Aleksei “GreenDog” Tiurin, https://twitter.com/antyurin

Page 2

Basics:

Class -> Object (Properties, Methods)


Page 3

Serialization / Deserialization. What is it?

Pic from https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf


Page 4

Various representations of objects:

- JSON

- XML

- YAML

- Binary

- …

Java has ~ 30 libs (formats, speed, capabilities, size, etc)


Page 5

Easy, at first glance?


Page 6

Not so easy:

- Very complex objects

- Constructor?

- Multiple constructors?


Page 7

Not so easy:

- Don’t know exact class

  User webUser = objectMapper.readValue(json_str, User.class);
  Host webHost = objectMapper.readValue(json_str, Host.class);


Page 8

Not so easy:

- Arbitrary objects with classes from client

- Call methods


Page 9

Not so easy:

- Very complex objects: object inside object inside object (Matryoshka)

- Constructor? Multiple constructors?

- Don’t know exact class

- Arbitrary objects with classes from client

- Call methods

- Language features and limitations

- etc


Page 10

A lot of libs with various features and implementations


Page 11

Python Pickle


Page 12

Python Pickle - do whatever you want

- Arbitrary objects

- Call methods *


Page 13

Java XMLDecoder


Page 14

Java XMLDecoder - XML -> Java

- Arbitrary objects

- Call arbitrary methods


Page 15

Node.js node-serialize

- Arbitrary objects

- Function is an object


Page 16

Node.js node-serialize

Example from:

https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/


Page 17

Node.js node-serialize – How to implement it securely?

- Execute methods (insecure implementation)

- Use an Immediately Invoked Function Expression (just add ())


Page 18

Java Jackson (JSON)

- Bean-based

- Default empty constructor


Page 19

Java Jackson

- Bean-based

- Default empty constructor

- Strict type check

=> Safe by default


Page 20

Java Jackson

- Don’t know exact class ?

=> Not so safe if it’s too wide


Page 21

Java Jackson

- Don’t know exact class ?

=> Not so safe if it’s too wide

- Classes with dangerous stuff in setters

https://github.com/mbechler/marshalsec

https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
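The "too wide" case on this slide, as an added Java example (not code from the talk): a bean with a field of type Object, the default-typing setting that lets the JSON name the class, and the corrected configuration that ties default typing to a validator. The Host bean, the package prefix com.example.demo, the mapper helper names and the JSON documents are constructed for the example; Jackson 2.10 or later is assumed for activateDefaultTyping and BasicPolymorphicTypeValidator.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not the talk's code). Package and class names are assumptions.
public class WideTypeDemo {

    // Bean-based: Jackson needs the default (empty) constructor and public fields/setters.
    public static class Host {
        public String name;
        // "Don't know exact class": a field typed Object lets the JSON pick the
        // concrete class as soon as default typing is switched on.
        public Object extra;
    }

    // Constructed inputs: a normal document, and one that names a class for "extra"
    // (WRAPPER_ARRAY is Jackson's default type-id layout for default typing).
    static final String PLAIN = "{\"name\":\"db1\",\"extra\":{\"port\":1521}}";
    static final String TYPED = "{\"name\":\"db1\",\"extra\":[\"com.example.NotAllowed\",{}]}";

    // Weak setting: global default typing with no validator, so any non-final class
    // on the classpath may be named in the JSON (the CVE-2017-7525 pattern).
    // enableDefaultTyping() is deprecated since Jackson 2.10 for exactly this reason.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Corrected setting: if polymorphic typing is really needed, bind it to a
    // validator that only admits subtypes from our own package.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.demo.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Safest: no default typing at all. "extra" then becomes a plain Map/List/scalar,
    // and with FAIL_ON_UNKNOWN_PROPERTIES (on by default) an unexpected "@class"
    // property is rejected rather than interpreted as a type id.
    static ObjectMapper strictMapper() {
        return new ObjectMapper();
    }

    public static void main(String[] args) throws Exception {
        Host h = strictMapper().readValue(PLAIN, Host.class);
        System.out.println("strict: extra is " + h.extra.getClass().getName()); // java.util.LinkedHashMap

        try {
            hardenedMapper().readValue(TYPED, Host.class);
        } catch (JsonMappingException e) {
            // InvalidTypeIdException: the validator refuses a class outside com.example.demo
            System.out.println("hardened: rejected -> " + e.getOriginalMessage());
        }
    }
}
```

weakMapper() is shown only for comparison with hardenedMapper(); the narrowest type that fits the data (a Map, or a dedicated bean) beats any validator, because then there is no type id for the JSON to supply at all.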


Page 22

Java Native Binary

- Field-based / Reflection API

- No method calls?

  • java.lang.Object->hashCode(), java.lang.Object->equals(), and

  • java.lang.Comparable->compareTo()


Page 23

Java Native Binary

- Field-based / Reflection API

- No method calls?

• java.lang.Object->hashCode()

• java.lang.Object->equals()

• java.lang.Comparable->compareTo()

• finalize()

• …


Page 24

Java Native Binary

- Create then Cast

=> Any object of known classes

You can implement your own before-deserialization type checker


Page 25

Java Native Binary

- No constructor – readObject


Page 26

Java Native Binary

Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf


Page 27

Java Native Binary

- No constructor – readObject

OJDBC lib / OraclePooledConnection:

- Serialize object

- Send it

- readObject

- SSRF

- Exception in Casting


SSRF via connection string:

IP:port:anything_here (binary data + your text here)

Page 28

Java Native Binary

- Dynamic Proxy support

=> More gadgets (classes)

Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf


Page 29

Java Native Binary

- ysoserial https://github.com/frohoff/ysoserial

  CommonsCollections 3.1
  CommonsCollections 4.0
  Jdk7u21
  Spring Framework 4.1.4
  Hibernate
  … ~ 30 gadget chains

- JRE8u20: https://github.com/pwntester/JRE8u20_RCE_Gadget


Page 30

Java Native Binary

- Look-ahead deserialization

- Type check before deserialization

  - white list

  - black list
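The look-ahead check on this slide, the "implement your own before-deserialization type checker" point on Page 24 and the "no method calls?" question on Page 23, as one added Java example that is not from the talk. It serializes a HashMap keyed by a harmless class, shows that plain readObject() already calls that key's hashCode() without the application asking, and then rejects the same stream before any instance exists, once through a resolveClass() override and once through the JDK's own ObjectInputFilter. Java 9 or later is assumed (ObjectInputFilter, Set.of); Tag, AllowListInputStream and the helper names are made up for the example.

```java
import java.io.*;
import java.util.*;
import java.util.concurrent.atomic.AtomicInteger;

// Added example (not the talk's code); all class and helper names are assumptions.
public class LookAheadDemo {

    // A harmless Serializable class that only records whether hashCode() ran.
    public static class Tag implements Serializable {
        private static final long serialVersionUID = 1L;
        static final AtomicInteger hashCalls = new AtomicInteger();
        final String label;
        Tag(String label) { this.label = label; }
        @Override public int hashCode() { hashCalls.incrementAndGet(); return label.hashCode(); }
        @Override public boolean equals(Object o) { return o instanceof Tag && ((Tag) o).label.equals(label); }
        @Override public String toString() { return "Tag(" + label + ")"; }
    }

    // Constructed input: a HashMap keyed by Tag, serialized with the JDK itself.
    static byte[] serializedMap() throws IOException {
        Map<Tag, String> m = new HashMap<>();
        m.put(new Tag("db1"), "primary");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(m); }
        return bos.toByteArray();
    }

    // 1) Plain ObjectInputStream: the application calls nothing on Tag, yet
    //    HashMap.readObject() calls Tag.hashCode() to rebuild its buckets.
    static int hashCallsDuringPlainRead(byte[] data) throws Exception {
        Tag.hashCalls.set(0);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.readObject();
        }
        return Tag.hashCalls.get(); // 1: one key, one hashCode() call inside readObject()
    }

    // 2) Look-ahead check, portable to old JDKs: resolveClass() runs when the class
    //    descriptor is read, before any instance is created, so a class that is not
    //    on the allow list never gets its readObject()/hashCode() invoked.
    static class AllowListInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowListInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allow list");
            }
            return super.resolveClass(desc);
        }
    }

    // 3) The JDK's own mechanism (JEP 290): a pattern filter. "!*" at the end rejects
    //    everything not listed, and maxdepth bounds Matryoshka-style nesting.
    static ObjectInputFilter allowListFilter() {
        return ObjectInputFilter.Config.createFilter(
                "java.util.HashMap;java.lang.String;" + Tag.class.getName() + ";maxdepth=5;!*");
    }

    static Object readWithFilter(byte[] data, ObjectInputFilter filter) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] data = serializedMap();
        System.out.println("hashCode() calls during plain readObject(): " + hashCallsDuringPlainRead(data));

        // Allow list that contains HashMap but not Tag: the stream is rejected at
        // Tag's class descriptor, so its hashCode() is never reached.
        Tag.hashCalls.set(0);
        try (ObjectInputStream ois = new AllowListInputStream(
                new ByteArrayInputStream(data), Set.of("java.util.HashMap"))) {
            ois.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage() + "; hashCode() calls: " + Tag.hashCalls.get());
        }

        // Filter that admits exactly the expected object graph: the read succeeds.
        System.out.println("filtered read ok: " + readWithFilter(data, allowListFilter()));
    }
}
```

The resolveClass() override and the filter express the same white list; the filter is preferable where available because the JDK also applies it to array lengths, nesting depth and reference counts, which a resolveClass() hook never sees. A black list, by contrast, has to be extended every time a new gadget chain appears.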


Page 31

Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf


Page 32

Java Native Binary - Everything is broken

- RMI

- JMX

- JNDI

- JMS

- AFM

- *Faces (ViewStates)

+ Won’t fix JRE DoSes

+ JVM langs: Scala, Groovy, Kotlin…


Page 33

Conclusion

- We control the serialized object

- Basic requirements:

  - Set class/object

  - Call method

- Attacks on business logic

- Language independent (Ruby, PHP, .NET, etc)


Page 34

Questions?

https://github.com/GrrrDog/ZeroNights-WebVillage-2017

Cheat sheet about Java Deserialization attacks: https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
