Explanation of attacks on deserialization libs. Python Pickle, Node.js node-serialize, Java XMLDecoder, Java Jackson, Java Native Deserialization

1. Deserialization vulns
Aleksei “GreenDog” Tiurin
https://twitter.com/antyurin

2. Basics:
Class -> Object
Properties
Methods
Deserialization vulns

3. Serialization / Deserialization. What is it?
Pic from https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf
Deserialization vulns

4. Various representations of objects:
- JSON
- XML
- YAML
- Binary
- …
Java has ~ 30 libs (formats, speed, capabilities, size, etc)
Deserialization vulns

5. Easy, at first glance?
Deserialization vulns

6. Not so easy:
- Very Complex objects
- Constructor?
- Multiple constructors?
Deserialization vulns

7. Not so easy:
- Don’t know exact class
User webUser = objectMapper.readValue(json_str, User.class);
Host webHost = objectMapper.readValue(json_str, Host.class);
Deserialization vulns

8. Not so easy:
- Arbitrary objects with classes from client
- Call methods
Deserialization vulns

9. Not so easy:
- Very Complex objects
object inside object inside object = Matryoshka
- Constructor? Multiple constructors?
- Don’t know exact class
- Arbitrary objects with classes from client
- Call methods
- Language features and limitations
- etc
Deserialization vulns

10. A lot of libs with various features and implementations
Deserialization vulns

11. Python Pickle
Deserialization vulns

12. Python Pickle - do whatever you want
- Arbitrary objects
- Call methods *
Deserialization vulns

13. Java XMLDecoder
Deserialization vulns

14. Java XMLDecoder - XMLJAVA
- Arbitrary objects
- Call arbitrary methods
Deserialization vulns

15. Node.js node-serialize
- Arbitrary objects
- Function is an object
Deserialization vulns

16. Node.js node-serialize
Example from:
https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
Deserialization vulns

17. Node.js node-serialize – How to implement it secure?
- Execute methods (insecure implemention)
- Use Immediately invoked function expression (just add ())
Deserialization vulns

18. Java Jackson (JSON)
- Bean-based
- Default empty constructor
Deserialization vulns

19. Java Jackson
- Bean-based
- Default empty constructor
- Strict type check
=> Safe by default
Deserialization vulns

20. Java Jackson
- Don’t know exact class ?
=> Not so safe if it’s too wide
Deserialization vulns

21. Java Jackson
- Don’t know exact class ?
=> Not so safe if it’s too wide
- Classes with danger stuff in setters
https://github.com/mbechler/marshalsec
https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
Deserialization vulns

22. Java Native Binary
- Field-based/Reflection API
- No method calls?
• java.lang.Object->hashCode(), java.lang.Object->equals(), and
• java.lang.Comparable->compareTo()
Deserialization vulns

23. Java Native Binary
- Field-based/Reflection API
- No method calls?
• java.lang.Object->hashCode()
• java.lang.Object->equals()
• java.lang.Comparable->compareTo()
• finalize()
• …
Deserialization vulns

24. Java Native Binary
- Create then Cast
=> Any object of known classes
You can implement your own before-deserialization type checker
Deserialization vulns

25. Java Native Binary
- No constructor – readObject
Deserialization vulns

26. Java Native Binary
Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
Deserialization vulns

27. Java Native Binary
- No constructor – readObject
OJDBC lib / OraclePooledConnection:
- Serialize object
- Send it
- readObject
- SSRF
- Exception in Casting
Deserialization vulns
SSRF via connection string
IP:port:anything_here
Binary_data+your
Text
Here
…

28. Java Native Binary
- Dynamic Proxy support
=> More gadgets (classes)
Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-
your-java-endpoints.pdf
Deserialization vulns

29. Java Native Binary
- ysoserial https://github.com/frohoff/ysoserial
CommonsCollections 3.1
CommonsCollections 4.0
Jdk7u21
Spring Framework 4.1.4
Hibernate
… ~ 30 gadget chains
- https://github.com/pwntester/JRE8u20_RCE_Gadget
JRE8u20
Deserialization vulns

30. Java Native Binary
- Look ahead deserialization
- Type check before deserialization
- white list
- black list
Deserialization vulns

31. Pic from https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-
endpoints.pdf
Deserialization vulns

32. Java Native Binary - Everything is broken
- RMI
- JMX
- JNDI + Won’t fix JRE DoSes
- JMS + JVM langs: Scala, Groovy, Kotlin…
- AFM
- *Faces(ViewStates)
…
Deserialization vulns

33. Conclusion
- We control serialized object
- Basic requirements
- Set class/object
- Call method
- Attacks on business logic
- Language independent (Ruby, PHP, .NET, etc)
Deserialization vulns

34. Questions?
https://github.com/GrrrDog/ZeroNights-WebVillage-2017
Cheat sheet about Java Deserialization attacks:
https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
Deserialization vulns