
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

Apr 14, 2017

Transcript
Page 1: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

Deserialize My Shorts

Or How I Learned to Start Worrying and Hate

Java Object Deserialization

Chris Frohoff (@frohoff)

Gabriel Lawrence (@gebl) (in spirit)

Page 2

@gebl spreading The Good Word abroad

OWASP Cork, Ireland Chapter Meeting 2016/3/14

Page 3

Serializing Objects

a.k.a. “marshaling”, “pickling”, “freezing”, “flattening”

Serializing objects snapshots one or more “live”, in-memory objects into a flat, serial stream of data that can be stored or transmitted for reconstitution and use by a different process, or by the same process at some later point.

Formats

− Binary: Java Serialization, Ruby Marshal, Protobuf, Thrift, Avro, MS-NRBF, Android Binder/Parcel, IIOP

− Hybrid/Other: PHP Serialization, Python pickle, Binary XML/JSON

− Readable: XML, JSON, YAML

Platforms/formats may have multiple implementations and/or sub-formats

Page 4

Purposes and Mediums

Why and where

Remote/Interprocess Communication (RPC/IPC)

− Communicating data to a different system/process

− Wire protocols, web services, message brokers

Caching/Persistence

− Communicating data to the process’ future self

− Databases, cache servers, file systems

Tokens

− Communicating data to a different system/process and back

− HTTP cookies, HTML form parameters, API auth tokens

Page 5

Crash Course: Java (de)serialization

Page 6

Java Serialization API

java.io.ObjectOutputStream            java.io.ObjectInputStream
public void writeObject(Object)       public Object readObject()
public void writeUTF(String)          public String readUTF()
public void writeInt(int)             public int readInt()
public void writeFloat(float)         public float readFloat()
public void writeBoolean(boolean)     public boolean readBoolean()
public void writeByte(byte)           public byte readByte()
…                                     …

readObject() and writeObject() are open-ended/polymorphic*

* yes, that is scary

Page 7

Java Serialized Form

Uncustomized, default, simple (de)serialization

Stream starts with magic & version:

− ObjectStreamConstants.STREAM_MAGIC (short, 0xACED)

− ObjectStreamConstants.STREAM_VERSION (short, 0x0005)

Polymorphic values’ serialized form is prefixed with a “type code”:

− ObjectStreamConstants.TC_*: 0x70-0x7E

− TC_NULL=0x70, TC_REFERENCE=0x71, TC_CLASSDESC=0x72, TC_OBJECT=0x73, TC_STRING=0x74, TC_ARRAY=0x75, TC_CLASS=0x76, TC_LONGSTRING=0x7C, TC_PROXYCLASSDESC=0x7D, TC_ENUM=0x7E

String (UTF-8) serialized form:

− String length (int), String bytes*

Boolean serialized form:

− value (byte, 1=True, 0=False)

Page 8

Java Serialized Form

Uncustomized, default, simple (de)serialization

Object serialized form:

− TC_OBJECT (byte, 0x73)

− Class Description (or ref)

  − TC_CLASSDESC (byte, 0x72)

  − Class Name (String)

  − Serial Version UID (long)

  − Field Descriptions*

    − Field Type Code (byte)

    − Field Name (String)

    − Field Type (String, for non-primitive)

− Field values*

  − [Primitive serialized form] | [Object serialized form] | ref

  − Causes recursive calls to writeObject()/readObject() or read*()/write*()

• Refs: later representations of the same object are substituted with incrementing “handles” to save space and preserve referential relationships

  • TC_REFERENCE (byte, 0x71)

  • Handle number (int)

    • > 0x7e0000

• Field Type Codes: 'B'=byte, 'C'=char, 'D'=double, 'F'=float, 'I'=int, 'J'=long, 'L'=class/interface, 'S'=short, 'Z'=boolean, '['=array

Page 9

Java Serialization Caveats

Must implement the java.io.Serializable (or java.io.Externalizable) interface

− Including all nested values

Serializable classes must have access to the no-arg ctor of the first non-Serializable superclass

− Uses bytecode magic to circumvent normal instantiation requirements (MagicAccessorImpl)

Skips fields marked with the “transient” keyword

Serial Version UIDs in the serialized form and in the target deserialized class must match

− By default implicitly generated based on class structure

− Can be explicitly defined in the class if the class takes responsibility for its own serialized-form compatibility

Supports java.lang.reflect.Proxy instances

− Runtime-generated class with the implemented interfaces and a java.lang.reflect.InvocationHandler

− Serialized form includes the (Serializable) InvocationHandler instance and the interfaces

Page 10-18

Java Serialization Format

0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65  ....sr..SomeObje
0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a  cto......%...I..
0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d  SomeNumberL..Som
0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f  eStringt..Ljava/
0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000  lang/String;xp..
0000050: 0001 7400 0548 656c 6c6f                 ..t..Hello

Slides 11 to 18 step through the same dump, highlighting in stream order:

− ac ed 00 05: final static short STREAM_MAGIC = (short)0xaced; final static short STREAM_VERSION = 5;

− 73: final static byte TC_OBJECT = (byte)0x73;

− 72: final static byte TC_CLASSDESC = (byte)0x72;

− 00 0a “SomeObject”: className:(utf)

− 6f d1 f1 04 c2 d9 85 25: Serial Version UID (long); 02 00 02: class descriptor flags, field count

− 49 00 0a “SomeNumber”: primitiveDesc:prim_typecode fieldName ('I' = int)

− 4c 00 0a “SomeString” 74 00 12 “Ljava/lang/String;”: objectDesc:obj_typecode fieldName className1

− 78 70: end of class descriptor, no superclass descriptor

− 00 00 00 01: value for SomeNumber

− 74 00 05 “Hello”: final static byte TC_STRING = (byte)0x74; TC_STRING newHandle (utf)

Page 19

Customizing Java Serialization

Implement interfaces/methods on the class to be (de)serialized

java.io.Serializable

− void writeObject(ObjectOutputStream): customize object serialization

  − Use ObjectOutputStream write*(), defaultWriteObject(), and/or putFields()

− void readObject(ObjectInputStream): customize object deserialization

  − Use ObjectInputStream read*(), defaultReadObject(), and/or readFields()

− Object writeReplace(): provide a stand-in object for serialization

− Object readResolve(): provide a stand-in object for deserialization

java.io.Externalizable: fully customized and explicit serialization

− void readExternal(ObjectInput): manually read fields from the stream

− void writeExternal(ObjectOutput): manually write fields to the stream

Page 20

Some sequences to recognize

Java Serialization Stream Header

− 0xACED 0x0005 …

− “rO0AB…”

GZIP Header

− 0x1F8B 0x0800 …

− “H4sIA…”

Anywhere you see a fully qualified class name

− org.apache.commons.collections.functors.InvokerTransformer

Page 21

Page 22

Property-Oriented Programming / Object Injection

Code reuse attack (à la ROP)

Uses “gadget” classes already in scope of the application

Create a chain of instances and method invocations

− Start with a “kick-off” gadget that executes during or after deserialization

− End in a “sink” gadget that executes arbitrary code/commands

− Use other “helper” gadgets to chain the start gadget’s execution to the end gadget

Serialize the chain and send it to the vulnerable deserialization in the application

Chain executed in the application during/after deserialization

Profit

Earliest POP research we found was by Stefan Esser (@i0n1c), “Utilizing Code Reuse/ROP in PHP Application Exploits”

Page 23

Property-Oriented Programming / Object Injection

Rube-Goldberg-esque

Gadget chains are generally carrier-medium, application, and OS/platform agnostic

− Rely only on code available to the application

− Not necessarily code used by the application

Gadget Classes

− Target common libraries/frameworks. Library sprawl FTW.

− “Proxy” gadgets are versatile

− Deserialization hook methods for self-execution

Gadget hunting and chain construction is an art

− Can be frustrating and tedious

− Rich IDEs help, but custom tools are better

− https://github.com/frohoff/inspector-gadget (out of scope for talk)

Page 24

A Simple Java Gadget Chain

(diagram: ObjectInputStream.readObject() … “calc.exe”)

Page 25-32

Time-Lapse of Deserialization

(diagram built up over eight slides; the step captions, in order:)

− ObjectInputStream.readObject() called

− CacheManager instance allocated

− CacheManager.readObject() called

− ObjectInputStream.defaultReadObject() called

− CommandTask instance allocated and referenced by CacheManager.initHook field

− CommandTask.run() called

− Runtime.exec() called

− Target program run

Diagram participants: ObjectInputStream (readObject(), defaultReadObject()), CacheManager (readObject()), CommandTask (run()), Runtime (exec()), “calc.exe”

Page 33

A Java + Commons-Collections Gadget Chain

Target java.lang.Runtime.exec(String cmd)

Uses gadgets in the JDK and the Apache Commons-Collections library

Self-executing during deserialization

− Executes before the object is returned to the caller

Similar POP techniques were previously applied to Java Serialization by Wouter Coekaerts (@WouterCoekaerts) and implemented by Alvaro Muñoz (@pwntester)

Page 34

Call Chain

Page 35

Gadget Chain Construction Code and Call Tree

Page 36

Demos

Page 37

ysoserial

A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization

Contains multiple gadget chain payloads and a few exploits

Create payload to execute calc.exe using CommonsCollections1 chain:

$ java -jar ysoserial-0.0.1-all.jar CommonsCollections1 calc.exe | xxd | head -3
0000000: aced 0005 7372 0032 7375 6e2e 7265 666c ....sr.2sun.refl
0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41 ect.annotation.A
0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174 nnotationInvocat

$ java -jar ysoserial-0.0.1-all.jar CommonsCollections1 calc.exe > payload.bin
$ cat payload.bin | nc somehost 5555

Send exploit payload to RMI Registry listener:

$ java -cp ysoserial-0.0.1-all.jar ysoserial.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe

Page 38

Code Execution via Java Serializable

JSF (MyFaces) ViewState form parameters deserialized

Page 39

Page 40

RMIRegistry

Page 41

Page 42

Imperfect Mitigations

Covered in more detail later, including new information

− Look-ahead deserialization with a custom ObjectInputStream subclass

− Apply a SecurityManager only during deserialization

Page 43

This is not a new problem

Page 44

This is not a language problem

Page 45

This is not a format problem

Page 46-47

We have trust issues.

Page 48

Out-of-scope related must-see/read stuff

Google or see references

Other languages/platforms

− PHP unserialize()

− Python pickle

− Ruby/Rails deserialization fiasco (YAML, XML, JSON, Marshal)

− Recent stuff: “Instagram’s Million Dollar Bug”

Java

− JSF EL Injection

− Recent stuff: “RCE in Oracle NetBeans Opensource Plugins”, “Reliable OS Shell with EL Injection”

− Commons FileUpload

− XMLDecoder/XStream/Kryo

− Recent stuff: “Serialization Must Die”

− Recent Serializable: SerialDOS

Only covering Remote Code Execution via the Java Serializable/Externalizable API today

− Original AppSecCali 2015 “Marshalling Pickles” talk covers some of the others

Page 49

Page 50

2011/9/9 — Spring Vulnerabilities

Wouter Coekaerts (@WouterCoekaerts)

Page 51

2011/9 — 2013/3 (18 months)

Page 52

2013/03/05 — IBM Cognos BI RCE

Pierre Ernst

Page 53-54

Timeline of Java Serializable Pwnage

Vulnerable (or Likely) Products/Projects:

− ? ?: Many JSF impls without encryption/signing enabled

− 2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858

Gadgets/Chains:

− 2011/9/9 Wouter Coekaerts: Spring AOP

* very much not to scale

Page 55

2013/3 — 2013/12 (9 months)

Page 56

2013/12/16 — Deserialization Spring RCE

Alvaro Muñoz (@pwntester)

Page 57

2013/12 — 2015/1 (14 months)

Page 58-59

2015/1/28 — Marshalling Pickles, ysoserial

Gabe Lawrence (@gebl) and Chris Frohoff (@frohoff) — AppSec California 2015

Page 60-61

Timeline of Java Serializable Pwnage

Vulnerable (or Likely) Products/Projects:

− ? ?: Many JSF impls without encryption/signing enabled

− 2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858

Gadgets/Chains:

− 2011/9/9 Wouter Coekaerts: Spring AOP

− 2015/1/28 @frohoff: Commons Collections, Groovy, Spring Beans/Core

* very much not to scale

Page 62-63

2015/1 — 2015/10 (9 months)

Page 64-66

2015/10/28 — Exploiting Deserialization Vulnerabilities in Java

Matthias Kaiser (@matthias_kaiser) — HackPra WS 2015

Hey, that’s us!

Page 67

2015/11/6 — What Do WebLogic, WebSphere, …

Stephen Breen (@breenmachine)

My Birthday

Page 68

2015/11/6-10 — Social Media Kills My Phone Battery

Misunderstanding and misinformation abound

Page 69

2015/11/8-16 — Evasive Maneuvers by Dev Community

Innovative Solutions and (Some) Sensible Responses

Page 70-71

Timeline of Java Serializable Pwnage

Vulnerable (or Likely) Products/Projects:

− ? ?: Many JSF impls without encryption/signing enabled

− 2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858

− 2015/10/27 @matthias_kaiser: Atlassian Bamboo CVE-2015-8360

− 2015/11/4 @mwulftange and @matthias_kaiser: Commvault Edge Server CVE-2015-7253

− 2015/11/6 @matthias_kaiser: Oracle WebLogic CVE-2015-4852

− 2015/11/6 @breenmachine: JBoss AS CVE-2015-7501, WebSphere CVE-2015-7450, Jenkins CVE-2015-8103, OpenNMS

− 2015/11/9 Joel Bernstein: Apache SOLR (SOLR-8262)

− 2015/11/12 Andrew Purtell: Apache HBase (HBASE-14799)

− 2015/11/13 @matthias_kaiser and @mwulftange: Symantec Endpoint Protection Manager CVE-2015-6555

− 2015/11/17 n/a: Unify OpenScape (various) CVE-2015-8237, CVE-2015-8238

− 2015/12/4 n/a: Apache OpenJPA, Commons JCS

− 2015/12/9 @pwntester, @matthias_kaiser, @cschneider4711: ActiveMQ CVE-2015-5254

− 2015/12/9 n/a: Cisco (various) CVE-2015-6420

− 2015/12/16 cpnrodzc7: TomEE CVE-2015-8581

− 2015/12/17 Sim Yih Tsern: Apache Camel CVE-2015-5348

− 2015/12/18 n/a: VMWare vCenter/vRealize (various) CVE-2015-6934

− 2015/12/27 n/a: Apache Batchee, Apache OpenWebBeans

− 2015/12/30 n/a: McAfee ePolicy Orchestrator CVE-2015-8765

Gadgets/Chains:

− 2011/9/9 Wouter Coekaerts: Spring AOP

− 2015/1/28 @frohoff: Commons Collections, Groovy, Spring Beans/Core

* very much not to scale

Page 72

2016/1/21-22 — JNDI/JRMP Remote Loading Gadget

@zerothoughts

Page 73

2016/1/25 — PayPal Remote Code Execution

Michael Stepankin and Mark Litchfield

Page 74

2016/1/26-2/24 — JDK <7u21, Beanutils Gadget Chains

Chris Frohoff (@frohoff)

Page 75

2016/2/24 — serianalyzer, Gadgets, Clients, etc.

Moritz Bechler (@mbechler)

Page 76: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

76

2016/3/4 — Serial Killer & The Perils of Java Deser.

Alvaro Muñoz (@pwntester) and Christian Schneider (@cschneider4711) — RSAC 2016

Page 77: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

77

2016/3/4 — Serial Killer & The Perils of Java Deser.

Alvaro Muñoz (@pwntester) and Christian Schneider (@cschneider4711) — RSAC 2016

Page 78-79

Timeline of Java Serializable Pwnage

Vulnerable (or Likely) Products/Projects:

− ? ?: Many JSF impls without encryption/signing enabled

− 2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858

− 2015/10/27 @matthias_kaiser: Atlassian Bamboo CVE-2015-8360

− 2015/11/4 @mwulftange and @matthias_kaiser: Commvault Edge Server CVE-2015-7253

− 2015/11/6 @matthias_kaiser: Oracle WebLogic CVE-2015-4852

− 2015/11/6 @breenmachine: JBoss AS CVE-2015-7501, WebSphere CVE-2015-7450, Jenkins CVE-2015-8103, OpenNMS

− 2015/11/9 Joel Bernstein: Apache SOLR (SOLR-8262)

− 2015/11/12 Andrew Purtell: Apache HBase (HBASE-14799)

− 2015/11/13 @matthias_kaiser and @mwulftange: Symantec Endpoint Protection Manager CVE-2015-6555

− 2015/11/17 n/a: Unify OpenScape (various) CVE-2015-8237, CVE-2015-8238

− 2015/12/4 n/a: Apache OpenJPA, Commons JCS

− 2015/12/9 @pwntester, @matthias_kaiser, @cschneider4711: ActiveMQ CVE-2015-5254

− 2015/12/9 n/a: Cisco (various) CVE-2015-6420

− 2015/12/16 cpnrodzc7: TomEE CVE-2015-8581

− 2015/12/17 Sim Yih Tsern: Apache Camel CVE-2015-5348

− 2015/12/18 n/a: VMWare vCenter/vRealize (various) CVE-2015-6934

− 2015/12/27 n/a: Apache Batchee, Apache OpenWebBeans

− 2015/12/30 n/a: McAfee ePolicy Orchestrator CVE-2015-8765

− 2016/1/25 Michael Stepankin and Mark Litchfield: PayPal

− 2016/2/9 n/a: Adobe Experience Manager CVE-2016-0958

− 2016/2/24 @mbechler: Jenkins CVE-2016-0788

− 2016/3/16 n/a: TomEE (#2) CVE-2016-0779

Gadgets/Chains:

− 2011/9/9 Wouter Coekaerts: Spring AOP

− 2015/1/28 @frohoff: Commons Collections, Groovy, Spring Beans/Core

− 2016/1/22 @zerothoughts: Spring-TX

− 2016/1/26 @frohoff: JDK 7u21, variation on Commons Collections

− 2016/2/24 @frohoff: Beanutils

− 2016/2/29 @mbechler: Hibernate, MyFaces, C3P0, net.sf.json, ROME, variation on Spring, JRMPClient, JRMPListener

− 2016/3/4 @pwntester and @cschneider4711: Beanshell, Jython, lots of bypasses

− 2016/3/9 @matthias_kaiser: variation on Commons Collections

* very much not to scale

Page 80: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

80


Page 81: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

81


Page 82: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

82


Page 83: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

83

Recent — Qualcomm Red Team Exercise

A colleague tried something new

Performed some new targeted scanning on internal network

Scripted ysoserial against various listeners

− Attempted multiple payload types

− Executed DNS lookup (logged at DNS server) with name of payload type

Results

− Discovered undisclosed vulnerabilities in 6 products (i.e. 0days)

Page 84: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

84

Recent — Deser Vulnerability Reported to Qualcomm

Page 85: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

85

Recent — ysoserial dev activity picking up

$ java -jar target/ysoserial-0.0.5-SNAPSHOT-all.jar

Y SO SERIAL?

Usage: java -jar ysoserial-[version]-all.jar [payload type] '[command to execute]'

Available payload types:

BeanShell1

C3P0

CommonsBeanutils1

CommonsCollections1

CommonsCollections2

CommonsCollections3

CommonsCollections4

CommonsCollections5

FileUpload1

Groovy1

Hibernate1

Hibernate2

JRMPClient

JRMPListener

JSON1

Jdk7u21

Jython1

Myfaces1

Myfaces2

ROME

Spring1

Spring2

Page 86: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

86

Recent — Good Guy Glenn

Glenn Lewis (@gmlewis)

Page 87: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

87

Mitigation

Page 88: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

88

Gadget Whack-a-Mole

DO NOT rely on this!

Fundamental vulnerability is in doing unsafe deserialization, not in having gadgets available

− More will always be found

− Transitive dependencies cause library sprawl

− Cross-library gadget chains

− Auto-detection difficult

Page 89: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

89

Fundamental vulnerability is in doing unsafe deserialization

Page 90: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

90

Fundamental vulnerability is in doing unsafe deserialization

Page 91: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

91

Abstinence

Avoid magic

Avoid open-ended (de)serialization when possible

− If the serialization includes a class name, it’s probably bad

− ObjectInputStream.readObject() is not safe

− Lots of non-open-ended JVM serialization frameworks available

  − https://github.com/eishay/jvm-serializers/wiki

Simple format and/or data types

− Strings, Numbers, Arrays, Maps, etc.

− Manually serialize complex objects

Keep session state on the server when possible

− Beware of lateral attacks! (memcached, redis, database, etc.)

Page 92: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

92

Restrict Deserialization

Use with Caution. This is a band-aid.

Whitelist/Blacklist classes

− Use subclass of ObjectInputStream

  − override resolveClass() to allow/disallow classes

  − http://www.ibm.com/developerworks/library/se-lookahead/

− Blacklisting ≈ Gadget whack-a-mole

− Difficult without robust library support

− Runtime Agents can help

  − Strip Serializable/Externalizable interfaces from classes

  − Instrument native ObjectInputStream.resolveClass()

− Subclass circumventable by “bypass gadgets”

Page 93: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

93

Authenticate

Trust Verify

Encryption != Authentication

− See JSF Padding Oracle attacks

Authenticate channels

− TLS Client Certs, SASL, DB/Cache/Broker credentials

Authenticate content

− HMAC or Authenticated Encryption with secret key

− Must be verified pre-deserialization!

− Don’t read credentials with readObject()

− readUTF() is probably OK

Pro-tip: Don’t leak crypto keys!

− Path traversal

− Default key or key committed to source control
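HMAC-authenticated content verified before deserialization, as an added example that is not from the slides: the key identifier is read with readUTF() rather than readObject(), the tag is compared in constant time, and ObjectInputStream only ever sees bytes whose tag checked out. The wire format, the key id and the size cap are assumptions made for this example.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example (not from the deck). Constructed wire format:
//   readUTF keyId | int payloadLen | payload (Java serialization) | 32-byte HMAC-SHA256 tag
public final class AuthenticatedSerialization {
    private static final String ALG = "HmacSHA256";
    private static final int TAG_LEN = 32, MAX_PAYLOAD = 1 << 20; // cap chosen for this demo
    static byte[] mac(byte[] key, String keyId, byte[] payload) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        mac.update(keyId.getBytes(StandardCharsets.UTF_8)); // bind the key id into the tag
        return mac.doFinal(payload);
    }
    static byte[] seal(byte[] key, String keyId, Serializable obj) throws Exception {
        ByteArrayOutputStream payload = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(payload)) { oos.writeObject(obj); }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        DataOutputStream dos = new DataOutputStream(out);
        dos.writeUTF(keyId);                 // plain string, not a serialized object
        dos.writeInt(payload.size());
        dos.write(payload.toByteArray());
        dos.write(mac(key, keyId, payload.toByteArray()));
        dos.flush();
        return out.toByteArray();
    }
    static Object open(byte[] key, byte[] message) throws Exception {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(message));
        String keyId = in.readUTF();         // readUTF(): no class resolution, no gadget reachable
        int len = in.readInt();
        if (len < 0 || len > MAX_PAYLOAD) throw new SecurityException("bad payload length " + len);
        byte[] payload = new byte[len], tag = new byte[TAG_LEN];
        in.readFully(payload); in.readFully(tag);
        if (!MessageDigest.isEqual(tag, mac(key, keyId, payload))) { // constant-time compare
            throw new SecurityException("HMAC mismatch for key " + keyId + ", refusing to deserialize");
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return ois.readObject();         // only reached with a valid tag
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32]; new SecureRandom().nextBytes(key); // per-deployment secret, never in source
        byte[] msg = seal(key, "session-key-1", "hello");
        System.out.println(open(key, msg));
        msg[msg.length - TAG_LEN - 1] ^= 1;  // tamper with the last payload byte
        try { open(key, msg); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

A valid tag proves who wrote the bytes, not that they are harmless, so the inner ObjectInputStream should still be a restricted one as on the previous slide.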

Page 94: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

94

Security-in-depth

Assume breach of defenses

Strict firewall rules for deserializing listeners

Sandboxing/Hardening

− Java SecurityManager

  − Transient usage can be circumvented by “deferred execution bypass gadgets”

− AppArmor/SELinux

− Docker containers

− Block (or whitelist) forking processes, file/network I/O

Page 95: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

95

Great Job Everyone…but you’re not done

Continue pwning all the things

Find more unsafe deserialization

− Watch products with naïve mitigations

Find more gadgets/chains

− Gadget finding tool improvements

Explore mediums, platforms, formats, implementations

Help with ysoserial

− Has become more active

− Needs contributors

− Lots of work to be done

Page 96: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

96

The Future

Page 97: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

97

Past Work / References

Stefan Esser, 2009/11/1, Shocking News in PHP Exploitation

− https://www.nds.rub.de/media/hfs/attachments/files/2010/03/hackpra09_fu_esser_php_exploits1.pdf

David Byrne, Rohini Sulatycki, 2010/6/21, Beware of Serialized GUI Objects Bearing Data

− https://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf

Stefan Esser, 2010/7/29, Utilizing Code Reuse/ROP in PHP Application Exploits

− https://www.owasp.org/images/9/9e/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf

Wouter Coekaerts, 2011/9/9, Spring Vulnerabilities

− http://wouter.coekaerts.be/2011/spring-vulnerabilities

Charlie Sommerville, 2013/1/10, Rails 3.2.10 Remote Code Execution

− https://github.com/charliesome/charlie.bz/blob/master/posts/rails-3.2.10-remote-code-execution.md

Arseniy Reutov, 2013/5/28, PHP Object Injection Revisited

− https://prezi.com/5hif_vurb56p/php-object-injection-revisited/

Stephen Coty, 2013/6/14, Writing Exploits for Exotic Bug Classes: unserialize()

− https://www.alertlogic.com/blog/writing-exploits-for-exotic-bug-classes/

Ben Murphy, 2013/6/23, Property Oriented Programming Applied to Ruby

− http://slides.com/benmurphy/property-oriented-programming#/

Robert Heaton, 2013/7/22, How to hack a Rails app using its secret_token

− http://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/

Dinis Cruz, 2013/8/6, Using XMLDecoder to execute server-side Java Code on an Restlet application

− http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html

Page 98: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

98

Past Work / References

Abraham Kang, Dinis Cruz, Alvaro Munoz, 2013/8/6, RESTing on your laurels will get you pwned

− http://www.slideshare.net/DinisCruz/res-ting-on-your-laurels-will-get-you-powned4-3

Tom Van Goethem, 2013/9/11, WordPress < 3.6.1 PHP Object Injection

− https://vagosec.org/2013/09/wordpress-php-object-injection/

David Jorm, 2013/11/20, Java Deserialization Flaws: Part 1, Binary Deserialization

− https://securityblog.redhat.com/2013/11/20/java-deserialization-flaws-part-1-binary-deserialization/

Alvaro Munoz, 2013/12/16, CVE-2011-2894: Deserialization Spring RCE

− http://pwntester.com/blog/2013/12/16/cve-2011-2894-deserialization-spring-rce/

Dinis Cruz, 2013/12/22, XStream "Remote Code Execution" exploit on code from "Standard way to serialize and deserialize Objects with XStream" article

− http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html

David Jorm, 2014/1/23, Java deserialization flaws: Part 2, XML deserialization

− https://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/

Johannes Dahse, Nikolai Krein, Thorsten Holz, 2014/11/3, Code Reuse Attacks in PHP: Automated POP Chain Generation

− https://websec.files.wordpress.com/2010/11/rips_ccs.pdf

− http://syssec.rub.de/media/emma/veroeffentlichungen/2014/09/10/POPChainGeneration-CCS14.pdf

Renaud Dubourguais, Nicolas Collignon, 2013, JSF ViewState upside-down

− http://www.synacktiv.com/ressources/JSF_ViewState_InYourFace.pdf

Gabe Lawrence, Chris Frohoff, 2015/1/28, Marshalling Pickles

− http://frohoff.github.io/appseccali-marshalling-pickles/

Page 99: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

99

Past Work / References

Matthias Kaiser, 2015/10/28, Exploiting Deserialization Vulnerabilities in Java

− http://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478

− https://www.youtube.com/watch?v=VviY3O-euVQ

Stephen Breen, 2015/11/6, What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.

− http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

Bernd Eckenfels, Gary Gregory, 2015/11/10, Apache Commons statement to widespread Java object de-serialisation vulnerability

− https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread

@Zerothoughts, 2016/1/21, Fun with JNDI remote code injection, Spring framework deserialization RCE

− http://zerothoughts.tumblr.com/post/137769010389/fun-with-jndi-remote-code-injection

− http://zerothoughts.tumblr.com/post/137831000514/spring-framework-deserialization-rce

Laksh Raghavan, 2016/1/21, Lessons Learned from the Java Deserialization Bug

− https://www.paypal-engineering.com/2016/01/21/lessons-learned-from-the-java-deserialization-bug/

Michael Stepankin, 2016/1/25, PayPal Remote Code Execution Vulnerability

− http://artsploit.blogspot.com/2016/01/paypal-rce.html

Alvaro Muñoz, Christian Schneider, 2016/3/4, Serial Killer: Silently Pwning Your Java Endpoints, Perils of Java Deserialization

− http://rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf

− http://community.hpe.com/t5/Security-Research/The-perils-of-Java-deserialization/ba-p/6838995

Gabe Lawrence, 2016/3/14, Deserialization is bad, and you should feel bad

− http://www.meetup.com/OWASP-Cork/events/229340488/

Page 100: OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

100

For more information on Qualcomm, visit us at:

www.qualcomm.com & www.qualcomm.com/blog

Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries.

Other products and brand names may be trademarks or registered trademarks of their respective owners

Thank you

Follow us on:

Gabe Lawrence

[email protected]

@gebl

Chris Frohoff

[email protected]

@frohoff