
Practical Serialization Attacks

BSides Belfast 2017 · 46:44 · 76 views · Published 2017-10 · Watch on YouTube
Category: Technical · Style: Talk

Transcript [en]

I'm a managing security consultant at NCC Group, ex-software developer. I used to develop all kinds of software, from desktop software to web, to games and even software for some machines, and I think of myself as a hacker, a breaker. I like to make stuff and break stuff, solve problems. Outside of work and technology I'm a hiker, and you can find me on the Internet, Twitter and what-have-you.

So, first thing: thumbs up if you would know what to do if you saw this packet during a pen test. That's right, welcome. Cool. So I'll start off with a story. I went to a customer site to assess a web application, except when I got there they told me I needed a specific old version of Java. That's a bit strange for a web app, but I thought maybe it's a Java client application that communicates over HTTP, so I started to build a VM and set it up to poke around with this application. Eventually the application responded to a test login request with something saying that the account was locked out. That was strange, because I hadn't seen any requests go through Burp Suite, so I fired up Wireshark to see what was going on, and it turns out that it was just a Java application served by an HTTP page; it was a Java Web Start application, so it was actually just a thick client application. With Wireshark running I generated some login requests and I saw a packet like the login request packet that I just showed you. So it was a login packet, like I say.

Now let's see: the discovery of a vulnerability that survived multiple previous pen tests. Every time a new version of this application was rolled out onto the network it had been tested. It was found on a server that had a hard exterior, but there was something inside, and from that server I was able to jump around the entire environment, from pre-production to production. I was in at least three different data centres.

So I would have missed that vulnerability as well, as all of the previous pen testers did, but I'd done a lot of research into Java deserialization stuff, so as soon as I saw that packet I recognised it and I knew what to do. That's what I'll be talking about today; everyone in this industry needs to be learning constantly. So, practical serialization attacks: we'll look at how we can identify these kinds of vulnerabilities, or potential entry points, and how we can then attack them using existing tools. The first thing to point out is that practical doesn't mean point-and-click. Generally these kinds of attacks are a bit more involved, but I would put that in line with something like SQL injection: you have to poke around a bit more, tweak a query a bit more, try and bypass filters. But they are rewarding; these kinds of vulnerabilities generally get you command execution on a box, so it's worth doing.

So we need to understand how serialization works and how these kinds of vulnerabilities can be identified and attacked in order to do it effectively. Start with some background. Serialization is the process of converting runtime variables and program objects that are in memory into some form that can be stored on disk or in a database or transferred over the network. The reverse process, deserialization, takes that data and turns it back into runtime objects and variables. The more complex the runtime data structures are (object-oriented programming languages have objects embedded within objects), the more complex the serialization format and process has to be, and the more complex that format and process is, the more scope for vulnerabilities there is. There's no fixed format for serialized data. It can be a custom format, it can be a built-in format that's provided as part of the programming language or API, or a standard format like JSON or XML. Built-in formats are easier to use; you don't have to do anything to use them. I'm focusing on Java for this talk, but the high-level concepts apply to other languages and technologies, for example PHP and .NET.

The built-in serialization is easy to use. In Java, in order to make a Java class serializable we just implement the interface java.io.Serializable. Once we've done that we can pass an instance of that runtime object to an ObjectOutputStream and we can write it to a file or over a network connection, and to read that back we use an ObjectInputStream and we can read the data back. That's all there is to it; really easy to use. The actual data format can be described as a simple stream format. Each stream starts with a 0xACED magic number, followed by a two-byte version number. I've only ever seen version 5, though there are older versions that exist and in future newer versions could exist. That header is followed by at least one content element. The reason it's a stream format is that there can be multiple content elements, and you just read and read and read until the end of the stream, until there's no more data. A content element will begin with a byte in the range 0x70 to 0x7E, so for example 0x70 is null, an object is 0x73, arrays 0x75 and so on. The actual specification can be found online on the Oracle website, and it's been documented in other places.

Some examples, just to show you what serialization data looks like. A minimal stream: you've got the two bytes AC ED, the header magic number, the version number 00 05, and then 70, which is a null element. For a string, again you've got the header, you've got 74 which is a string, 00 04 is a two-byte length field which tells us how long the string is, and then we've got the actual bytes of the string. And then this is a basic object, a better example of what a real application would actually produce. So we've got 73, which tells us this is an object, 72, this is a class description, and then we've got the rest of the data for that class: the length of the class name, the actual class name and so on.

Deserialization in Java is done using ObjectInputStream, which parses data sequentially. It reads the stream, tries to instantiate some element from a content element, gets the next one after that and so on, but there's a gotcha. The first byte of a content element tells us the type, whether it's null, string and so on, but it also tells us the format of the data that follows. Like I said, in a string you've got a length field and then you've got the actual string, then you can have additional content elements. Data is instantiated as it is read; it's instantiated immediately. So if I've got an object in the stream, the data for that object is read into memory, turned into an object, and then Java will carry on reading from the stream if requested. There isn't much validation performed, if any really. So for example here we're calling ObjectInputStream.readObject to read an object from a serialization stream, we then cast it to a String and assign that String to the variable s. The validation kind of happens there: if the object that we read from the stream isn't type compatible with String then an exception will be thrown, and that's kind of your validation, so your program should handle that exception. You know that the data is not how we expected it to be and you throw it away or whatever. But while the deserialization is happening, Java doesn't care. It's going to read an object from the stream, instantiate it and then return it, and by that point it's too late, and we'll get to that.

If a class implements the Serializable interface, it can also implement a readObject method. This method can be used in place of, or in conjunction with, Java's default method of reading objects, so you can read custom data. It can have a version embedded in the stream so that you can, for example, have a newer version of your software compatible with older versions of data. But we can also use that readObject method to sort of handle the event that an object is loaded. A daft example of that: a class that manages a database connection. When you serialize that class it might write the database connection parameters to a file using serialization, and then when you read those back it might automatically reconnect to the database. So that's how we might handle an "object loaded" event.

Deserialization vulnerabilities occur when we as an attacker have control of the data that's being deserialized. By controlling that data we control the properties of the objects that are being instantiated in memory, including the type of the objects. So in our example where we cast to a String, we don't have to have a String in the stream; an exception will be thrown, but by that point an object has already been instantiated. By controlling data we can control code flow that depends on that data, and that includes any code that's in a serializable class's readObject method that handles the "object loaded" event, and any interaction with an object that's been loaded, that's been read from a serialization stream. So if code calls readObject and then interacts with the result, again we can manipulate the code using the properties of the object. This is called property-oriented programming: we control properties of objects to influence the flow of code execution. The payload, like I said, controls code; code that we control through controlling properties of objects is called a gadget. We can think of it as a high-level ROP gadget, except a ROP gadget might just push a value onto the stack or pop one off, whereas a POP gadget might write some data to a file, for example. So it's much, much higher level, and generally exploitation relies on knowledge of source code. We need to know what code is executing when our object is instantiated in order to be able to manipulate it. This seems to be a point of confusion when it comes to this kind of stuff. With a memory corruption exploit you kind of expect to be sending some kind of code to the application and it's going to eventually execute that code. With a deserialization exploit we're sending properties and we're manipulating code that already exists. It's not always possible to acquire an application's source code, so how do we attack an application without source code?

Anyone that's done any of this kind of stuff before, or read anything about this kind of stuff, should have heard of ysoserial. ysoserial is the result of various researchers who looked at all of these libraries and some more and basically said, right, what code is there that we can manipulate to do something useful to an attacker? They built a lot of POP gadget chains and published them in a tool called ysoserial, which generates these chains and generates these payloads. Most of these payloads enable us to execute commands blindly, so we don't get anything back from those commands unless the command does something visible; so, like, we can ping ourselves and we'll get output from the ping command.

So how do we attack Java deserialization? There are three key parts to a deserialization attack. The first part is an entry point, the second part is some gadgets, so ysoserial, and then actual commands to execute against the target environment, and I'll go through those today. An entry point is any part of the application that deserializes data, so if we're looking at network traffic or we're looking at files that an application reads, you can identify serialized data by the magic number and the version number. Ideally you want five bytes to identify a serialized stream: the header and a byte in the range 0x70 to 0x7E, because that's a valid serialization stream. So we've got some payload that's clearly not plain text in Burp Suite; we click on the hex view and you can see that AC ED 00 05 73. Again, the same thing in Wireshark.

Base64-encoded serialization data: in a web application, for example, where we're working with a text-based protocol, binary data is not very nice to use. It isn't really compatible with a text-based protocol, so we might base64-encode the data, which produces a recognisable pattern. So if you see a cookie or an HTTP header that starts off with lowercase r, capital O, zero, capital A, B, X, then that's serialization data. When we're looking at some serialized data, Java serialized data, there are a handful of other indicators that this is definitely serialized data. The first thing is Java class names; you'll see stuff like sun.reflect.annotation.AnnotationInvocationHandler comes up quite a lot, and so on. There's also another format for that, and that doesn't come from the serialization data format; I don't know the exact reason for it, but in certain places the class name will be in a slightly different format. It'll begin with a capital L, end with a semicolon, and instead of dots in between the package names and the actual class name it's forward slashes. Another thing that stands out, again from the stream format, is that you'll see strings like "sr" and "xp". "sr" tells us this is an object and this is a class description, 0x73 0x72. "xp" is seen at the end of a class description; it tells us that this is the end of the class annotations and that this class has no parent class, and after that is the content, the data. So looking back at that login packet, we could see all these indicators: we've got "sr", Java class names, "xp", but there's no AC ED 00 05, and the reason for that is this was the first of the login packets that I actually saw in Wireshark when I was testing the application, and the reason for there being no AC ED 00 05 is that that's a stream header that only appears right at the start of a serialization stream. What this application did was, when you started it up it connected to a server and used an ObjectInputStream and an ObjectOutputStream to read and write over that connection, so the serialization header goes in each direction once and then subsequent packets don't contain the header, because we've already opened the stream, we've already started the stream. An interesting point here: this client had an IDS in place which had rules to detect these kinds of attacks, but it looked for those bytes and some additional bytes in the same packet, and because my payload went over the network later on, my attacks went completely undetected. So don't rely on seeing the header; it should be there at the start of the stream, but if you see data that's a bit further into the stream then you're not going to see it straight away.

Once we've identified an entry point we need to work out where to actually inject our payload. The simple case is that we will see the serialization stream header and it will be followed by a byte in either of these two ranges, 0x70 to 0x76 or 0x7B to 0x7E. All of the bytes in those two ranges are content elements, serialization stream content elements that can be read as an object. So if you call ObjectInputStream.readObject you can read any of those content types; the ones that aren't in those ranges it won't read, so there is some validation going on. So if we see that pattern in a serialization stream then we can replace the fifth byte onwards with a payload, an arbitrary object. When that stream gets passed to the target it will read the header and it will start to instantiate an object, which is the object we put in the stream. Once our object's instantiated and returned from ObjectInputStream.readObject there might be an exception from something, there might be an error somewhere, but by that point our object has already been instantiated in memory and we've potentially already had control of some code and exploited the application. It's just too late.

There are some alternatives to that. The stream might start with a block data or block data long element, so again we'll have the stream header and then we'll have either 0x77 or 0x7A. 0x77 is followed by a single byte which is the length, followed by that many bytes which are the actual block data. 0x7A has four bytes for the length field and then that many bytes after that. If we see a byte in those ranges after that, then we can replace that byte onwards with a payload and we can inject there. So I've got an example where we've got the header, the magic number and the version number, then 0x77 so we've got block data, 0x08, 8 bytes long, 8 bytes of block data, and then 0x73 is in one of those two ranges, so we can actually replace that 0x73 onwards with any object we want and pass that to the target application and it will instantiate our object.

For more complex situations and cases than those I built a tool, because I've spent ridiculous amounts of time manually decoding serialized streams of data and working out what all the different things are and where exactly I can inject a payload. So SerializationDumper: you give it a hex-encoded serialization stream, or you can import a file, and it will attempt to parse that into a human-readable form, and what we're looking for in there is again those two byte ranges, 0x70 to 0x76 and 0x7B to 0x7E. As we can see in the contents, the first one is a string element, 0x74, so we can actually replace from the start of that with an object of our choosing and it will be instantiated. This tool is on GitHub; I've got details of that a bit later on. Essentially we're looking for a content element that's got the type 0x70 to 0x76 or 0x7B to 0x7E, and we can replace that with any object we want.

So we've got an entry point; we need to find some POP gadgets that we can use. Like I said, we need source code. Where to find POP gadgets: you're looking for readObject methods and you're looking at the code in those methods and how you can manipulate it based on the data that's been read from the stream, the properties of the objects that are coming across. And we're looking for ObjectInputStream.readObject and code that interacts with the return value; any of that code we can manipulate using the properties of that object. Well, that's not very practical; we don't always have source code, and I'm talking about practical attacks. So, like I said, ysoserial. There are these common libraries that are used by lots of applications. Commons Collections is one of the most commonly known, and loads of applications are still using it; I would say it's still the most common vulnerable library for this kind of stuff. So ideally we'll have some background information on the application, or we'll have an information disclosure that will give us some idea of what libraries are in use, and we can just go, right, that's a vulnerable library, fire the correct payload at it, and away we go, hopefully. If we don't have that information we can kitchen sink it, which is throw everything but the kitchen sink at it. So we've got ysoserial; it generates all these different payloads for all these different libraries; throw them all. Just an example: if we know that any of these libraries are in use, the jar files on the left, then we can use the payload on the right. Some of these overlap, so I think the Commons BeanUtils payload relies on Commons Collections being present, so that might not be so useful. But to do that kitchen sink thing, I've got a Python script which I've used quite a few times to pop this kind of stuff. It's just got a list of ysoserial payload types, loops through them and calls ysoserial to generate a payload; that generates the serialized object that will execute a given command using one of these POP gadget chains, so CommonsCollections1 for example. We then call firePayload and we pass all the bytes to that method; firePayload will be whatever it needs to do to deliver that payload to the application, so maybe fire a certain sequence of packets over the network and then inject the payload into the stream and send it over the network. That's potentially risky: we're firing a lot of random data and objects at an application; we could crash it. I've never seen this happen. The application would likely fall over anyway if it was going to fall over because of this, so it's probably not that bad, because any strange data going over the network hitting this port would probably cause it to crash if it was going to. Nevertheless, it's definitely noisy doing that, because we're going to generate loads of packets, different payloads, all over the network. The issue is that we're doing blind command execution with these payloads; we don't know that the POP gadget chains and the libraries are present, or which ones are, if we're going to just fire all the different payloads. So we might fire ten different payloads at an application and we might see that the server starts pinging us or something, but we don't know which of the payloads that we used actually caused that to happen. Another thing is we might find nothing's happening, nothing seems to be happening. Is the payload command that we're trying to use actually available on the server? Is there actually some firewall in place stopping traffic from reaching us when we've executed a command? We don't know. So ideally we want some feedback from the application. I said you might ping yourself; a word of warning on that: if you do try that, make sure that you limit the ping count. When I did this I got a bit excited and I forgot to do that, so I made some processes constantly ping my box, and I managed to get on the server and kill them off. But actually a better option is to try an invalid command. Generally when you're attacking these kinds of issues you'll at least get exceptions back over the network; I don't think I've seen a target yet that didn't send an exception back. Now if we use an invalid command then we'll get an exception, an IOException that says cannot run program "xyz", and that's not present on the server. We'll get that, so we can confirm that the POP gadget chain that actually triggered that is available on the server. If the POP gadget chain isn't available we'll get a ClassNotFoundException, because we've sent our object of a class to the server, the server has attempted to instantiate an object of that class and it doesn't know what the class is, so it's gone "I don't know what that class is". So we can fire a single payload with an invalid command and we can find out whether the POP gadget chain is usable, and also, using the same technique, we can find out whether a command is available.

So that's payload commands. There are a few quirks with this. Like I said, we've got blind command execution; if we've got an entry point and we've got some POP gadgets that work, usually we want a shell, we want more access, so we want a nicer way to interact with the server and then pivot to other systems. So the first thing that we might do is try and enumerate the commands available in the target environment, the same technique that I just mentioned: if we get an IOException saying cannot run program then we know that the POP gadget chain is available, but we also know that that command isn't available. There are some limitations to the payload commands that we can use. These POP gadget chains in ysoserial use java.lang.Runtime.exec with a single String parameter, and what that does is take that string, split it on the space character, and then the first item in that array is the command to execute and the rest are the parameters to that command. That means that we can't use whitespace in parameters to that command. So for example we can run this command, you can see the parameters are in different colours, and we can't use this command because we've got spaces in between, meaning that the parameters get split up, as shown there with the different colours. We also can't use shell operators, so piping and output redirection. I'm going to skip over these: some examples of payload commands that we can use, on Windows as well. I came across this after the first time I delivered this talk: a payload command encoder. Type in arbitrary bash commands, PowerShell, Perl, and it encodes those commands so that you can use them with Runtime.exec, so we just take that output and we can execute whatever command we want. Hopefully. Windows, where PowerShell is, is obviously a bit more difficult, but we can probably get there.

We've got all these things now, so a couple of case studies. The first one: Spring Framework has a feature called HTTP invoker. People will talk about remoting generally, but this is the HTTP version; there are other versions of it. What this allows us to do is expose a bunch of Java classes over HTTP. That's facilitated by the Spring RemoteInvocation class. Essentially what we do is some configuration stuff with Spring Framework and we say, right, this class is going to be exposed over HTTP remoting. On the client side we do a similar configuration; we say, right, I want this object, and Spring does some logic in the background. When we call a method on the object, Spring will fire it off over HTTP to the server, which will decode the RemoteInvocation object and call the method, get the result and send it back. That's done in the body of an HTTP POST request, and it looks like this. So that's our entry point, literally just the body of a POST request: put any serialized object in there and the server-side Spring HTTP remoting will deserialize it. This is an extension to the script I showed earlier where we're looping through different payload types; firePayload just does a POST request using the Python requests library. It also checks for the ClassNotFoundException, which tells us whether that POP gadget chain is supported on the server.

So using that you could pop Spring Framework, Spring HTTP remoting, but it doesn't happen, though, and the problem here is that I'm sending a HashSet object to Spring Framework in the body of the POST request. Spring Framework is deserializing a HashSet, but it wanted a RemoteInvocation. I should have sent a RemoteInvocation object, but it just deserializes it anyway. The HashSet object that I sent isn't compatible with RemoteInvocation, so an exception gets thrown and the object that I sent to the server never reaches the application that's using Spring HTTP remoting, because Spring Framework itself can't cast it to a RemoteInvocation. But according to Pivotal, who make Spring Framework, that's not an issue with Spring Framework. Go figure. The guy who's been securing it, on the Pivotal security team that I reported this issue to, has a CVE number for a report on a very similar issue in, I think, JBoss, and he still thinks that this is an issue with Spring Framework. As an application developer, you won't ever see that payload.

Second case study: Acme Money. Obviously that's not what it's called; I can't reveal the name. This is where that login packet was from, so exploitation was a little bit more involved this time, still easily done, and scripts can still do it quite easily. So that's probably serialization data in the stream; we can see that quite clearly, though like I said I didn't see AC ED 00 05. So we started the application, fired up Wireshark; sorry, closed the application down, fired up Wireshark, restarted the application, and I captured the full communication. Actually it was quite simple: there was just an initial packet that went out to the server, a response came back, another response came back, and then, like I said before, you're looking for a byte in one of those two ranges, so 0x73 in that second outbound packet, that's the injection point.

Sorry, yeah, let me highlight the stuff. Some points to make here: this very first packet, the following bytes there, is static every single time I did this, so I knew that I could just send that same packet, replay that same packet, to the server. As we can see, we've got the firePayload method from that same Python script, or a copy of it: we connect to the target, we send that first packet, which is static every single time, we receive two packets from the server, don't care what they are, just throw them away, and then we send the payload. The reason for the square brackets, the four colon, is that the stream header was already sent, the AC ED and so on, so the payload contains the stream header; we just trim that off and we send the rest of it, the payload object. So I threw this script together based on the packet capture, I fired it at the server, found out that it was using Commons Collections 3.1 and got command execution. Got quite a lot of command executions, actually. So at this point I've proved that I'm executing commands on the server, and you could say that's job done, but this is a good example of what you can do with this kind of issue, and there are loads of big enterprise applications that have this kind of issue, so I've got to carry on.

Obviously I wanted a shell, so I used the technique that I've talked about to find valid commands on the server. I tried netcat, wget, curl; got the error that the command didn't exist. I found that Perl was on the server. At the time I wasn't aware of the payload encoder I mentioned, so the problem now is I can't easily write a file because I can't redirect output to a file, for example, and with a Perl shell one-liner I've got to use sockets, so I need a space in the parameter to perl. So I poked around a bit more and eventually found that the server had the TFTP command available. A quick Python script set up a directory as a TFTP server on my box, and I had access to the file system, then I could download stuff from my box, I could upload all sorts to the server, so got a shell on that server. This was the first time I'd come across a box like this; I do mostly application testing and code review, so it was the first time popping one of these, and that was a bit of fun with the commands, but it was also outdated, because obviously operating system patches hadn't been applied, and so from the privilege escalation exploit I thought, awesome, I'm done, I've got root on this box. But the exploit was written in C and I didn't have build tools available on the box, but it did have Perl, so I rewrote my exploit in Perl. It was painful, but it was worth it, because I got root on that box, and like I said, from there I jumped around the entire network. They got alerts when I logged onto the production servers; it was like, "it wasn't me".

So like I said, I'm talking about practical deserialization attacks. These attacks are as practical as other attacks, they're not as easy to do, but I've got some tools that hopefully make it a bit more practical. The first one is SerialBrute. This is basically those scripts: SerialBrute will replay an HTTP request or a TCP conversation and will then inject a payload at some point, and it will brute force through the payloads. It'll stop at each one and ask "was it successful?", because ideally you don't want to be spamming all these different payloads. It'll also try and detect the exceptions coming back and it'll tell you this payload's no good, this one's no good, that one might be useful. It's not meant to be a robust attack tool; it works for most cases. If you have to do something like get a session ID from the server and then replay that in a packet, it's not going to do it, but for that there's another version of SerialBrute in which you basically implement your dispatchPayload method and do whatever you want to do in there, so like I did before: replay the first packet, read two packets back and then replay the payload, or send the payload. SerializationDumper, I released that as well, so if we've got some serialized data we can just pass it through this; it'll dump it in a more human-readable form and we can find a point in that stream where we can inject a payload. And DeserLab, or whatever you want to call it, however you want to pronounce it, is just a demo application, client and server. It does something similar to this Acme Money application, but you can use it to actually try the tools out and see how it works and see if you can exploit something. So I was going to do a demo but I think I'm out of time, so I also didn't have time to go into any conclusion. Any questions?

It's built into Java, it's just easy to use. You don't have to have an extra library, there are no dependencies; you just implement this interface and you go. So that's it, basically; it's easy.

Is it possible to build a gadget chain with classes from the JDK itself, rather than the application's own classes? So I know that there are JDK 7 and JDK 8 pure Java gadgets, but for very, very old versions of the JDK you'd have to really think about it. There's loads of research in this area and it could be quite time-consuming. Some people have built tools that help to find gadgets, and there have been gadgets that work purely using the JDK.

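As an added example (not the speaker's SerializationDumper or SerialBrute, and not part of the talk), the following Python scanner applies the stream layout and indicators the talk walks through from the detection side: it walks a headed stream past any leading block-data elements to the first element that readObject() would instantiate, and it sweeps a packet or HTTP body for the headerless indicators (a class name after "sr", L…; type signatures, the rO0AB base64 prefix) so that a rule does not depend on AC ED 00 05 being in the same packet, which is exactly how the IDS in the story was bypassed. All samples are constructed inline.

```python
"""Scanner for Java serialization streams, following the layout the talk walks
through: magic 0xACED, version 0x0005, then content elements whose first byte
is a TC_* type code. Added example for this page, not the speaker's own
SerializationDumper or SerialBrute."""
import base64
import re
import struct

MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC + STREAM_VERSION 5

# Type codes from java.io.ObjectStreamConstants (Object Serialization Stream Protocol)
TC = {
    0x70: "TC_NULL", 0x71: "TC_REFERENCE", 0x72: "TC_CLASSDESC", 0x73: "TC_OBJECT",
    0x74: "TC_STRING", 0x75: "TC_ARRAY", 0x76: "TC_CLASS", 0x77: "TC_BLOCKDATA",
    0x78: "TC_ENDBLOCKDATA", 0x79: "TC_RESET", 0x7A: "TC_BLOCKDATALONG",
    0x7B: "TC_EXCEPTION", 0x7C: "TC_LONGSTRING", 0x7D: "TC_PROXYCLASSDESC",
    0x7E: "TC_ENUM",
}
# Codes readObject() accepts as a top-level object: 0x70..0x76 and 0x7B..0x7E.
OBJECT_CODES = set(range(0x70, 0x77)) | set(range(0x7B, 0x7F))
# A packaged Java class name, as found after "sr" + 2-byte length in a class descriptor.
CLASSNAME = re.compile(rb"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+")


def walk_top_level(data):
    """Return (offset, code, name) for the leading top-level elements of a headed
    stream. Block-data elements are skipped via their length field; the walk stops
    at the first element readObject() would instantiate, since continuing past an
    object would require parsing its whole class descriptor."""
    if not data.startswith(MAGIC):
        return []
    elements, pos = [], len(MAGIC)
    while pos < len(data):
        code = data[pos]
        elements.append((pos, code, TC.get(code, "UNKNOWN_%02x" % code)))
        if code in OBJECT_CODES:
            break
        if code == 0x77 and pos + 2 <= len(data):      # TC_BLOCKDATA: 1-byte length
            pos += 2 + data[pos + 1]
        elif code == 0x7A and pos + 5 <= len(data):    # TC_BLOCKDATALONG: 4-byte length
            pos += 5 + struct.unpack(">I", data[pos + 1:pos + 5])[0]
        elif code == 0x79:                             # TC_RESET carries no payload
            pos += 1
        else:
            break                                      # malformed or truncated stream
    return elements


def first_object_offset(data):
    """Offset of the first element a readObject() call consumes, i.e. the point at
    which data from the sender is turned into a live object, or None."""
    for offset, code, _ in walk_top_level(data):
        if code in OBJECT_CODES:
            return offset
    return None


def find_indicators(data):
    """Heuristic sweep of a packet or HTTP body for serialization artefacts. It
    deliberately does not depend on the header: an ObjectOutputStream kept open on
    a TCP connection writes AC ED 00 05 once, so later packets carry only content
    elements and a detection rule keyed on the header alone never fires."""
    hits = [("header", m.start()) for m in re.finditer(re.escape(MAGIC), data)]
    hits += [("base64_header", m.start())               # rO0AB... in a cookie or header
             for m in re.finditer(rb"rO0AB[A-Za-z0-9+/]", data)]
    pos = data.find(b"sr")                              # TC_OBJECT TC_CLASSDESC
    while pos != -1:
        if pos + 4 <= len(data):
            n = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            name = data[pos + 4:pos + 4 + n]
            if len(name) == n and CLASSNAME.fullmatch(name):
                hits.append(("object_of_class:" + name.decode(), pos))
        pos = data.find(b"sr", pos + 1)
    hits += [("type_signature:" + m.group(0).decode(), m.start())   # e.g. Ljava/lang/String;
             for m in re.finditer(rb"L(?:[A-Za-z_$][\w$]*/)+[A-Za-z_$][\w$]*;", data)]
    return sorted(hits, key=lambda h: h[1])


# Constructed samples, not captured traffic.
S_STRING = MAGIC + b"\x74\x00\x04test"                                # header, then a String
S_BLOCK = MAGIC + b"\x77\x08" + b"\x00" * 8 + b"\x73\x72\x00\x03a.B"  # block data, then an object
AIH = b"sun.reflect.annotation.AnnotationInvocationHandler"
S_HEADERLESS = b"\x73\x72" + struct.pack(">H", len(AIH)) + AIH        # mid-stream packet, no header
S_BASE64 = base64.b64encode(S_STRING)                                 # as seen in a cookie

if __name__ == "__main__":
    for label, sample in [("string", S_STRING), ("block", S_BLOCK),
                          ("headerless", S_HEADERLESS), ("base64", S_BASE64)]:
        print(label, walk_top_level(sample), first_object_offset(sample), find_indicators(sample))
```

For the block-data sample the first instantiated element sits at offset 14 (4 header + 2 + 8 block bytes), which matches the injection point the talk derives by hand; the headerless sample yields no walk but is still flagged by its class name.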