BSIDESLV 2018 - Ground Floor- Day One
Show transcript [en]
[Music]
[Music]
[Music]
[Music]
[Music] [Music]
[Music]
[Music]
[Music]
[Music]
[Music]
[Music] [Applause] [Music] [Applause] [Music]
[Music]
[Music]
[Music]
[Music]
[Music]
[Music]
[Music]
thanks for joining us I hope you are having an excellent besides okay so welcome to this track and you are off for a treat we have dort Markin presenting on uncie really colors I have a few announcements before we get rolling first of all we'd like to ask you to turn off your devices we will be live-streaming this and as a courtesy to everybody we just don't want to have any interruptions from phones or beeps going off if you have a question we would ask that you please raise your hand somebody will come over to you with the microphone so that we can hear it clearly and we'll also ask the speaker if if that's the case and the microphone
is not working too please repeat the question and that way everybody gets the benefit of the answer finally and most importantly we'd like to acknowledge our sponsors because without them this this wouldn't have been possible so our sponsors this year are Amazon oath assembly and several other really generous benefactors and we thank you all for being here today have a great talk check-check good okay so hi my name is Dora and welcome to my talk about the serialization attack called D serial killers sorry that the name is kind of [ __ ] I didn't choose it but let's go so a bit about what we're gonna go through today Botticelli's hell so we're going to talk
about serialization deserialization generally is a concept as a positive development tool in code and in real life scenarios I'm gonna go through this realization in some languages frameworks I'm going to exploit where we can gonna discuss it in java.net Python PHP go then we're going to talk about built in D serialization mechanisms and we're going to conclude with some best practices and mitigation techniques in a pretty broad fashion because I'm not gonna go into every single one so my assumptions are that you'll enjoy this most if you have some familiarity with code object-oriented terms that this thing is is it's going to be familiar to you some fundamental exploitation generally and specifically in web applications or applications in general
that you will have chill because I'm going to lie to you by oversimplifying a lot of concepts just to make it in time but I guess like everybody does that and in these kinds of talks and the ability to go really fast because we're gonna go really really fast at some point so about me my name is dor dor tamarkan I've been a knapsack team leader research team leader in check marks for the past two years previously I was a senior consultant Cisco for two and a half years doing red team's and penetration testing having a lot of fun and generally poking [ __ ] until it explodes for the past seven years I'm also father of this beautiful beautiful
and smart girl and this stupid dog who I love very very much I'm based off Tel Aviv Israel so represent and I talk a lot I thought fast so I hope I hope you're fine with that and opinions obviously are my own naughty words are my own [ __ ] on other vendors it's me it's not the company so without further ado let's get started so Wikipedia describes serialization as the process of translating data structures to object States into a format that can be stored or transmitted and reconstructed for later use I think that this is a very very good definition you have this sort of this thing in memory that has references and members and pointers and
all that [ __ ] and you need to push it through a wire that is basically meant for pushing bytes and by extension strings right so transmit it over a network put in database or whatever you need it in a bike format or a string format what I'm a technical guy I like knowing what things do look like in real life so these are some native language examples this is the Java object stream format that is sort of binary we also have this Python pickle right here which is a proprietary format we also have the generic types that everybody knows CSV XML is Jason's and specialized formats which I'm not going to go into they're kind of out of
scope for us like sea bore and protobuf okay so basically a serialized object can be transmitted over a network stored in a file written to a database and most standard serializers have access to you know multiple classes in their space basically they can reference almost any class inside of them obviously we need to also implement some sort of serialized interface in many implementations but we'll get to that and it doesn't really matter that much so I like to think of serialization it's sort of like soup in a cup you take a bowl of soup you dehydrate it you just extract its essence into a powder and in its powdered essence form it can be distributed to your local supermarkets
or stored in a warehouse and I think this is a very apt comparison for that and if you want your soup back you just add water and you got your thing and like I said I'm a technical guy so I want to see what that looks like in code using this serialize are called extreme I'm gonna call it X extreme because I keep confusing it but it's extreme we can see in lines one two four that I define some basic primitives I set them into a class called a testing class I created an inline six I'm I'm creating a serialize err the extreme serialize there then you know convert it to XML pipe and printing it out to screen and
the console output as as as you expect just like XML wrapper with a class name and all the primitives all the little members inside and this format you know very human readable transmittable storable whatever you need it to be at this forum then we can reconstruct it using very similar code right I mean they have drawn XML here and I pass the XML to it and then I get name and the name that I put into that serialize the object originally was John Doe and I can get it back from the now reconstructed object and the important thing to remember about serialization is that you have like two ends you have the serialize ER in the deserialize ER they can be
independent of each other but they have to match you need to have the parity to deconstruct and reconstruct the same objects in the same manner on both ends otherwise you're gonna have errors so talking about real-world examples of where this is would be useful so for example struts 2 has a REST API based on XML s where you can pass objects to the struts API and it gets deserialized into an object if you have an application for example a game where you want to save your world state into a file you just you can just be serialize all your world parameters save those in a file very handy it's also useful for distribution of work good example is that a lot of
distributed by a Python work is done by pickling you can pickle like classes of work and transmit them and then you're fine you you distribute it and you know there's just so many uses for this thing that can go on forever so isn't serialization amazing let's let's rewind a bit through all this these wonderful compliments this slide I love it because almost any class is [ __ ] money I mean that's that's that's the gist of it that's that's where everything rates the part that this automatical almost any class line so let's talk about exploitation but before we do there's a bunch of guys I want to acknowledge I'm really standing on the shoulders of
giants here a lot of aggregated data from other people's research Chris Alexander Morozov our Munoz James Forshaw for their work on Java and.net D sterilization and menu MO who disclosed the CV that I'm going to demo later just for for completeness of understanding what an attack looks like on a product so moving on struts to anybody familiar with struts - yeah the infamous struts - we're not going to talk about the Equifax ACK that's a completely different attack this is this is also quite similar in in its impact so open source MVC framework for creating web applications and somewhat renowned garbage fire of critical vulnerabilities that are easy to exploit unauthenticated I don't know they say it's it's coating
over convent or configuration so instead of configuration you have the most spaghetti code I've ever seen but let's not just [ __ ] on starts let's just it's also demo it's going on so you have your threat server on the left side on the right side we can see the rest API demo this is built into struts and we're creating a new order right through the this sort of nice web UI and then you know here I demo how you can create it from this XML and just submit an XML to the web application and there it is created let's try something a bit different so let's submit this bad boy I'm gonna go a bit into detail later about this
malicious XML the important part to remember or observe is that it's innermost classes or process builder a reference to the start method with CMD backslash c calc so i'm gonna submit that request and i get this error 500 anybody who's ever tried something on a java server knows this error screen so what happened what did i submit this this is a gadget I'm going to describe gadgets a little more succinctly later what's important about this gadget is that it's based off of classes available in in in Java and in the Apache Commons library which is very popular it's already parts part of struts so there's no like it's not custom struts or anything this is out of
the box from 2017 and I think that the interesting part about it is that it's impossible to you Rishta cailli detect it because we have this API that's receiving an XML as an input and I'm submitting an XML to it there is no like malicious backtick for sequel injections that you can qualify or something like that and if you blacklist these classes then I'm gonna find something else probably soyou ristic aliy it's equivalent to a good request rather than a malicious payload so let's see what just happened let's check our server oh no it's calc so our old friend calc so what happened really like under the hood there was a naive deserialize ER in struts and
spoiler it's extreme I chose it for a reason not just because it's very readable but because it's part of this demo and you can see in their code how they create this same generic constructor like generic extreme class that I created earlier and they fixed it sense and this is this is an interesting fix they deprecated the old call and they also like as you can see in the bottom half they also stripped all type permissions which means you can't be serious anything anymore and then they start white listing and adding classes that you can do you can be serialize now so this is a really robust solution by removing like these potentially malicious classes or any classes that
are unexpected so like I said that that was a gadget chain that's a nickname for sometimes nested malicious objects that invoke whatever your payload is in this case it was process builder they're very difficult to design sometimes sometimes they are very straightforward in this case that was a very complicated example well you do need to know about gadgets is that they must live off the land you can't invent classes or use glasses that are not imported by the codebase because then it's just not going to see let's just gonna say the object doesn't exist it must parse because if it doesn't parse it's gonna fail way before it gets to the serialization it's gonna fail at
the parsing phase and it doesn't always have to finish its work because the error 500 we saw unlike errors we're gonna see later isn't about creating the wrong type of object or unexpected object actually fails to create the wrapping object and only creates the ones inside but that's enough for me right I mean I want it is the process builder I don't care for the rest so it's owned by me but owned and we can move on to other technologies so Jason that we don't know if you're familiar with it it's a really good net a jsonparser and it's somewhat endorsed by marker soft you can see examples of it it's not by Microsoft it's by Newton
soft it's a very handy little parser and this is our D serialization code where I created a DC réaliser and deserialize some jason and from this order object i get the order ID and user ID and I pass this JSON object to it of type D serialization not the order that's like the project name and the class name and some data inside it and it's working as intended it's not very interesting it's cool but what would Jason convert deserialize do with with this fella so this fella is an object data provider which contains a system diagnostic process call to start very similar to the process builder that we went over earlier and when we pass it to this
order Jason converts serialize object we see that it pops calc so again this is a small demo app that just unbar sees like deserialize is this object but as you can see it works it works like a charm for this instance there are actually good implementations so this implementation is bad where you're casting order right ahead of the deserialize call but this guy's good where you have order in your generic notations right before the function like inside a function header so why is that because the implementation knows to look at the generic notation and say this is the type I'm expecting and if before object creation it sees that the type doesn't match it knows to fail it fails
during the serialization before object creation so without this anything gets deserialized and you know there are ways to get this to accept multiple classes but that's not the point the point is that this is very vague in terms of usage they put the brackets before they put the casting before the generic confession not everybody knows the difference and even if you do do you think of it when you're writing a line of code right like do i notate do i cast they both work just just as well and we saw an exception occurring and it was an invalid cast exception so we're casting the wrong object so it fails but again when we're doing the casting way too
late and we don't so this is another interesting use case so this used to have a pickle work meme it's a dead meme now so I removed it stop using pickle Rick please um so let's consider the following Python code we have this trade class we have we're creating the trade class and we dumps it using pickle to vary expected output as you can see it's a bit unreadable but because it doesn't really make all that much sense but you can see the data you can see the class name you can see sort of what you need and when you load it as you'd expect you can see it was successfully BC realized and we got John Doe again so for
strictly type languages it is an easier time for developers to discern what classes are what's happening like what classes are being created what classes are being handled and for untyped languages on the other hand it's actually quite difficult you can do some type a detection but not in pickles by the way pickles are completely vulnerable says so in the API so don't use pickles if you're expecting untrusted data because you won't be able to detect the type before you get started so we have these two two little samples I'm gonna use the window samples because I'm lazy and that's the VMI setup and you know I got this on pickling code on the left and on the
right we're expecting to use pickle loads and obviously I get calculi it's very easy Python by the way has a very interesting internal implementation for classes where you have the underscore underscore reduce underscore underscore method where what it returns is the pickled form and so if in this example I'm returning the pickled form as a tuple of OS system and the parameters I want to pass to it and then I dumps that object and I can or dump that class and I get the reduced form as a pickle so you can actually pickle literal code or literal calls to methods in Python which is very interesting so basically your spring loading addy serialization bomb using using pickles using the reduced
method which is cool and owned let's talk about PHP a bit PHP is a strange creature it's it's a very specific sort of exploitation method deserialization when you deserialize using native PHP it just goes through the underscore underscore construct another score underscore destruct methods which you know start of life life and then be construct end of life in your current running contact and in between it sets the members like it constructs it sets the members from your deserialized object and moves on so you can't really trigger anything particularly interesting because PHP has built-in limitations by its very design that save it from being you know roasted so anything built in like operating system calls like exact eval all that
sort of thing they're not actually classes because PHP is an object-oriented at it's very core it's very core these things are basically language constructs and not functions that belong to a class so it's not part of any class and by that it essentially white lists what you can call when you deserialize and by that I mean you can only attack custom classes or imported classes and and anything that is custom implemented but not the actual language so it can still be exploited there are exploits out there that are specific for D serialization and PHP but it has to be done very contextually with a lot of thought so moving on to go what would does anybody have any idea
what go D serialization would look like any go developers here any idea what D serialization will look like and go yeah but is it how is it vulnerable what would you so so in go you really can't exploit the sterilization this realization exists and go but because go doesn't really have classes it has structs and interfaces you can't really spring load anything you can barely you can populate a struct from deserialization but there is no active code beyond that it's more like parsing than it is D sterilization because there's no constructors no destructors no nothing to spring load so okay so that's go but at this point we have some idea of commonality between language and
exploitation basically these realizations streamlines converting objects to text and texts back to objects or string or bytes so it's dangerous if and only if you use it on untrusted data if you do it internally who cares I mean if nobody contains that then it's you're pretty safe but remote and naive D sterilization is basically RCB livery systems that said it is in in many cases only local and trusted and for some of the examples that we saw at KP is you can just replace it with a parser you can build your own so it's not like there are whole technologies designed to distribute object objects via serialization right yeah so moving on to message queues and the
serialization message queues are literally there to distribute messages it's exactly what you expect if you've never worked with one you have like a queue you push a message into it somebody pulls the message or publish and subscribe depends on your implementation how you describe it and you know there are agnostic and queues where it's just strings or bytes there's no like wrapper functionality around it those are obviously not very relevant to us because we want the whole thing we want we want things that allow sending objects where your end-to-end solution is serialized published read what you published and then deserialize it on some other note are they basically end-to-end delivery system for remote code execution bombs yes so Java JMS is
documented well documented is vulnerable there's a really good talk by Matthias Kaiser from blackhat 2016 opponent messaging systems that describes multiple ways of exploiting it and this code snippet here this JMS thing this little snippet is just like a basic on message event where you receive a message and you get the object and as soon as you reference this get object method without verifying what's in there it explodes like it runs I'm not gonna demo it because you've seen enough culture for the time being so that begs the question what about dotnet because whenever there's something cool about Java we go looking for it and dotnet because once a knock off so it doesn't have Microsoft message QMS MQ it's kind
of cool it's ancient but it's still in use and when I say it's still in use it's still a feature in Microsoft Windows and up to ten like it's still there you can still enable I can MSM Q server on your system and it's baked into dotnet as part of system messaging DLL so it's it's it's it's still there and this is what a message queue kind of looks like it's added to your computer management you can see the queues you can even read the messages that are waiting inside the queue so it sits there and it has two object serialization suites or for matters one for XML one for binary and we embarked on some of our trademarked research the
only reference we could find for any security issues pertaining to message queuing in in Windows that isn't that particular CVE but rather the technology itself that's bad is a reference to the binary message formatter in Friday the 13th Jason facts on the talk the paper which is again highly recommended but that's it all we know from that is that it uses binary for matter and is therefore likely to be dangerous so being being the savvy researchers that we are we browse to MSN msdn.microsoft.com to look into it and we saw that binary message formatter is very efficient and fast to parse and has faster throughput and works on pure speed and you might ask how fast does it go too fast it goes too
fast it doesn't do a lot of vital checks that would have been saving its bacon at this point so let's look at the sample code from MSDN there's a receive message method very basic it creates like a queue object it sets the formatter and it receives a message reads the body of the message as a bitmap because it's a binary like it's a byte stream and tries to save that to a file so we take this nice little exploit known gadget called pipe confuse delegate and we push it into a message with the binary message formatter to see what happens on the receiving end so we have this basic MSM queue sent and received code we push the
message into the queue and we read it using the Microsoft code and pop also also we can see that same casting error from before and if you can see it's highlighting the bad cast for bitmap obviously because I didn't send a bitmap it was not a bitmap so Microsoft samples being dangerous isn't great but isn't news either there have been several talks about demo code from Microsoft being vulnerable like from MSDN so we did some digging into more official stuff by Microsoft about the message queuing system and figured you know maybe it's bad because they're trying brevity I mean it's demo code it's only intended to read like a message and maybe like they have something else so we went on the
Microsoft github and found this solution called large message queue and you know it's just a basic forms application that you have this queue and you send the file like a bitmap and you read the file from the same queue and you're done basically it's a wrapper for the existing message queue that is designed to handle some loss when reading the image from the message queue so we took the same exploit and we pushed it into the same queue being used by this windows forms application and crafted the same malicious message messages before from a different application so now it's in the same in the same queue that's being read and we click receive the mam
so you know toi so as you can see as soon as the binary message formatter is set like the immediate following line is dereferencing like the body member of the message as soon as you step into the message body it's caca o'clock baby so very cool we the exploit that we used was for dotnet for now that project is kind of old it's for dotnet 3.5 so we figured like there aren't nobody actually published like any or at least that I know of like exploits for dotnet 3.5 for this realization because a lot of the gadgets like I mentioned before depend on classes that you have available but we did successfully modify one of the
existing gadget chains by changing around some versions and tinkering with it just very minor tinkering just to get it to work on dotnet 3.5 which is very very cool because then you can consider any usage of the binary message formatter since 2007 is vulnerable so I mean it's ancient history but you know still there and binary message for matter is exploitable by default you can't explicitly set types I couldn't method of setting a tie for binary message Florida or a check or some sort of canary whatever for detecting object creation before it actually triggers and it's intended for remote use guys it's a message queuing system so they can't go like yeah it's local it's it's don't
don't use it like that there's no other way to use it and and what scenarios that we observe this class being used so you can find a lot of demos white papers about using it a lot of snippets on on github and and stuff and it's recommended for high throughput and large messages and complex objects it's not particularly uh not particularly popular in open-source but that makes sense because Message Queuing is sort of a middleware solution so you're gonna find it in proprietor implementations you're gonna find it in internal enterprise networks and you know it's anecdotal it's not evidence but I've spoken to some DevOps people and they knew exactly what I was talking about so it's very very interesting in
that sense we did observe some traces of it in older implementations like it's not used in newer versions but I guess it was pruned because it's old that said it's still available in older monoliths I suppose so where else did we see it like I mentioned before and like github but we also found it in books so they have a vulnerability in books folks this is exactly the same way like you define the binary message for matter is your formatter and at some point in this long link expression it be references the body twice so that's twice we found it in other books like F sharp by O'Reilly oh by the way that previous book was
dated 2015 so it's not that old it's like people still in people's minds it's still sort of part of the ecosystem it's still built into dotnet an F sharp in this book in this book and that leads to the only reasonable conclusion we just don't read [ __ ] books I try my darndest to adhere to that um so obviously we confronted Microsoft and as they said did not meet the bar for security servicing fantastic closed no longer monitored yet danced but you're also owned people were actually good sports about it where O'Reilly they're like yeah we'll notify all the editors of all the books that you mentioned or that were irrelevant to arriving not all
of them are Riley's fault aware of me of making any necessary changes before printing them I think that's the that's the spirit that's that's how you do it so moving on from exploitation let's talk about additional risks this realization isn't just remote code execution you can add checks you can add other things you can use it safely but there are still additional risks to that so these realization errors obviously as you could see they throw exceptions and you know Irenaeus behavior and all that stuff which is not very sexy but you know it's part of part of the whole thing of security I guess what is interesting to me is that in some languages and some implementations of
this realization the object is built from a reflection in the sense that it doesn't use the same Constructors that you think it uses it doesn't use the same setters that you wrote so it might be bypassing your logic and might be bypassing your checks and you wouldn't know for example if I deserialize an object that has an integer representing an object ID like an order idea or user ID I can set it to minus one and you know it's not going through the setter that makes sure that ID is a positive integer or isn't already taken so you know your deserializing naively and i might be bypassing your logic through that and that's very very interesting
because even if that means that even if you do check for classes and and everything is on the up and up and you can't be sterilized a malicious class i can still do a lot of harm from naive deserialization so you can't assume any thing about values and logic when you deserialize for some implementations for some it works just fine but you would be surprised which D sterilizers do and don't go through setters and constructors so from an industry perspective I think that it's very interesting to see just how many critical vulnerabilities are found in vendor provided products I bet some of you bumped into it you know some of these were wormed and/or converted
into worm that for crypto miners for stuff like that it's very very cool I would suggest like if you're interested just follow up and on this list just to see what's up it's also part of our top 10 now o ASP is known to sort of fit themselves to the spirit of the time so they decoupled the serialization into a eight from a one injection which is broad and you know it helps them catch the media buds for this and also know bathe in some industry tears which is lovely which is exactly what I'm doing right now for in terms of like CIA and stuff like that you get a bunch of CVS as tens and a lot of
critical vulnerabilities going on when you get to a ten or a nine point eight it's like total game over complete destruction but you know I can also like I mentioned before tamper with your integrity by bypassing logic and stuff like that and obviously there's the whole stability issue thing so um this is Mark Reinhold I don't know the man he's a chief architect for the Java platform at Oracle and he says that serialization in its current form was a horrible mistake made in 1997 did that extent Oracle is planning on dropping support for serialization in Java in its current form and I have to say that this does not matter this does not matter at
all because if you tell me that a software update is going to break my code I'm not going to install that software update naturally and if there's there's Java Oracle and there's other Java JVM I'm gonna switch over because I'm not gonna change a line of code and and and when I say me I mean enterprises that have been relying on this code for decades sometimes so it doesn't matter you can't unring this Bell there is nothing you can do there is just this the regular cycle of testing and finding and mitigating and or getting hacked and crying on TV but this this approach is not gonna work that's or at least that's my opinion
we'll see that I'm right so mitigations do's and Dusen's as we saw before catching exceptions from failed II civilization it's too late and probably irrelevant then you lose and we when you make assertions it's the same thing I mean it's it's it's gonna be the same thing it's gonna be way too late actual mitigations are about never deserializing untrusted data unless you have to and I stand by that I don't think you should DC relies on trusted data but particularly in untyped languages you're gonna have like the same challenges that we mentioned in Python and untyped deserialize errs it's very important you saw the constructor that I used for my first demo you saw the constructor and struts that those
were untyped that should be that should really raise your eyebrows you have this thing that magically converts any object to something and then converts it back so it's it's it's obviously inherently part of the paradigm to always serialize by defining what types you expect otherwise you're gonna get these gadgets that as complicated as they may seem not impossible to design obviously so there's also the matter of dangerous types which again sort of like the logic part but also what I mentioned in PHP if you have like a class that is dangerous and you know can save files or overwrite files on one end of your applique and deserialize on the other end of your application the derealization can talk
to that class without you knowing and then you're screwed despite trying your best to not deserialize or use a language that is new civilization safe and all obviously always whitelist the classes you're expecting no wildcards no nothing the exact classes that you're expecting so always test your D sterilizers when you're working with them even if you are using a well-defined whitelist check if you can nest objects tests if you can maybe inject the wrapper of the object or or just tinker with it see what happens always fail before you create the object because if you fail after object creation like the exceptions that we saw it's not good enough and if you are if your object has
logic check that lat that logic is gone through in your code flow and if it doesn't you need to implement reimplemented object after you deserialize don't just assume that because the object constructed correctly it's going to be a good object or or safe for you to use or consume and it's deserialize the form if you're still very very paranoid about this you could build your own right just parse it grab the the variables put them in a constructor and use that and you know it's very poor performance none of your code is gonna be as fast as built-in deserialize there's especially binary ones it requires work on your end because you're gonna have to do it for
each and every class that you'd be serialize but it's secure maybe I mean it's if to you guys right but it is a less magical idea than serialization which does things for you and you can't be entirely sure what exactly is going on could be dangerous objects could be by passive logic so it's a conclusion the serialization is kind of awesome but maybe it's too awesome it's too too magnificent for this world and it's a classic example of things working automatically and that's that's sort of a key concept in vulnerabilities in this industry is that it was doing something so magical that nobody knew what it does until they did it can be very very deadly and I
from RCE and to to manipulation there's still a lot of potential areas to explore we just bumped into this binary message formatter a couple months ago added post-hoc to this presentation but I still think it's cool go go out there and look for CD serializers it's gonna be built into other things it's gonna be very interesting for you and never trust that deserialize are always tested questions have to but I'll do one and then wait and see if other people do first would be the MSM queue stuff is that remotely detectable just like a few nmap Oh windows box and yeah does it tell you you can you can remotely send to message queues I didn't think around
with their settings too much but obviously the default settings for a private queue means it's remotely accessible in a local network so if you want to weaponize that go ahead sir I'm more interested will nmap actually tell you this is a shock you yeah it's got its own unique ports so very frequent rentable thanks for a great talk is there any examples of people using JMS safely like or is this the way to do it JMS oh yeah you can you can oh you can just try to get the type from the message before you open it it's just the idea of getting the object before you test it it's a lot like regular mail you
know like screening for bones and sheds so but yeah you can you can and in Java there's also a lot of very simple implementations that you can implement on the object input stream to verify types and stuff like that and that also applies by extension to JMS so you can you know the thing is that this is hastily written and very basic example and it works and that's kind of the problem isn't it that it works without any sort of checks and that's why it's still out there and in so many forms well thank you for the great talk very interesting I just wanted to ask you what is your approach in finding the gadget changed to it's a git remote code
execution once you know that you are you are using untrust they are using untrusted data to deserialize the object so first of all none of these gadget chains especially the complicated ones yeah no Java one and dotnet ones and now mine I credited the the guys who developed it it's actually very difficult to make something specific however you will find that this applies these are these can work on very specifically serializers there aren't that many variants of these sterilizers out there so you go by what this utilizar is actually being used and I would imagine that for proprietary implementations you can find out by just checking for the exceptions like if you have a black box just look at the
exception I was able to detect some that there's l OS formatter for example it's got very clear errors that tell you like what it is so you already have like a set of D serializers and potential exploits in Y so serial net and now all you have to do is find the unsafe usage excuse me let's go over here here's a question thank you thank you over here it's got a first line Thanks I know that you mentioned a pickle for Python is there any safe way for doing the Civilization Python I didn't you know I'm a negative guy so I just go for the bad I don't know if there's a secure solution particularly I there probably
is but the concept of typing in Python is is complicated it is good for distribution of workload so if it's just you know if you can trust what you're getting and just I don't know encrypt the stream and authenticate just make sure that the channel itself is safe and then you can you know the problem is the serialization of untrusted data if you disable one of these nodes then you should be fine but it's under use it sits on you you have to make it secure okay second question when your believe what you're talking about JSON with the casting versus generic stuff um could you do say it was customer object no can you do a member of the customer as one
of the malicious objects instead and then the top-level stuff is still a customer but say his address is the malicious object that's a very good question it's a very complicated question because it depends on the unique implementation of each of these objects so for some of them it should be possible but complicated and it depends for example if you pass an object that has some sort of data provider interface that is part of the implementation of the class then maybe you can shove a data provider like an object data provider that we saw here and I also know that samel reader of an object provider is vulnerable it's in another gadget so maybe you could nest it into
this customer object but generally if it's just data types it might not be possible it depends on whether it's possible to nest and how you can reach classes on the object graph data for vulnerable by design or I don't know like you can chain them into this gadget chain I would say that it's theoretically possible because the Java thing I showed you guys is a very complicated object that starts from a map and goes through some internal types and and and a lot of interesting things all the way down to process builder so it's it's potentially possible yeah maybe it depends on uh nesting capabilities okay so you need to wrap up so thank you guys for attending
[Applause] [Music]
[Applause]
[Music]
[Music]
[Music]
Related talks
51:51
32:48
33:48
54:33
31:06
20:51