3. Serialization / Deserialization. What is it?
Pic from https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf
Deserialization vulns
4. Various representations of objects:
- JSON
- XML
- YAML
- Binary
- …
Java has ~30 libraries (differing in formats, speed, capabilities, size, etc.)
6. Not so easy:
- Very Complex objects
- Constructor?
- Multiple constructors?
7. Not so easy:
- Don’t know exact class
User webUser = objectMapper.readValue(json_str, User.class);
Host webHost = objectMapper.readValue(json_str, Host.class);
8. Not so easy:
- Arbitrary objects with classes from client
- Call methods
9. Not so easy:
- Very Complex objects
object inside object inside object = Matryoshka
- Constructor? Multiple constructors?
- Don’t know exact class
- Arbitrary objects with classes from client
- Call methods
- Language features and limitations
- etc
10. A lot of libs with various features and implementations
17. Node.js node-serialize – How to implement it securely?
- Execute methods (insecure implementation)
- Use an Immediately Invoked Function Expression (just add ())
19. Java Jackson
- Bean-based
- Default empty constructor
- Strict type check
=> Safe by default
20. Java Jackson
- Don’t know exact class?
=> Not so safe if it’s too wide
21. Java Jackson
- Don’t know exact class?
=> Not so safe if it’s too wide
- Classes with dangerous stuff in setters
https://github.com/mbechler/marshalsec
https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
22. Java Native Binary
- Field-based/Reflection API
- No method calls?
• java.lang.Object->hashCode(), java.lang.Object->equals(), and
• java.lang.Comparable->compareTo()
24. Java Native Binary
- Create then Cast
=> Any object of known classes
You can implement your own before-deserialization type checker
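Added example (not from the slides): one way to build such a before-deserialization type checker for Java native serialization. The stream subclass below consults an allow-list in resolveClass(), which the JDK calls after reading a class descriptor but before instantiating any object of that class, so a stream naming an unexpected class is rejected before "create then cast" ever happens. The Host class and the sample byte streams are constructed for the demo.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Set;

public class CheckedDeserialization {
    // Hypothetical application DTO: the only class expected on the wire.
    static final class Host implements Serializable {
        final String name;
        Host(String name) { this.name = name; }
    }

    // ObjectInputStream that checks an allow-list in resolveClass(): the hook runs
    // after the class descriptor is read but BEFORE any instance is created.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    // Serialize one object to bytes (constructed sample input for the demo).
    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(Host.class.getName());
        // Expected class: accepted, then cast as usual.
        try (ObjectInputStream in = new AllowListObjectInputStream(
                new ByteArrayInputStream(toBytes(new Host("db01"))), allowed)) {
            Host h = (Host) in.readObject();
            System.out.println("accepted: " + h.name);
        }
        // Any other class in the stream (here a plain HashMap) is rejected before instantiation.
        try (ObjectInputStream in = new AllowListObjectInputStream(
                new ByteArrayInputStream(toBytes(new HashMap<String, String>())), allowed)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same allow-list can be expressed with the built-in ObjectInputFilter (JEP 290), either in code or process-wide via the jdk.serialFilter system property, which also lets you cap graph depth and array sizes.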
33. Conclusion
- We control serialized object
- Basic requirements
- Set class/object
- Call method
- Attacks on business logic
- Language independent (Ruby, PHP, .NET, etc.)