Object deserialization is an established but poorly understood attack vector in applications that is disturbingly prevalent across many languages, platforms, formats, and libraries.
In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and places they can be found. It covered, among other things, somewhat novel techniques using classes in commonly used libraries for attacking Java serialization that were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques/tools to exploit well known products such as Bamboo, WebLogic, WebSphere, ApacheMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention and great work is being done by many to improve our understanding and developer awareness on the subject.
This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.
http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/226242635/
How to submit a standout Adobe Champion Application
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization
1. Deserialize My Shorts
Or How I Learned to Start Worrying and Hate
Java Object Deserialization
Chris Frohoff (@frohoff)
Gabriel Lawrence (@gebl) (in spirit)
3. 3
snapshots one or more “live”, in-memory objects into a flat, serial stream of data that can be
stored or transmitted for reconstitution and use by a different process or the same process at
some point
Formats
− Binary: Java Serialization, Ruby Marshal, Protobuf, Thrift, Avro, MS-NRBF, Android Binder/Parcel, IIOP
− Hybrid/Other: PHP Serialization, Python pickle, Binary XML/JSON
− Readable: XML, JSON, YAML
Platform/Formats may have multiple implementations and/or sub-formats
Serializing Objects
a.k.a. “marshaling”, “pickling”, “freezing”, ”flattening”
4. 4
Remote/Interprocess Communication (RPC/IPC)
− Communicating data to different system/process
− Wire protocols, web services, message brokers
Caching/Persistence
− Communicating data to process’ future self
− Databases, cache servers, file systems
Tokens
− Communicating data to different system/process and back
− HTTP cookies, HTML form parameters, API auth tokens
Purposes and Mediums
Why and where
6. 6
java.io.ObjectOutputStream java.io.ObjectInputStream
public void writeObject(Object) public Object readObject()
public void writeUTF(String) public String readUTF()
public void writeInt(int) public int readInt()
public void writeFloat(float) public float readFloat()
public void writeBoolean(boolean) public boolean readBoolean()
public void writeByte(byte) public byte readByte()
… …
Java Serialization API
readObject() and writeObject() are open-ended/polymorphic* *yes, that is scary
8. 8
Java Serialized Form
Uncustomized, default, simple (de)serialization
Object serialized form:
− TC_OBJECT (byte, 0x73)
− Class Description (or ref)
− TC_CLASSDESC (byte, 0x72)
− Class Name (String)
− Serial Version UID (long)
− Field Descriptions*
− Field Type Code (byte)
− Field Name (String)
− Field Type (String, for non-primitive)
− Field values*
− [Primitive serialized form] | [Object serialized form] | ref
− Causes recursive calls to writeObject()/readObject() or read*()/write*()
• Refs: Later representations of
same object substituted with
incrementing “handles” to save
space and preserve referential
relationships
• TC_REFERENCE (byte, 0x71)
• Handle number (int)
• > 0x7e0000
• Field Type Codes:
'B'=byte, 'C'=char, 'D'=double,
'F'=float, 'I'=int, 'J'=long,
'L'=class/interface, 'S'=short,
'Z'=boolean, '['=array,
9. 9
Must implement java.io.Serializable (or java.io.Externalizable) interface
− Including all nested values
Serializable classes must have access to no-arg ctor of first non-Serializable superclass
− Uses bytecode magic to circumvent normal instantiation requirements (MagicAccessorImpl)
Skips fields marked with “transient” keyword
Serial Version UIDs in serialized form and target deserialized class must match
− By default implicitly generated based on class structure
− Can be explicitly defined in class if responsible for own serialized for compatibility
Supports java.lang.reflect.Proxy instances
− Runtime generated class with interfaces implemented and java.lang.reflect.InvocationHandler
− Serialized form includes (Serializable) InvocationHandler instance and interfaces
Java Serialization Caveats
19. 19
java.io.Serializable
− void writeObject(ObjectOutputStream): customize object serialization
− Use ObjectOutputStream write*(), defaultWriteObject(), and/or putFields()
− void readObject(ObjectInputStream): customize object deserialization
− Use ObjectInputStream read*(), defaultReadObject(), and/or readFields()
− Object writeReplace(): provide stand-in object for serialization
− Object readResolve(): provide stand-in object for deserialization
java.io.Externalizable: fully customized and explicit serialization
− void readExternal(ObjectInput): manually read fields from stream
− void writeExternal(ObjectOutput): manually write fields to stream
Customizing Java Serialization
Implement interfaces/methods on class to be (de)serialized
20. 20
Java Serialization Stream Header
− 0xACED 0x0005 …
− “rO0AB…”
GZIP Header
− 0x1F8B 0x0800 …
− “H4sIA…”
Anywhere you see a fully qualified class name
− org.apache.commons.collections.functors.InvokerTransformer
Some sequences to recognize
22. 22
Code reuse attack (a la ROP)
Uses “gadget” classes already in scope of application
Create chain of instances and method invocations
− Start with “kick-off” gadget that executes during or after deserialization
− End in “sink” gadget that executes arbitrary code/commands
− Use other “helper” gadgets to chain start gadget execution to end gadget
Serialize chain and send to vulnerable deserialization in application
Chain executed in application during/after deserialization
Profit
Property-Oriented Programming / Object Injection
Earliest POP research we
found was by Stefan Esser
(@i0n1c), “Utilizing Code
Reuse/ROP in PHP
Application Exploits"
23. 23
Rube-Goldberg-esque
Gadget chains are generally carrier-medium, application, and OS/platform agnostic
− Relies only on code available to application
− Not necessarily code used by application
Gadget Classes
− Target common libraries/frameworks. Library sprawl FTW.
− “Proxy” gadgets versatile
− Deserialization hook methods for self-execution
Gadget hunting and chain construction is an art
− Can be frustrating and tedious
− Rich IDEs help, but custom tools are better
− https://github.com/frohoff/inspector-gadget (out of scope for talk)
Property-Oriented Programming / Object Injection
24. 24
A Simple Java Gadget Chain
ObjectInputStream.readObject()
“calc.exe”
29. 29
Time-Lapse of Deserialization
CommandTask instance allocated and referenced by CacheManager.initHook field
CacheManager
ObjectInputStream
readObject()
readObject()
defaultReadObject()
CommandTask
run()
32. 32
Time-Lapse of Deserialization
Target program run
CacheManager
ObjectInputStream
readObject()
readObject()
defaultReadObject()
CommandTask
run()
Runtime
exec()
“calc.exe”
33. 33
Target java.lang.Runtime.exec(String cmd)
Uses gadgets in JDK and Apache Commons-Collections library
Self-executing during deserialization
− Executes before object returned to caller
A Java + Commons-Collections Gadget Chain
Similar POP techniques previously applied to
Java Serialization by Wouter Coekaerts
(@WouterCoekaerts) and implemented by
Alvaro Muñoz (@pwntester)
42. 42
Imperfect Mitigations
Cover in more detail later to include new information
− Look-ahead deserialization with custom ObjectInputStream subclass
− Apply SecurityManager only during deserialization
48. 48
Other languages/platforms
− PHP unserialize()
− Python pickle
− Ruby/Rails deserialization fiasco (YAML, XML, JSON, Marshal)
− Recent stuff: “Instagram’s Million Dollar Bug”
Java
− JSF EL Injection
− Recent stuff: “RCE in Oracle NetBeans Opensource Plugins”, “Reliable OS Shell with EL Injection”
− Commons FileUpload
− XMLDecoder/Xstream/Kryo
− Recent stuff: “Serialization Must Die”
− Recent Serializable: SerialDOS
Only covering Remote Code Execution via Java Serializable/Externalizable API today
− Original AppSecCali 2015 “Marshalling Pickles” talk covers some of the others
Out-of-scope related must-see/read stuff
Google or see references
53. 53
? ?: Many JSF impls without encryption/signing enabled
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
Timeline of Java Serializable Pwnage
Vulnerable (or Likely) Products/Projects Gadgets/Chains
2011/9/9 Wouter Coekaerts: Spring AOP
* very much not to scale
54. 54
? ?: Many JSF impls without encryption/signing enabled
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
Timeline of Java Serializable Pwnage
Vulnerable (or Likely) Products/Projects Gadgets/Chains
2011/9/9 Wouter Coekaerts: Spring AOP
* very much not to scale
58. 58
2015/1/28 — Marshalling Pickles, ysoserial
Gabe Lawrence (@gebl) and Chris Frohoff (@frohoff) — AppSec California 2015
59. 59
2015/1/28 — Marshalling Pickles, ysoserial
Gabe Lawrence (@gebl) and Chris Frohoff (@frohoff) — AppSec California 2015
60. 60
? ?: Many JSF impls without encryption/signing enabled
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
Timeline of Java Serializable Pwnage
Vulnerable (or Likely) Products/Projects Gadgets/Chains
2011/9/9 Wouter Coekaerts: Spring AOP
2015/1/28 @frohoff: Commons Collections, Groovy, Spring Beans/Core
* very much not to scale
61. 61
? ?: Many JSF impls without encryption/signing enabled
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
Timeline of Java Serializable Pwnage
Vulnerable (or Likely) Products/Projects Gadgets/Chains
2011/9/9 Wouter Coekaerts: Spring AOP
2015/1/28 @frohoff: Commons Collections, Groovy, Spring Beans/Core
* very much not to scale
83. 83
Recent — Qualcomm Red Team Exercise
A colleague tried something new
Performed some new targeted scanning on internal network
Scripted ysoserial against various listeners
− Attempted multiple payload types
− Executed DNS lookup (logged at DNS server) with name of payload type
Results
− Discovered undisclosed vulnerabilities in 6 products (i.e. 0days)
88. 88
Fundamental vulnerability is in doing unsafe deserialization, not in having gadgets available
More will be always found
Transitive dependencies cause library sprawl
Cross-library gadget chains
Auto-detection difficult
Gadget Whack-a-Mole
DO NOT rely on this!
91. 91
Avoid open-ended (de)serialization when possible
− If the serialization includes a class name, it’s probably bad
− ObjectInputStream.readObject() is not safe
− Lots of non-open-ended JVM serialization frameworks available
− https://github.com/eishay/jvm-serializers/wiki
Simple format and/or data types
− Strings, Numbers, Arrays, Maps, etc.
− Manually serialize complex objects
Keep session state on the server when possible
− Beware of lateral attacks! (memcached, redis, database, etc.)
Abstenence
Avoid magic
92. 92
Whitelist/Blacklist classes
− Use subclass of ObjectInputStream0
− override resolveClass() to allow/disallow classes
− http://www.ibm.com/developerworks/library/se-lookahead/
− Blacklisting ≈ Gadget whack-a-mole
− Difficult without robust library support
− Runtime Agents can help
− Strip Serilaizable/Externalizable interfaces from classes
− Instrument native ObjectInputStream.resolveClass()
− Subclass circumventable by “bypass gadgets”
Restrict Deserialization
Use with Caution. This is a band-aid.
93. 93
Encryption != Authentication
− See JSF Padding Oracle attacks
Authenticate channels
− TLS Client Certs, SASL, DB/Cache/Broker credentials
Authenticate content
− HMAC or Authenticated Encryption with secret key
Must be verified pre-deserialization!
− Don’t read credentials with readObject()
− readUTF() is probably OK
Pro-tip: Don’t leak crypto keys!
− Path traversal
− Default key or key committed to source control
Authenticate
Trust Verify
94. 94
Strict firewall rules for deserializing listeners
Sandboxing/Hardening
− Java SecurityManager
− Transient usage can by circumvented by “deferred execution bypass gadgets”
− AppArmor/SELinux
− Docker containers
− Block (or whitelist) forking processes,
file/network I/O
Security-in-depth
Assume breach of defenses
95. 95
Find more unsafe deserialization
− Watch products with naïve mitigations
Find more gadgets/chains
Gadget finding tool improvements
Explore mediums, platforms, formats, implementations
Help with ysoserial
− Has become more active
− Needs contributors
− Lots of work to be done
Great Job Everyone…but you’re not done
Continue pwning all the things
97. 97
Stefan Esser, 2009/11/1, Shocking News in PHP Exploitation
− https://www.nds.rub.de/media/hfs/attachments/files/2010/03/hackpra09_fu_esser_php_exploits1.pdf
David Byrne, Rohini Sulatycki, 2010/6/21, Beware of Serialized GUI Objects Bearing Data
− https://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf
Stefan Esser, 2010/7/29, Utilizing Code Reuse/ROP in PHP Application Exploits
− https://www.owasp.org/images/9/9e/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf
Wouter Coekaerts, 2011/9/9, Spring Vulnerabilities
− http://wouter.coekaerts.be/2011/spring-vulnerabilities
Charlie Sommerville, 2013/1/10, Rails 3.2.10 Remote Code Execution
− https://github.com/charliesome/charlie.bz/blob/master/posts/rails-3.2.10-remote-code-execution.md
Arseniy Reutov, 2013/5/28, PHP Object Injection Revisited
− https://prezi.com/5hif_vurb56p/php-object-injection-revisited/
Stephen Coty, 2013/6/14, Writing Exploits for Exotic Bug Classes: unserialize()
− https://www.alertlogic.com/blog/writing-exploits-for-exotic-bug-classes/
Ben Murphy, 2013/6/23, Property Oriented Programming Applied to Ruby
− http://slides.com/benmurphy/property-oriented-programming#/
Robert Heaton, 2013/7/22, How to hack a Rails app using its secret_token
− http://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/
Dinis Cruz, 2013/8/6, Using XMLDecoder to execute server-side Java Code on an Restlet application
− http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
Past Work / References
98. 98
Abraham Kang, Dinis Cruz, Alvaro Munoz, 2013/8/6, RESTing on your laurels will get you pwned
− http://www.slideshare.net/DinisCruz/res-ting-on-your-laurels-will-get-you-powned4-3
Tom Van Goethem, 2013/9/11, WordPress < 3.6.1 PHP Object Injection
− https://vagosec.org/2013/09/wordpress-php-object-injection/
David Jorm, 2013/11/20, Java Deserialization Flaws: Part 1, Binary Deserialization
− https://securityblog.redhat.com/2013/11/20/java-deserialization-flaws-part-1-binary-deserialization/
Alvaro Munoz, 2013/12/16, CVE-2011-2894: Deserialization Spring RCE
− http://pwntester.com/blog/2013/12/16/cve-2011-2894-deserialization-spring-rce/
Dinis Cruz, 2013/12/22, XStream "Remote Code Execution" exploit on code from "Standard way to serialize and deserialize Objects
with XStream" article,
− http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
David Jorm, 2014/1/23, Java deserialization flaws: Part 2, XML deserialization
− https://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/
Johannes Dahse, Nikolai Krein, Thorsten Holz, 2014/11/3, Code Reuse Attacks in PHP: Automated POP Chain Generation
− https://websec.files.wordpress.com/2010/11/rips_ccs.pdf
− http://syssec.rub.de/media/emma/veroeffentlichungen/2014/09/10/POPChainGeneration-CCS14.pdf
Renaud Dubourguais, Nicolas Collignon, 2013, JSF ViewState upside-down
− http://www.synacktiv.com/ressources/JSF_ViewState_InYourFace.pdf
Gabe Lawrence, Chris Frohoff 2015/1/28, Marshalling Pickles
− http://frohoff.github.io/appseccali-marshalling-pickles/
Past Work / References
99. 99
Matthias Kaiser, 2015/10/28, Exploiting Deserialization Vulnerabilities in Java
− http://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478
− https://www.youtube.com/watch?v=VviY3O-euVQ
Stephen Breen, 2015/11/6, What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This
Vulnerability.
− http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
Bernd Eckenfels, Gary Gregory, 2015/11/10, Apache Commons statement to widespread Java object de-serialisation vulnerability
− https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
@Zerothoughts, 2016/1/21, Fun with JNDI remote code injection, Spring framework deserialization RCE
− http://zerothoughts.tumblr.com/post/137769010389/fun-with-jndi-remote-code-injection
− http://zerothoughts.tumblr.com/post/137831000514/spring-framework-deserialization-rce
Laksh Raghavan, 2016/1/21, Lessons Learned from the Java Deserialization Bug
https://www.paypal-engineering.com/2016/01/21/lessons-learned-from-the-java-deserialization-bug/
Michael Stepankin, 2016/1/25, PayPal Remote Code Execution Vulnerability
− http://artsploit.blogspot.com/2016/01/paypal-rce.html
Alvaro Muñoz, Christian Schneider, 2016/3/4, Serial Killer: Silently Pwning Your Java Endpoints , Perils of Java Deserialization
− http://rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
− http://community.hpe.com/t5/Security-Research/The-perils-of-Java-deserialization/ba-p/6838995
2016/3/14 Gabe Lawrence, Deserialization is bad, and you should feel bad
− http://www.meetup.com/OWASP-Cork/events/229340488/
Past Work / References
100. 100
For more information on Qualcomm, visit us at:
www.qualcomm.com & www.qualcomm.com/blog
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries.
Other products and brand names may be trademarks or registered trademarks of their respective owners
Thank you
Follow us on:
Gabe Lawrence
gabe@qualcomm.com
@gebl
Chris Frohoff
cfrohoff@qualcomm.com
@frohoff