Deserialization vulns
Aleksei “GreenDog” Tiurin
https://twitter.com/antyurin
Basics:
Class -> Object
Properties
Methods
Serialization / Deserialization. What is it?
Pic from https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf
Various representations of objects:
- JSON
- XML
- YAML
- Binary
- …
Java has roughly 30 serialization libraries, differing in format, speed, capabilities, size, etc.
Easy, at first glance?
Not so easy:
- Very Complex objects
- Constructor?
- Multiple constructors?
Not so easy:
- Don’t know exact class
User webUser = objectMapper.readValue(json_str, User.class);
Host webHost = objectMapper.readValue(json_str, Host.class);
Not so easy:
- Arbitrary objects with classes from client
- Call methods
Not so easy:
- Very Complex objects
object inside object inside object = Matryoshka
- Constructor? Multiple constructors?
- Don’t know exact class
- Arbitrary objects with classes from client
- Call methods
- Language features and limitations
- etc
A lot of libs with various features and implementations
Python Pickle
Python Pickle - do whatever you want
- Arbitrary objects
- Call methods *
Java XMLDecoder
Java XMLDecoder - XMLJAVA
- Arbitrary objects
- Call arbitrary methods
Node.js node-serialize
- Arbitrary objects
- Function is an object
Node.js node-serialize
Example from:
https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
Node.js node-serialize – How to implement it securely?
- Execute methods (insecure implementation)
- Use an immediately invoked function expression (just add ())
Java Jackson (JSON)
- Bean-based
- Default empty constructor
Java Jackson
- Bean-based
- Default empty constructor
- Strict type check
=> Safe by default
Java Jackson
- Don’t know the exact class?
=> Not so safe if the declared type is too wide
Java Jackson
- Don’t know the exact class?
=> Not so safe if the declared type is too wide
- Classes with dangerous behaviour in setters
https://github.com/mbechler/marshalsec
https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
Java Native Binary
- Field-based/Reflection API
- No method calls?
• java.lang.Object->hashCode()
• java.lang.Object->equals()
• java.lang.Comparable->compareTo()
Java Native Binary
- Field-based/Reflection API
- No method calls?
• java.lang.Object->hashCode()
• java.lang.Object->equals()
• java.lang.Comparable->compareTo()
• finalize()
• …
Java Native Binary
- Create then Cast
=> Any object of known classes
You can implement your own before-deserialization type checker
Java Native Binary
- No constructor – readObject
Java Native Binary
Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
Java Native Binary
- No constructor – readObject
OJDBC lib / OraclePooledConnection:
- Serialize object
- Send it
- readObject
- SSRF
- Exception in Casting
SSRF via connection string
IP:port:anything_here (serialized binary data followed by your text here)
Java Native Binary
- Dynamic Proxy support
=> More gadgets (classes)
Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
Java Native Binary
- ysoserial https://github.com/frohoff/ysoserial
CommonsCollections 3.1
CommonsCollections 4.0
Jdk7u21
Spring Framework 4.1.4
Hibernate
… (~30 gadget chains)
- https://github.com/pwntester/JRE8u20_RCE_Gadget
JRE8u20
Java Native Binary
- Look ahead deserialization
- Type check before deserialization
- white list
- black list
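As an added example (not from this deck), here is what the "type check before deserialization" allow-list variant looks like for Java native serialization: an ObjectInputStream subclass that vetoes every class descriptor in resolveClass(), before any instance is created. The DTO class User and the allow-list contents are assumptions for the demo.

```java
import java.io.*;
import java.util.Set;

// Look-ahead check on Java native serialization: resolveClass() runs for each
// class descriptor *before* an instance is created, so an allow-list here stops
// unknown classes before any readObject() or gadget chain can execute.
public class LookAheadObjectInputStream extends ObjectInputStream {
    // Assumed allow-list for a hypothetical endpoint: only the app's own DTO.
    // Array/wrapper types that DTO fields need must be listed too (e.g. "[B").
    private static final Set<String> ALLOWED = Set.of(User.class.getName());
    public LookAheadObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Fail closed: the class is never loaded, so neither its static
            // initializer nor its readObject() ever runs.
            throw new InvalidClassException(name, "not on deserialization allow-list");
        }
        return super.resolveClass(desc);
    }
    // Constructed sample DTO (not from the deck); primitive and String fields
    // carry no class descriptor of their own, so they need no allow-list entry.
    public static class User implements Serializable {
        private static final long serialVersionUID = 1L;
        String name; int age;
        User(String name, int age) { this.name = name; this.age = age; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        try (ObjectInputStream in = new LookAheadObjectInputStream(
                new ByteArrayInputStream(serialize(new User("alice", 30))))) {
            System.out.println("accepted: " + ((User) in.readObject()).name);
        }
        // Anything not on the list, even a harmless ArrayList, is rejected at
        // the class descriptor, before any instance exists.
        try (ObjectInputStream in = new LookAheadObjectInputStream(
                new ByteArrayInputStream(serialize(new java.util.ArrayList<>())))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

On Java 9 and later the same policy can be applied without subclassing via ObjectInputStream.setObjectInputFilter() or the jdk.serialFilter system property; in both forms an allow list is preferable to a black list, which has to be updated every time a new gadget chain appears.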
Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
Java Native Binary - Everything is broken
- RMI
- JMX
- JNDI + Won’t fix JRE DoSes
- JMS + JVM langs: Scala, Groovy, Kotlin…
- AMF
- *Faces (ViewStates)
…
Conclusion
- We control the serialized object
- Basic requirements:
  - Set class/object
  - Call method
- Attacks on business logic
- Language independent (Ruby, PHP, .NET, etc)
Questions?
https://github.com/GrrrDog/ZeroNights-WebVillage-2017
Cheat sheet about Java Deserialization attacks:
https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet