[In]secure Deserialization, and how [not] to do it

here is Alexi he began his career as a software developer a decade later he realized that breaking code was made way more fun than writing code and decided to switch direction so he is now a full-time application security professional with several years of assisting various development teams in delivering secure code as well as security consulting his he currently works as a senior product security engineer for Salesforce and occasionally speaks at local security events and global conferences thank you hi everyone yeah last talk of the day yeah all right let's go so when I started looking into this topic of of this realization about a year ago I thought it was kind of boring but then I started reading all

these information on the internet and realized that man that's a lot it's just too much so my company asked me to prepare a little like educational material for our clients on digitalization and that's why I started even looking into it but you know all these information out there is just overwhelming and it's just lots of different languages lots of different frameworks lots of different ways to exploit and to protect and they might be very very specific to a particular system so today we're not gonna talk about all that stuff I'm gonna give you just a little snapshot like an overview of what that is and actually my favorite part of this presentation is the demos

and I hope they all work you're there in the back of the room you might want to move closer to see the stuff on the screen alright let's let's start just in a few words what what is this civilization imagine you have some kind of a program with an object in its memory and you want to send that object maybe to a different program so the way it's normally done that object is converted to a stream of bytes that you can send over any media and then on the other end is converted back from the by stream to an internal representation of the object so the first the first one is called serialization and the second one is

called D serialization it's very simple concept there are some binary serialization formats and those are normally related to languages that support civilization natively like Java Python or dotnet but they're also human readable formats like XML JSON or any xml-based formats where you you you see this kind of structured data and you can even read it and understand what it is of course this is just a very small subset in reality there are many many more formats and again we're not going to talk about them but you can go to Wikipedia so with that let's move to our demos and the first one is a cookie so this application is written in nodejs for my demos I try to use different

languages so this one is no js' and it has two parts one is one is insecure and when we click there we got a cookie here it is and it looks like a base64 encoded data right so let's go and try to understand I need to replace these two characters okay decode alright it's a very simple JSON object okay and what it tells me and I think you agree that it probably describes who the user is and what their role is so what if we just replace something like I'm going to replace administrator sorry anonymous with admin okay looks better now right and I'm going to base64-encoded and here's my new value so let me try to give it back to to the

server so I'm replacing this cookie in the browser and refresh the page and now I'm the admin so very simple right it's it's really basic stuff but the problem here is that the application doesn't really make any checks just trust the user so when we go to the secure section we got a cookie again and it begins in a very similar way but it's actually much longer and it's actually consists of two parts separated by a dot here I don't know if you can see it but the first part is our JSON and the second part is an H Mac it's a cryptographic thing thingy that he use to authenticate your data so if I try to

replace that JSON and refresh the page I'm kicked out because the that H mag does not verify oh that's much better so of course no integrity no security so go ahead when you when you think that you receive in data that might have passed through somebody that you don't trust always have something that you can validate let's move to a more interesting example I have a tomcat server that runs obviously a java application and suppose I want to contract the factory to to build something so I go to factory in order a million iPhones cool and they build it like that so they send me back that package I'm gonna save it and then I'm gonna go so now now that I

have they got the items I want to sell them so I'm I'm sending them to the store so this is the store that sells all the things so I give them this iPhone package and they instantly sold 1 million iPhones and I got the profit let's try something else Tesla I think 1 million counterfeit justice would be too much so let's dial it down and try to sell them and they sold 100 Tesla's awesome so let's take a look at that have those objects and trying to understand them the file command on Linux tells me that serialized Java data and that's actually is because I wrote it so is there anything that can go wrong with this of

course the answer is yes so let's let's say I go the factory not real factory about the bad one the malicious one called Hector II and instead of iPhones and Tesla's they send me some different things I'm gonna store them all on the disk and I'm gonna try to sell them so again I'm not the victim here I'm just passing them through ok well maybe I don't get the profits but it's alright so I first of all I try to sell this strain object and I get a Java exception great right because 3 is not what they expect and well they didn't handle expect exception here but at least they did not like I did not share that box but let's see

where the exception was thrown it was thrown on line 21 of that file and on that line we use the Java function called read object that's the one that does the civilization and then we cast the result to the to the class that we expect right the class is called items but if you read the exception carefully it says that string cannot be cast to cost items which suggests that the digitalization actually did occur we got the result from read object and that's where we failed on casting so if anything goes wrong why something really bad goes wrong during the serialization we're not gonna be able to catch it because it will be too late so to prove

my point let's try to sell a couple of other things so the 64 gigabyte nest nested object whatever there is now a instead of an exception I get connection reset which kind of suggests that the thread just crashed and in fact it did because that little object and it's it's really not that large it's 100 bytes but when this utilized the JVM try to allocate 64 gigabytes of memory and I don't have that much memory here on this machine let's try to sell something else how about this CPU bomb payload and I just put the sell button and I'm not getting anything it just sits here and does something so it seems like it's hanging

but but I hear my CPU fan going up it's pretty loud so what's going on let's go to this virtual machine that runs this Tomcat server and run the top command and here in the first line you can see that Java process is using 100% of the CPU and if you'll see it here forever and what is this process of course 1/7 it's our Tomcat server and the only option I have at this point is to kill it

because it's gonna sit there forever spinning in my CPU let's restart the server if we can I hope you can yeah okay it's back so what just happened this little object again it's just 100 bytes but when this you realized it has something in it that tells JVM allocate 64 gigs of memory and JVM refuses this one on the left is a structure it's 100 levels deep and it's a it's actually hash set with more hash sets and it's finite right it's only 100 level Z but JVM has a huge issue with it it's is it goes and some kind of an infinite loop and it will never return it will just try to build that tree or whatever okay

how can we protect let's go to our secure store and try to sell those things first of all let's try to sell iPhones and they can still do that let's try to sell 64 gig object and now we got a nice error message saying that Java object is not something that you would sell awesome and same with the CPU bomb it's a hash set and we not going to process hair set so they actually whitelist the the class types that they going to destabilize here they would reject anything else cool yes yes the question is how do they do that the answer is here you can override a certain class in Java and and here you

can check the name of the class on your input with the name of the class that you expect to see so that's the recommendation given by over a span bunch of other sources yes yes there is extra functionality for it to to detect and fail gracefully returned a nice exception that will be this one in this case and that will be handled okay next one well poison a denial-of-service might be a great goal but most of the times you won't remote execution on the server so let's see how we can do it in this case with Python this is a very simple application doesn't do much but it gives me back a session cookie and

what is this session cookie again it seems like a base64 encoded object and since this application has written Python I might assume that has something to do with Python so let's see if I can analyze it I need to basics before decoded first and I'm gonna write it a foul because it's it's some kind of binary I wrote it you file and then I have a little program that DC realizes and prints the output to me so again it's a very simple python dictionary again with some role and and user name whatever and again I can probably spoof the role here but that's not what I'm after what I'm after is in Python when he used its standard

serialization mechanism called pickle you can define a class with a method called underscore underscore reduce underscore underscore and whenever you serialize and deserialize such class this method gets executed so if everything goes well when this is this realized it's going to run OS command in this case it's a net cat and I should back I should get a reverse shell alright let's let's give it a try there's my pillow generator and generate it a Python object which this application will just accept because it doesn't have any checks bad for them but before i refresh my page i want to start an netcat listener on this machine refresh go back and i immediately got a connection from somewhere and it appears

to be a shell and i am a root so this application is not configured well either and I can do whatever I want

unfortunately in Python there is no really way to protect against this so don't use visualization by them unless you trust the source cool let's switch gears a little bit and talk about some well known vulnerabilities in the past years and what I'm gonna name talk about some companies here it's not I'm not talking about them a negative way because digitalization is hard so first one is in Apache Commons collections which was not really in a batch ecommerce collections but it made a lot of noise four years ago when somebody found what is known as a punchy comments gadget chain and when your web application is dis utilizes an object with this kind of chain and it has

Apache Commons library on its class path we talking about Java applications that gadgets chain might cause code execution or can do anything else and here is a sample call stack or culture e of the method calls that occur during this kind of digitalization as you can see on the bottom the ultimate goal is to get runtime and call exec yeah so the again like I said is a problem with the pancha comments no the problem is with the web application which is not this turtle dis realizing in a safe way but during those events four years ago big companies pressured Apache project and they had to fix the library so the issue the fix for

Apache Commons collections but they made a statement that this is not our problem we do it but you need to take care of your applications because if any other one of these library X Y or Z has similar issues you're still vulnerable makes sense right ok next one was an Apache struts a couple years ago this is X the civilization but the payload this is the payload which is wrapped in HTTP request has some Java code in it and you can easily recognize it and again the the goal here is to get Java Runtime or in this case this process builder any pass a string to you and gets executed another similar one in Oracle WebLogic

this is soap which is xml base and same pretty much same thing you get process builder you execute come in and apparently oracle weblogic had several issues over the years and if you go to a Metasploit this is a these are all the known exploits there in WebLogic the related to the serialization like they had one each year since 2015 a lot of fun not really but i hope they got it right and we're not gonna see the next one in 2020 alright cyber-ark is is a security product it's like your enterprise levels level password manager which keeps all the credentials safe and they have a really nice web access API which is REST API and of course it's

protected by authentication token but that token happens to be a serialized dotnet object nothing wrong with that really but they didn't have any integrity protection meaning you could spoof it not just that they didn't have any class type validation meaning you could submit any dotnet object of any class and they would process it which led to dotnet gadget chain similar to that Java gadget chain in Apache Commons and which led to remote code execution somebody found it and they contacted the vendor they fixed it and the hackers published the exploit and this is the whole exploit you run a utility to generate payload and you run a curl command just send that payload to the

server and that's it is it difficult to do No in fact you're gonna do it right now if I can find my window okay I don't have cyber-ark so I had to write my own application and all similarities are purely unintentional it's called cyber Park and it has one REST API endpoint and when you go to it without any parameters it just returns a sample value to you so let's do it from the command line a lot of command line all right so this is that sample value which says hey this is sample authorization value so we're going to submit that value as authorization header if I can find okay here it is and it processes it and returns the object

to us it says the best awesome but I told you that you're gonna exploit it in real way so we're gonna run that utility called wiser serial exe this is actually why see all that net but it exists executable on Windows ok and we generate an object that will supposedly run Cal kxe every hacker wants to run calculator and we're gonna wrap that payload in authorization header right here right and send it to our application and we got an exception there like a huge exception but we got our calculator

okay so as an attacker as a pen tester what are the tools that you can use to try insecurity realization so first of all you might want to reverse engineer things you probably want to understand what the software is doing and whether it even has utilized objects and there are certain signatures like Java utilized object has a certain five bytes in base64 that you can just grab for same is true for dotnet there is tool called voice of serial it was originally written four years ago to generate exploits against Apache Commons collections I cannot recommend it enough it's a great tool if you're working with job applications since then it got a whole bunch of other exploits and

different libraries and I did use it on engagements and it works really well a similar tool for dotnet which we just used two minutes ago bellow generation for that net also awesome tool there are some burp extensions if using burp that will help you analyze serialized data and maybe even modify them and resubmit and of course you might in many cases you may have to write your own code which is okay because you can copy and paste from stack overflow right so take your ways this realization is awesome well but it can be dangerous right so don't use it I mean no well there are legitimate uses and if you trust is the source okay you can you can do it if you

do validation if you attach a CH Mac and you discard anything that that ashmac where ich mag does not compute then that's fine okay but if you do it in securely bed visualization can cause you all kinds of issues like from broken authentication authorization privilege escalation denial of service and even the ultimate goal of every hacker remote code execution and remember the third-party components can be vulnerable so even if your program is okay that little open-source cool library might have something in it that is not that good all this code that I show you today is on github and you can use it feel free to use it it's very easy to use you just need to have VirtualBox and

vagrant and you run one vagrant command and 20 minutes later you have a virtual machine with all this code running except for Windows you have to set up your own Windows machine for that you can compact me on Twitter or LinkedIn and thank you