The document discusses deserialization vulnerabilities across various programming languages, particularly Java, emphasizing the complexities involved in the deserialization process. It highlights potential security risks, such as arbitrary object creation and method invocation, and suggests methods for mitigating these risks through type checking and whitelisting. The importance of understanding different serialization formats and libraries, as well as recent exploits, is also covered.

1. Deserialization vulns
Aleksei “GreenDog” Tiurin
https://twitter.com/antyurin

2. Basics:
Class -> Object
Properties
Methods
Deserialization vulns

3. Serialization / Deserialization. What is it?
Pic from https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf
Deserialization vulns

4. Various representations of objects:
- JSON
- XML
- YAML
- Binary
- …
Java has ~ 30 libs (formats, speed, capabilities, size, etc)
Deserialization vulns

5. Easy, at first glance?
Deserialization vulns

6. Not so easy:
- Very Complex objects
- Constructor?
- Multiple constructors?
Deserialization vulns

7. Not so easy:
- Don’t know exact class
User webUser = objectMapper.readValue(json_str, User.class);
Host webHost = objectMapper.readValue(json_str, Host.class);
Deserialization vulns

8. Not so easy:
- Arbitrary objects with classes from client
- Call methods
Deserialization vulns

9. Not so easy:
- Very Complex objects
object inside object inside object = Matryoshka
- Constructor? Multiple constructors?
- Don’t know exact class
- Arbitrary objects with classes from client
- Call methods
- Language features and limitations
- etc
Deserialization vulns

10. A lot of libs with various features and implementations
Deserialization vulns

11. Python Pickle
Deserialization vulns

12. Python Pickle - do whatever you want
- Arbitrary objects
- Call methods *
Deserialization vulns

13. Java XMLDecoder
Deserialization vulns

14. Java XMLDecoder - XMLJAVA
- Arbitrary objects
- Call arbitrary methods
Deserialization vulns

15. Node.js node-serialize
- Arbitrary objects
- Function is an object
Deserialization vulns

16. Node.js node-serialize
Example from:
https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
Deserialization vulns

17. Node.js node-serialize – How to implement it secure?
- Execute methods (insecure implemention)
- Use Immediately invoked function expression (just add ())
Deserialization vulns

18. Java Jackson (JSON)
- Bean-based
- Default empty constructor
Deserialization vulns

19. Java Jackson
- Bean-based
- Default empty constructor
- Strict type check
=> Safe by default
Deserialization vulns

20. Java Jackson
- Don’t know exact class ?
=> Not so safe if it’s too wide
Deserialization vulns

21. Java Jackson
- Don’t know exact class ?
=> Not so safe if it’s too wide
- Classes with danger stuff in setters
https://github.com/mbechler/marshalsec
https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
Deserialization vulns

22. Java Native Binary
- Field-based/Reflection API
- No method calls?
• java.lang.Object->hashCode(), java.lang.Object->equals(), and
• java.lang.Comparable->compareTo()
Deserialization vulns

23. Java Native Binary
- Field-based/Reflection API
- No method calls?
• java.lang.Object->hashCode()
• java.lang.Object->equals()
• java.lang.Comparable->compareTo()
• finalize()
• …
Deserialization vulns

24. Java Native Binary
- Create then Cast
=> Any object of known classes
You can implement your own before-deserialization type checker
Deserialization vulns

25. Java Native Binary
- No constructor – readObject
Deserialization vulns

26. Java Native Binary
Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
Deserialization vulns

27. Java Native Binary
- No constructor – readObject
OJDBC lib / OraclePooledConnection:
- Serialize object
- Send it
- readObject
- SSRF
- Exception in Casting
Deserialization vulns
SSRF via connection string
IP:port:anything_here
Binary_data+your
Text
Here
…

28. Java Native Binary
- Dynamic Proxy support
=> More gadgets (classes)
Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-
your-java-endpoints.pdf
Deserialization vulns

29. Java Native Binary
- ysoserial https://github.com/frohoff/ysoserial
CommonsCollections 3.1
CommonsCollections 4.0
Jdk7u21
Spring Framework 4.1.4
Hibernate
… ~ 30 gadget chains
- https://github.com/pwntester/JRE8u20_RCE_Gadget
JRE8u20
Deserialization vulns

30. Java Native Binary
- Look ahead deserialization
- Type check before deserialization
- white list
- black list
Deserialization vulns

31. Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-
endpoints.pdf
Deserialization vulns

32. Java Native Binary - Everything is broken
- RMI
- JMX
- JNDI + Won’t fix JRE DoSes
- JMS + JVM langs: Scala, Groovy, Kotlin…
- AFM
- *Faces(ViewStates)
…
Deserialization vulns

33. Conclusion
- We control serialized object
- Basic requirements
- Set class/object
- Call method
- Attacks on business logic
- Language independent (Ruby, PHP, .NET, etc)
Deserialization vulns

34. Questions?
https://github.com/GrrrDog/ZeroNights-WebVillage-2017
Cheat sheet about Java Deserialization attacks:
https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
Deserialization vulns