Deserialization vulnerabilities
- 3. Serialization / Deserialization. What is it?
Pic from https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf
Deserialization vulns
- 4. Various representations of objects:
- JSON
- XML
- YAML
- Binary
- …
Java alone has ~30 serialization libraries, differing in format, speed, capabilities, size, etc.
- 6. Not so easy:
- Very complex objects
- Which constructor should be called?
- What if there are multiple constructors?
- 7. Not so easy:
- Don't know the exact class: the same JSON binds to whichever class the caller names
User webUser = objectMapper.readValue(json_str, User.class);
Host webHost = objectMapper.readValue(json_str, Host.class);
- 8. Not so easy:
- Arbitrary objects: the client names the class to instantiate
- Methods get called while the object is rebuilt (constructors, setters, readObject)
- 9. Not so easy (summary):
- Very complex objects
object inside object inside object = Matryoshka
- Constructor? Multiple constructors?
- Don't know the exact class
- Arbitrary objects, with the class chosen by the client
- Call methods
- Language features and limitations
- etc.
- 10. A lot of libraries, each with its own features and implementation choices
- 12. Python pickle: do whatever you want
- Arbitrary objects
- Call arbitrary callables: a class's __reduce__() returns a callable plus its arguments, and pickle.loads() invokes it
- 14. Java XMLDecoder (java.beans XML format)
- Arbitrary objects
- Call arbitrary methods (instance methods on the object just built, and static methods on any class)
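What "arbitrary objects, arbitrary methods" looks like for XMLDecoder, as an added example that is not part of the original slides. The XML document is constructed for the demo and the property name xmldecoder.demo is an arbitrary choice; the XML elements used (object with class/method attributes, void with method, string) are the standard java.beans XML format:

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

// Added example, not from the original slides. Simulates a server that simply
// "reads a bean" from client-supplied XML with java.beans.XMLDecoder.
public class XmlDecoderDemo {

    // Constructed input. Every element is chosen by the sender: the class to
    // instantiate, its constructor arguments, the instance methods to call on
    // it, and static methods on any class. The reader never names a type.
    static final String DOCUMENT =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
        "<java version=\"1.8.0\" class=\"java.beans.XMLDecoder\">\n" +
        // new StringBuilder("olleh"), then reverse() on that instance
        "  <object class=\"java.lang.StringBuilder\">\n" +
        "    <string>olleh</string>\n" +
        "    <void method=\"reverse\"/>\n" +
        "  </object>\n" +
        // static call: System.setProperty("xmldecoder.demo", "executed")
        "  <object class=\"java.lang.System\" method=\"setProperty\">\n" +
        "    <string>xmldecoder.demo</string>\n" +
        "    <string>executed</string>\n" +
        "  </object>\n" +
        "</java>\n";

    public static void main(String[] args) {
        try (XMLDecoder decoder = new XMLDecoder(
                new ByteArrayInputStream(DOCUMENT.getBytes(StandardCharsets.UTF_8)))) {
            Object first = decoder.readObject();   // the StringBuilder, already reversed: "hello"
            Object second = decoder.readObject();  // return value of setProperty (previous value, null)
            System.out.println("first object : " + first.getClass().getName() + " = " + first);
            System.out.println("second object: " + second);
            // The static method ran as a side effect of "reading" the document.
            System.out.println("side effect  : xmldecoder.demo=" + System.getProperty("xmldecoder.demo"));
        }
    }
}
```

The two elements used here (object with a class, void with a method) reach any public constructor and any public method on the classpath; swapping the class and method names is all that separates this harmless demo from command execution, with no gadget chain needed. The only safe way to use XMLDecoder is on documents you produced yourself.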
- 17. Node.js node-serialize: how would you implement it securely?
- Functions are serialized as source text and eval()'d back on unserialize (insecure implementation)
- A serialized function body only gets defined, not run; turn it into an immediately invoked function expression (just append ()) and it executes during unserialize()
- 21. Java Jackson
- Don't know the exact class? With polymorphic/default typing enabled, or a target type as wide as Object, the JSON itself names the class
=> Not so safe if the target type is too wide
- Classes with dangerous stuff in setters become gadgets: binding a property is a setter call
https://github.com/mbechler/marshalsec
https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
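The "too wide" case with a setter that runs during binding, and the Jackson 2.10+ fix for it, as an added example that is not from the slides, from marshalsec, or from Jackson's own code. The classes Envelope, Note and SetterProbe are hypothetical; SetterProbe stands in for a class with "dangerous stuff in a setter" and only counts how often the setter was called. The JSON inputs are constructed:

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not from the original slides. Requires jackson-databind 2.10+
// for the validator API; the vulnerable mapper uses the older enableDefaultTyping().
public class JacksonTooWide {

    // The endpoint's declared type. "body" is as wide as a type can be.
    public static class Envelope {
        public Object body;
    }

    // What the endpoint actually expects inside "body".
    public static class Note {
        public String text;
    }

    // Hypothetical stand-in gadget: binding the "target" property IS a method call.
    public static class SetterProbe {
        public static int setterCalls = 0;
        public void setTarget(String target) {
            setterCalls++;   // a real gadget would act on the attacker's string here
        }
    }

    // Constructed inputs. With default typing, an Object-typed property is
    // encoded as ["fully.qualified.Class", {...}], so the client picks the class.
    static final String EXPECTED_JSON =
        "{\"body\":[\"JacksonTooWide$Note\",{\"text\":\"hi\"}]}";
    static final String HOSTILE_JSON =
        "{\"body\":[\"JacksonTooWide$SetterProbe\",{\"target\":\"ldap://attacker.example/x\"}]}";

    // Vulnerable configuration (the setting behind CVE-2017-7525): any
    // non-final class Jackson can load is a candidate for "body".
    @SuppressWarnings("deprecation")
    static ObjectMapper looseMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // Hardened configuration: still polymorphic, but type ids for Object-typed
    // properties are restricted to Note by a PolymorphicTypeValidator.
    static ObjectMapper strictMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Note.class)
            .build();
        return JsonMapper.builder()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
            .build();
    }

    public static void main(String[] args) throws Exception {
        Envelope e1 = looseMapper().readValue(HOSTILE_JSON, Envelope.class);
        System.out.println("loose : body is " + e1.body.getClass().getSimpleName()
            + ", setter calls = " + SetterProbe.setterCalls);          // SetterProbe, 1

        Envelope e2 = strictMapper().readValue(EXPECTED_JSON, Envelope.class);
        System.out.println("strict: body is " + e2.body.getClass().getSimpleName()
            + ", text=" + ((Note) e2.body).text);                       // Note, hi

        try {
            strictMapper().readValue(HOSTILE_JSON, Envelope.class);
        } catch (JsonMappingException ex) {
            // Rejected at the type id, before SetterProbe is instantiated.
            System.out.println("strict: rejected, setter calls still = " + SetterProbe.setterCalls); // 1
        }
    }
}
```

The validator is an allow-list on the type id, so it does the same job for Jackson that a look-ahead class check does for native serialization: the name is judged before an instance exists. Narrowing the declared type (Note instead of Object) removes the need for polymorphism altogether and is the better fix where the schema allows it.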
- 22-23. Java Native Binary
- Field-based: values are written straight into fields through the reflection API
- No method calls? Not quite. Collections call methods on their elements while rebuilding themselves inside readObject(), and the JVM calls others later:
• java.lang.Object->hashCode() (HashMap and HashSet rebuild their tables on read)
• java.lang.Object->equals() (key comparison during the same rebuild)
• java.lang.Comparable->compareTo() (PriorityQueue re-heapifies on read)
• finalize() (on the GC thread, once the object becomes unreachable)
• …
- 24. Java Native Binary
- Create, then cast: ObjectInputStream.readObject() fully instantiates whatever the stream describes, and only afterwards does the application cast the result
=> Any serializable class on the classpath can be instantiated, whatever type the caller expected
You can implement your own before-deserialization type checker: check each class descriptor as it is read, before an instance of that class exists
- 26. Java Native Binary
Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
- 27. Java Native Binary
- No constructor runs, but readObject() does
OJDBC lib / OraclePooledConnection:
- Serialize the object
- Send it
- readObject() runs on the receiving side
- SSRF: readObject() reconnects using the serialized connection string
- Exception in casting (only afterwards, once the connection attempt has already been made)
Figure: SSRF via the connection string (IP:port:anything_here); the connection carries the binary data together with attacker-supplied text.
- 28. Java Native Binary
- Dynamic Proxy support
=> More gadgets (classes)
Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
- 29. Java Native Binary
- ysoserial https://github.com/frohoff/ysoserial
CommonsCollections 3.1
CommonsCollections 4.0
Jdk7u21
Spring Framework 4.1.4
Hibernate
… ~ 30 gadget chains
- https://github.com/pwntester/JRE8u20_RCE_Gadget
JRE8u20
- 30. Java Native Binary
- Look-ahead deserialization
- Type check before deserialization: hook the point where a class descriptor is read (override ObjectInputStream.resolveClass(), or an ObjectInputFilter on JDK 9+ / 8u121+) and reject before any instance exists
- white list (preferred: only the classes this endpoint actually expects)
- black list (fragile: new gadget chains keep appearing)
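One program that shows the three preceding points together (the hashCode() call from slide 23, create-then-cast from slide 24, and look-ahead type checking from slide 30), as an added example that is not from the slides or from any library. Probe is a hypothetical stand-in for a gadget class that only counts how often its hashCode() runs; the hostile payload is constructed in the program itself:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example, not from the original slides.
public class LookAheadDemo {

    // Hypothetical gadget stand-in: hashCode() is the "method call" the stream triggers.
    public static class Probe implements Serializable {
        private static final long serialVersionUID = 1L;
        public static int hashCodeCalls = 0;
        @Override public int hashCode() { hashCodeCalls++; return 42; }
        @Override public boolean equals(Object o) { return o instanceof Probe; }
    }

    // Look-ahead: the class name is judged when its descriptor is read, which
    // happens before any instance of that class is created.
    public static class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        public LookAheadObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    // Constructed hostile payload: the endpoint expects Map<String,String>,
    // the client sends a HashMap keyed by Probe.
    public static byte[] hostilePayload() throws IOException {
        Map<Object, String> m = new HashMap<>();
        m.put(new Probe(), "value");
        Probe.hashCodeCalls = 0;            // ignore the call made by put() above
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(m);
        }
        return bos.toByteArray();
    }

    // The usual code: read, then cast. HashMap.readObject() rebuilds the table,
    // calling hashCode() on every key, before the cast is ever reached.
    @SuppressWarnings("unchecked")
    public static Map<String, String> readNaive(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return (Map<String, String>) ois.readObject();
        }
    }

    // Same read, with a white list of exactly the classes this endpoint expects.
    // String values arrive as TC_STRING and never hit resolveClass(), so only
    // the map class itself needs listing here.
    @SuppressWarnings("unchecked")
    public static Map<String, String> readGuarded(byte[] data) throws IOException, ClassNotFoundException {
        Set<String> allowed = new HashSet<>(Arrays.asList("java.util.HashMap"));
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return (Map<String, String>) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] data = hostilePayload();

        Map<String, String> naive = readNaive(data);
        System.out.println("naive  : hashCode() calls during readObject() = " + Probe.hashCodeCalls); // 1
        try {
            for (String key : naive.keySet()) { System.out.println(key); }   // generic cast happens here
        } catch (ClassCastException ex) {
            System.out.println("naive  : cast failed, but only after the object was fully built");
        }

        Probe.hashCodeCalls = 0;
        try {
            readGuarded(data);
        } catch (InvalidClassException ex) {
            System.out.println("guarded: rejected " + ex.classname
                + ", hashCode() calls = " + Probe.hashCodeCalls);            // 0
        }
    }
}
```

On JDK 9+ (and 8u121+) the same check can be expressed without subclassing, e.g. ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.util.HashMap;!*")), which additionally lets you cap depth, array sizes and total object count. Either way the decisive property is the one the slide names: the class is rejected on its descriptor, so no constructor, readObject(), hashCode() or finalize() of the rejected class ever runs.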
- 32. Java Native Binary: everything is broken
- RMI
- JMX
- JNDI
- JMS
- AMF
- *Faces (ViewStates)
- JVM languages: Scala, Groovy, Kotlin…
- Won't-fix JRE DoSes
…
- 33. Conclusion
- We control the serialized object
- Basic requirements for an attack:
- Set the class/object
- Call a method
- Attacks on business logic (tampering with the object's own state, no gadget needed)
- Language independent (Ruby, PHP, .NET, etc.)