Professional Documents
Culture Documents
Deserialize My Shorts
Deserialize My Shorts
2
Serializing Objects
a.k.a. “marshaling”, “pickling”, “freezing”, ”flattening”
snapshots one or more “live”, in-memory objects into a flat, serial stream of data that can be
stored or transmitted for reconstitution and use by a different process or the same process at
some point
Formats
− Binary: Java Serialization, Ruby Marshal, Protobuf, Thrift, Avro, MS-NRBF, Android Binder/Parcel, IIOP
− Hybrid/Other: PHP Serialization, Python pickle, Binary XML/JSON
− Readable: XML, JSON, YAML
Platform/Formats may have multiple implementations and/or sub-formats
3
Purposes and Mediums
Why and where
Remote/Interprocess Communication (RPC/IPC)
− Communicating data to different system/process
− Wire protocols, web services, message brokers
Caching/Persistence
− Communicating data to process’ future self
− Databases, cache servers, file systems
Tokens
− Communicating data to different system/process and back
− HTTP cookies, HTML form parameters, API auth tokens
4
Crash Course:
Java (de)serialization
5
Java Serialization API
readObject() and writeObject() are open-ended/polymorphic* *yes, that is scary
java.io.ObjectOutputStream java.io.ObjectInputStream
public void writeObject(Object) public Object readObject()
public void writeUTF(String) public String readUTF()
public void writeInt(int) public int readInt()
public void writeFloat(float) public float readFloat()
public void writeBoolean(boolean) public boolean readBoolean()
public void writeByte(byte) public byte readByte()
… …
6
Java Serialized Form
Uncustomized, default, simple (de)serialization
Stream starts with magic & version:
− ObjectStreamConstants.STREAM_MAGIC (short, 0xACED);
− ObjectStreamConstants.STREAM_VERSION (short, 0x0005);
Polymorphic values’ serialized form prefixed with “type code”
− ObjectStreamConstants.TC_*: 0x70-0x7E
− TC_NULL=0x70, TC_REFERENCE=0x71, TC_CLASSDESC=0x72, TC_OBJECT=0x73, TC_STRING=0x74,
TC_ARRAY=0x75, TC_CLASS=0x76, TC_LONGSTRING=0x7C, TC_PROXYCLASSDESC=0x7D,
TC_ENUM=0x7E
String (UTF-8) serialized form:
− String length (int), String bytes*
Boolean serialized form:
− value (byte, 1=True, 0=False)
7
Java Serialized Form
Uncustomized, default, simple (de)serialization • Refs: Later representations of
same object substituted with
Object serialized form: incrementing “handles” to save
− TC_OBJECT (byte, 0x73) space and preserve referential
− Class Description (or ref) relationships
• TC_REFERENCE (byte, 0x71)
− TC_CLASSDESC (byte, 0x72)
• Handle number (int)
− Class Name (String) • > 0x7e0000
− Serial Version UID (long)
− Field Descriptions*
• Field Type Codes:
− Field Type Code (byte) 'B'=byte, 'C'=char, 'D'=double,
− Field Name (String) 'F'=float, 'I'=int, 'J'=long,
− Field Type (String, for non-primitive) 'L'=class/interface, 'S'=short,
'Z'=boolean, '['=array,
− Field values*
− [Primitive serialized form] | [Object serialized form] | ref
− Causes recursive calls to writeObject()/readObject() or read*()/write*()
8
Java Serialization Caveats
9
Java Serialization Format
0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje
0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a cto......%...I..
0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d SomeNumberL..Som
0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f eStringt..Ljava/
0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000 lang/String;xp..
0000050: 0001 7400 0548 656c 6c6f ..t..Hello
10
Java Serialization Format
0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje
0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a cto......%...I..
0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d SomeNumberL..Som
0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f eStringt..Ljava/
0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000 lang/String;xp..
0000050: 0001 7400 0548 656c 6c6f ..t..Hello
11
Java Serialization Format
0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje
0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a cto......%...I..
0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d SomeNumberL..Som
0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f eStringt..Ljava/
0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000 lang/String;xp..
0000050: 0001 7400 0548 656c 6c6f ..t..Hello
12
Java Serialization Format
0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje
0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a cto......%...I..
0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d SomeNumberL..Som
0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f eStringt..Ljava/
0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000 lang/String;xp..
0000050: 0001 7400 0548 656c 6c6f ..t..Hello
13
Java Serialization Format
className:
(utf)
0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje
0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a cto......%...I..
0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d SomeNumberL..Som
0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f eStringt..Ljava/
0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000 lang/String;xp..
0000050: 0001 7400 0548 656c 6c6f ..t..Hello
14
Java Serialization Format
primitiveDesc:
prim_typecode fieldName
0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje
0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a cto......%...I..
0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d SomeNumberL..Som
0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f eStringt..Ljava/
0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000 lang/String;xp..
0000050: 0001 7400 0548 656c 6c6f ..t..Hello
15
Java Serialization Format
objectDesc:
obj_typecode fieldName className1
0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje
0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a cto......%...I..
0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d SomeNumberL..Som
0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f eStringt..Ljava/
0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000 lang/String;xp..
0000050: 0001 7400 0548 656c 6c6f ..t..Hello
16
Java Serialization Format
0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje
0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a cto......%...I..
0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d SomeNumberL..Som
0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f eStringt..Ljava/
0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000 lang/String;xp..
0000050: 0001 7400 0548 656c 6c6f ..t..Hello
17
Java Serialization Format
0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje
0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a cto......%...I..
0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d SomeNumberL..Som
0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f eStringt..Ljava/
0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000 lang/String;xp..
0000050: 0001 7400 0548 656c 6c6f ..t..Hello
18
Customizing Java Serialization
Implement interfaces/methods on class to be (de)serialized
java.io.Serializable
− void writeObject(ObjectOutputStream): customize object serialization
− Use ObjectOutputStream write*(), defaultWriteObject(), and/or putFields()
− void readObject(ObjectInputStream): customize object deserialization
− Use ObjectInputStream read*(), defaultReadObject(), and/or readFields()
− Object writeReplace(): provide stand-in object for serialization
− Object readResolve(): provide stand-in object for deserialization
java.io.Externalizable: fully customized and explicit serialization
− void readExternal(ObjectInput): manually read fields from stream
− void writeExternal(ObjectOutput): manually write fields to stream
19
Some sequences to recognize
20
21
Property-Oriented Programming / Object Injection
Rube-Goldberg-esque
Gadget chains are generally carrier-medium, application, and OS/platform agnostic
− Relies only on code available to application
− Not necessarily code used by application
Gadget Classes
− Target common libraries/frameworks. Library sprawl FTW.
− “Proxy” gadgets versatile
− Deserialization hook methods for self-execution
Gadget hunting and chain construction is an art
− Can be frustrating and tedious
− Rich IDEs help, but custom tools are better
− https://github.com/frohoff/inspector-gadget (out of scope for talk)
23
A Simple Java Gadget Chain
ObjectInputStream.readObject()
“calc.exe”
24
Time-Lapse of Deserialization
ObjectInputStream.readObject() called
ObjectInputStream
readObject()
defaultReadObject()
25
Time-Lapse of Deserialization
CacheManager instance allocated
ObjectInputStream
readObject()
CacheManager
defaultReadObject()
readObject()
26
Time-Lapse of Deserialization
CacheManager.readObject() called
ObjectInputStream
readObject()
CacheManager
defaultReadObject()
readObject()
27
Time-Lapse of Deserialization
ObjectInputStream.defaultReadObject() called
ObjectInputStream
readObject()
CacheManager
defaultReadObject()
readObject()
28
Time-Lapse of Deserialization
CommandTask instance allocated and referenced by CacheManager.initHook field
ObjectInputStream
readObject()
CacheManager
defaultReadObject()
readObject()
CommandTask
run()
29
Time-Lapse of Deserialization
CommandTask.run() called
ObjectInputStream
readObject()
CacheManager
defaultReadObject()
readObject()
CommandTask
run()
30
Time-Lapse of Deserialization
Runtime.exec() called
ObjectInputStream
readObject()
CacheManager
defaultReadObject()
readObject()
CommandTask
Runtime
run()
“calc.exe”
exec()
31
Time-Lapse of Deserialization
Target program run
ObjectInputStream
readObject()
CacheManager
defaultReadObject()
readObject()
CommandTask
Runtime
run()
“calc.exe”
exec()
32
A Java + Commons-Collections Gadget Chain
33
Call Chain
34
Gadget Chain Construction Code and Call Tree
35
Demos
36
ysoserial
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization
Contains multiple gadget chain payloads and a few exploits
Create payload to execute calc.exe using CommonsCollections1 chain:
$ java -jar ysoserial-0.0.1-all.jar CommonsCollections1 calc.exe | xxd | head -3
0000000: aced 0005 7372 0032 7375 6e2e 7265 666c ....sr.2sun.refl
0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41 ect.annotation.A
0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174 nnotationInvocat
37
Code Execution via Java Serializable
JSF (MyFaces) ViewState form parameters deserialized
38
39
RMIRegistry
40
41
Imperfect Mitigations
42
This is not a
new problem
43
This is not a
language problem
44
This is not a
format problem
45
We have
trust issues
46
We have
trust issues.
47
Out-of-scope related must-see/read stuff
Google or see references
Other languages/platforms
− PHP unserialize()
− Python pickle
− Ruby/Rails deserialization fiasco (YAML, XML, JSON, Marshal)
− Recent stuff: “Instagram’s Million Dollar Bug”
Java
− JSF EL Injection
− Recent stuff: “RCE in Oracle NetBeans Opensource Plugins”, “Reliable OS Shell with EL Injection”
− Commons FileUpload
− XMLDecoder/Xstream/Kryo
− Recent stuff: “Serialization Must Die”
− Recent Serializable: SerialDOS
Only covering Remote Code Execution via Java Serializable/Externalizable API today
− Original AppSecCali 2015 “Marshalling Pickles” talk covers some of the others
48
49
2011/9/9 — Spring Vulnerabilities
Wouter Coekarts (@WouterCoekaerts)
50
2011/9 — 2013/3 (18 months)
51
2013/03/05 — IBM Cognos BI RCE
Pierre Ernst
52
Timeline of Java Serializable Pwnage
Vulnerable (or Likely) Products/Projects Gadgets/Chains
? ?: Many JSF impls without encryption/signing enabled * very much not to scale
2011/9/9 Wouter Coekaerts: Spring AOP
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
53
Timeline of Java Serializable Pwnage
Vulnerable (or Likely) Products/Projects Gadgets/Chains
? ?: Many JSF impls without encryption/signing enabled * very much not to scale
2011/9/9 Wouter Coekaerts: Spring AOP
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
54
2013/3 — 2013/12 (9 months)
55
2013/12/16 — Deserialization Spring RCE
Alvaro Muñoz (@pwntester)
56
2013/12 — 2015/1 (14 months)
57
2015/1/28 — Marshalling Pickles, ysoserial
Gabe Lawrence (@gebl) and Chris Frohoff (@frohoff) — AppSec California 2015
58
2015/1/28 — Marshalling Pickles, ysoserial
Gabe Lawrence (@gebl) and Chris Frohoff (@frohoff) — AppSec California 2015
59
Timeline of Java Serializable Pwnage
Vulnerable (or Likely) Products/Projects Gadgets/Chains
? ?: Many JSF impls without encryption/signing enabled * very much not to scale
2011/9/9 Wouter Coekaerts: Spring AOP
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
2015/1/28 @frohoff: Commons Collections, Groovy, Spring Beans/Core
60
Timeline of Java Serializable Pwnage
Vulnerable (or Likely) Products/Projects Gadgets/Chains
? ?: Many JSF impls without encryption/signing enabled * very much not to scale
2011/9/9 Wouter Coekaerts: Spring AOP
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
2015/1/28 @frohoff: Commons Collections, Groovy, Spring Beans/Core
61
2015/1 — 2015/10 (9 months)
62
2015/1 — 2015/10 (9 months)
63
2015/10/28 — Exploiting Deserialization Vulnerabilities in Java
Matthias Kaiser (@matthias_kaiser) — HackPra WS 2015
64
2015/10/28 — Exploiting Deserialization Vulnerabilities in Java
Matthias Kaiser (@matthias_kaiser) — HackPra WS 2015
65
2015/10/28 — Exploiting Deserialization Vulnerabilities in Java
Matthias Kaiser (@matthias_kaiser) — HackPra WS 2015
66
2015/11/6 — What Do WebLogic, WebSphere, …
Stephen Breen (@breenmachine)
My Birthday
67
2015/11/6-10 — Social Media Kills My Phone Battery
Misunderstanding and misinformation abound
68
2015/11/8-16 — Evasive Maneuvers by Dev Community
Innovative Solutions and (Some) Sensible Responses
69
Timeline of Java Serializable Pwnage
Vulnerable (or Likely) Products/Projects Gadgets/Chains
? ?: Many JSF impls without encryption/signing enabled * very much not to scale
2011/9/9 Wouter Coekaerts: Spring AOP
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
2015/1/28 @frohoff: Commons Collections, Groovy, Spring Beans/Core
2015/10/27 @matthias_kaiser: Atlassian Bamboo CVE-2015-8360
2015/11/4 @mwulftange and @matthias_kaiser: Commvault Edge Server CVE-2015-7253
2015/11/6 @matthias_kaiser: Oracle WebLogic CVE-2015-4852
2015/11/6 @breenmachine: JBoss AS CVE-2015-7501, WebSphere CVE-2015-7450, Jenkins CVE-2015-8103, OpenNMS
2015/11/9 Joel Bernstein: Apache SOLR (SOLR-8262)
2015/11/12 Andrew Purtell: Apache HBase (HBASE-14799)
2015/11/13 @matthias_kaiser and @mwulftange: Symantec Endpoint Protection Manager CVE-2015-6555
2015/11/17 n/a: Unify OpenScape (various) CVE-2015-8237, CVE-2015-8238
70
Timeline of Java Serializable Pwnage
Vulnerable (or Likely) Products/Projects Gadgets/Chains
? ?: Many JSF impls without encryption/signing enabled * very much not to scale
2011/9/9 Wouter Coekaerts: Spring AOP
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
2015/1/28 @frohoff: Commons Collections, Groovy, Spring Beans/Core
2015/10/27 @matthias_kaiser: Atlassian Bamboo CVE-2015-8360
2015/11/4 @mwulftange and @matthias_kaiser: Commvault Edge Server CVE-2015-7253
2015/11/6 @matthias_kaiser: Oracle WebLogic CVE-2015-4852
2015/11/6 @breenmachine: JBoss AS CVE-2015-7501, WebSphere CVE-2015-7450, Jenkins CVE-2015-8103, OpenNMS
2015/11/9 Joel Bernstein: Apache SOLR (SOLR-8262)
2015/11/12 Andrew Purtell: Apache HBase (HBASE-14799)
2015/11/13 @matthias_kaiser and @mwulftange: Symantec Endpoint Protection Manager CVE-2015-6555
2015/11/17 n/a: Unify OpenScape (various) CVE-2015-8237, CVE-2015-8238
71
2016/1/21-22 — JNDI/JRMP Remote Loading Gadget
@zerothoughts
72
2016/1/25 — PayPal Remote Code Execution
Michael Stepankin and Mark Litchfield
73
2016/1/26-2/24 — JDK <7u21, Beanutils Gadget Chains
Chris Frohoff (@frohoff)
74
2016/2/24 — serianalyzer, Gadgets, Clients, etc.
Moritz Bechler (@mbechler)
75
2016/3/4 — Serial Killer & The Perils of Java Deser.
Alvaro Muñoz (@pwntester) and Christian Schneider (@cschneider4711) — RSAC 2016
76
2016/3/4 — Serial Killer & The Perils of Java Deser.
Alvaro Muñoz (@pwntester) and Christian Schneider (@cschneider4711) — RSAC 2016
77
Timeline of Java Serializable Pwnage
Vulnerable (or Likely) Products/Projects Gadgets/Chains
? ?: Many JSF impls without encryption/signing enabled * very much not to scale
2011/9/9 Wouter Coekaerts: Spring AOP
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
2015/1/28 @frohoff: Commons Collections, Groovy, Spring Beans/Core
2015/10/27 @matthias_kaiser: Atlassian Bamboo CVE-2015-8360
2015/11/4 @mwulftange and @matthias_kaiser: Commvault Edge Server CVE-2015-7253
2015/11/6 @matthias_kaiser: Oracle WebLogic CVE-2015-4852
2015/11/6 @breenmachine: JBoss AS CVE-2015-7501, WebSphere CVE-2015-7450, Jenkins CVE-2015-8103, OpenNMS
2015/11/9 Joel Bernstein: Apache SOLR (SOLR-8262)
2015/11/12 Andrew Purtell: Apache HBase (HBASE-14799)
2015/11/13 @matthias_kaiser and @mwulftange: Symantec Endpoint Protection Manager CVE-2015-6555
2015/11/17 n/a: Unify OpenScape (various) CVE-2015-8237, CVE-2015-8238
2016/1/25 Michael Stepankin and Mark Litchfield: PayPal 2016/1/22 @zerothoughts: Spring-TX
2016/1/26 @frohoff: JDK 7u21, variation on Commons Collections
2016/2/9 n/a: Adobe Experience Manager CVE-2016-0958 2016/2/24 @frohoff: Beanutils
2016/2/24 @mbechler: Jenkins CVE-2016-0788 2016/2/29 @mbechler: Hibernate, MyFaces, C3P0, net.sf.json, ROME, variation on Spring, JRMPClient,
JRMPListener
2016/3/4 @pwntester and @cschneider4711: Beanshell, Jython, lots of bypasses
2016/3/9 @matthias_kaiser: variation on Commons Collections
2016/3/16 n/a: TomEE (#2) CVE-2016-0779
78
Timeline of Java Serializable Pwnage
Vulnerable (or Likely) Products/Projects Gadgets/Chains
? ?: Many JSF impls without encryption/signing enabled * very much not to scale
2011/9/9 Wouter Coekaerts: Spring AOP
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
2015/1/28 @frohoff: Commons Collections, Groovy, Spring Beans/Core
2015/10/27 @matthias_kaiser: Atlassian Bamboo CVE-2015-8360
2015/11/4 @mwulftange and @matthias_kaiser: Commvault Edge Server CVE-2015-7253
2015/11/6 @matthias_kaiser: Oracle WebLogic CVE-2015-4852
2015/11/6 @breenmachine: JBoss AS CVE-2015-7501, WebSphere CVE-2015-7450, Jenkins CVE-2015-8103, OpenNMS
2015/11/9 Joel Bernstein: Apache SOLR (SOLR-8262)
2015/11/12 Andrew Purtell: Apache HBase (HBASE-14799)
2015/11/13 @matthias_kaiser and @mwulftange: Symantec Endpoint Protection Manager CVE-2015-6555
2015/11/17 n/a: Unify OpenScape (various) CVE-2015-8237, CVE-2015-8238
2016/1/25 Michael Stepankin and Mark Litchfield: PayPal 2016/1/22 @zerothoughts: Spring-TX
2016/1/26 @frohoff: JDK 7u21, variation on Commons Collections
2016/2/9 n/a: Adobe Experience Manager CVE-2016-0958 2016/2/24 @frohoff: Beanutils
2016/2/24 @mbechler: Jenkins CVE-2016-0788 2016/2/29 @mbechler: Hibernate, MyFaces, C3P0, net.sf.json, ROME, variation on Spring, JRMPClient,
JRMPListener
2016/3/4 @pwntester and @cschneider4711: Beanshell, Jython, lots of bypasses
2016/3/9 @matthias_kaiser: variation on Commons Collections
2016/3/16 n/a: TomEE (#2) CVE-2016-0779
79
* very much not to scale
80
* very much not to scale
81
* very much not to scale
82
Recent — Qualcomm Red Team Exercise
A colleague tried something new
Performed some new targeted scanning on internal network
Scripted ysoserial against various listeners
− Attempted multiple payload types
− Executed DNS lookup (logged at DNS server) with name of payload type
Results
− Discovered undisclosed vulnerabilities in 6 products (i.e. 0days)
83
Recent — Deser Vulnerability Reported to Qualcomm
84
Recent — ysoserial dev activity picking up
86
Mitigation
87
Gadget Whack-a-Mole
DO NOT rely on this!
Fundamental vulnerability is in doing unsafe deserialization, not in having gadgets available
More will be always found
Transitive dependencies cause library sprawl
Cross-library gadget chains
Auto-detection difficult
88
Fundamental vulnerability
is in doing unsafe
deserialization
89
Fundamental vulnerability
is in doing unsafe
deserialization
90
Abstenence
Avoid magic
Avoid open-ended (de)serialization when possible
− If the serialization includes a class name, it’s probably bad
− ObjectInputStream.readObject() is not safe
− Lots of non-open-ended JVM serialization frameworks available
− https://github.com/eishay/jvm-serializers/wiki
Simple format and/or data types
− Strings, Numbers, Arrays, Maps, etc.
− Manually serialize complex objects
Keep session state on the server when possible
− Beware of lateral attacks! (memcached, redis, database, etc.)
91
Restrict Deserialization
Use with Caution. This is a band-aid.
Whitelist/Blacklist classes
− Use subclass of ObjectInputStream0
− override resolveClass() to allow/disallow classes
− http://www.ibm.com/developerworks/library/se-lookahead/
− Blacklisting ≈ Gadget whack-a-mole
− Difficult without robust library support
− Runtime Agents can help
− Strip Serilaizable/Externalizable interfaces from classes
− Instrument native ObjectInputStream.resolveClass()
− Subclass circumventable by “bypass gadgets”
92
Authenticate
Trust Verify
Encryption != Authentication
− See JSF Padding Oracle attacks
Authenticate channels
− TLS Client Certs, SASL, DB/Cache/Broker credentials
Authenticate content
− HMAC or Authenticated Encryption with secret key
Must be verified pre-deserialization!
− Don’t read credentials with readObject()
− readUTF() is probably OK
Pro-tip: Don’t leak crypto keys!
− Path traversal
− Default key or key committed to source control
93
Security-in-depth
Assume breach of defenses
Strict firewall rules for deserializing listeners
Sandboxing/Hardening
− Java SecurityManager
− Transient usage can by circumvented by “deferred execution bypass gadgets”
− AppArmor/SELinux
− Docker containers
− Block (or whitelist) forking processes,
file/network I/O
94
Great Job Everyone…but you’re not done
Continue pwning all the things
Find more unsafe deserialization
− Watch products with naïve mitigations
Find more gadgets/chains
Gadget finding tool improvements
Explore mediums, platforms, formats, implementations
95
The Future
96
Past Work / References
Abraham Kang, Dinis Cruz, Alvaro Munoz, 2013/8/6, RESTing on your laurels will get you pwned
− http://www.slideshare.net/DinisCruz/res-ting-on-your-laurels-will-get-you-powned4-3
Tom Van Goethem, 2013/9/11, WordPress < 3.6.1 PHP Object Injection
− https://vagosec.org/2013/09/wordpress-php-object-injection/
David Jorm, 2013/11/20, Java Deserialization Flaws: Part 1, Binary Deserialization
− https://securityblog.redhat.com/2013/11/20/java-deserialization-flaws-part-1-binary-deserialization/
Alvaro Munoz, 2013/12/16, CVE-2011-2894: Deserialization Spring RCE
− http://pwntester.com/blog/2013/12/16/cve-2011-2894-deserialization-spring-rce/
Dinis Cruz, 2013/12/22, XStream "Remote Code Execution" exploit on code from "Standard way to serialize and deserialize Objects
with XStream" article,
− http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
David Jorm, 2014/1/23, Java deserialization flaws: Part 2, XML deserialization
− https://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/
Johannes Dahse, Nikolai Krein, Thorsten Holz, 2014/11/3, Code Reuse Attacks in PHP: Automated POP Chain Generation
− https://websec.files.wordpress.com/2010/11/rips_ccs.pdf
− http://syssec.rub.de/media/emma/veroeffentlichungen/2014/09/10/POPChainGeneration-CCS14.pdf
Renaud Dubourguais, Nicolas Collignon, 2013, JSF ViewState upside-down
− http://www.synacktiv.com/ressources/JSF_ViewState_InYourFace.pdf
Gabe Lawrence, Chris Frohoff 2015/1/28, Marshalling Pickles
− http://frohoff.github.io/appseccali-marshalling-pickles/
98
Past Work / References
99
Chris Frohoff Gabe Lawrence
cfrohoff@qualcomm.com gabe@qualcomm.com
@frohoff @gebl
Thank you
Follow us on:
For more information on Qualcomm, visit us at:
www.qualcomm.com & www.qualcomm.com/blog
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries.
Other products and brand names may be trademarks or registered trademarks of their respective owners
100