![Exploitation? How Deserialization works?
● The stream of bytes is used to reconstruct the object.
● The stream of bytes has all the information(data, metadata) required to build
the object.
● While deserializing the object, JVM reads the class metadata from stream of
bytes and checks if the bytecode of class whose object is deserialized is
present within JVM otherwise the ClassNotFoundException is thrown.
● Now JVM initiates the process of creation of the object. JVM sets the static
fields and then invokes the readObject method of the class[ The default
method is invoked if the method is not overridden]
● The deserialization object is finished once readObject() returns.](https://image.slidesharecdn.com/insecurejavadeserialization-180708082802/85/Insecure-Java-Deserialization-13-320.jpg)
Insecure Java Deserialization
- 2. Hello! ● I’m Shiv Sahni ● Principal Security Consultant @ Confidential ● Author-The Grey Matter of Securing Android Applications ● OSCP/CREST CRT Certified Infosec Professional
- 3. Why is it TRENDING? ● OWASP Top 10 2017-A8-Insecure Deserialization ● Equifax’s major data breach affecting 143 million customers. ● It virtually affects all apps that accept serialized Java objects
- 4. The Process?
- 5. Serializable Objects ● The class must implement java.io.Serializable interface ● Serializable is a marker interface
- 6. Example public class KRADeck implements java.io.Serializable { public String KPI1; public String KPI1Value; public String KPI2; public String KPI2Value; public void calculateKRA() { --- System.out.println("Mailing the scores to "); --- } }
- 7. Reading and Writing Objects ● The ObjectOutputStream class contains many write methods for writing various data types, but one method in particular stands out − public final void writeObject(Object x) throws IOException ● Similarly, the ObjectInputStream class contains the following method for deserializing an object − public final Object readObject() throws IOException, ClassNotFoundException
- 8. Example: Serializing an Object --- FileOutputStream fileOut =new FileOutputStream("SijoKRAJuly.data"); ObjectOutputStream out = new ObjectOutputStream(fileOut); out.writeObject(e); out.close(); fileOut.close() --
- 9. Example: Deserializing an Object --- FileInputStream fileIn = new FileInputStream("SijoKRAJuly.data"); ObjectInputStream in = new ObjectInputStream(fileIn); e = (KRA) in.readObject(); in.close(); fileIn.close(); --
- 10. Java Serialization Algorithm 1. Write serialization magic data (“AC ED”). 2. Write description/metadata of the class associated with the object being serialized. 3. The next step of the algorithm is to write the description of the parent class, which is the immediate superclass of the class. 4. The algorithm recursively writes out the data until it finds java.lang.Object class. 5. Once it finishes writing the description/metadata it then starts with writing the actual data associated with the instance. However, this time it starts in the reverse order. Reference: Javaworld.com
- 11. Is Java Deserialization Secure? Whenever an object is serialized, the stream of bytes only contains the data, the metadata, the object member values and NO CODE!!
- 12. What is this? Deserialization of Untrusted Data?
- 13. Exploitation? How Deserialization works? ● The stream of bytes is used to reconstruct the object. ● The stream of bytes has all the information(data, metadata) required to build the object. ● While deserializing the object, JVM reads the class metadata from stream of bytes and checks if the bytecode of class whose object is deserialized is present within JVM otherwise the ClassNotFoundException is thrown. ● Now JVM initiates the process of creation of the object. JVM sets the static fields and then invokes the readObject method of the class[ The default method is invoked if the method is not overridden] ● The deserialization object is finished once readObject() returns.
- 14. Gadget Classes For abusing Java Deserialization attackers finds dangerous classes available in the namespace and not necessarily used by the system. These classes are known as Gadget classes. These classes have following properties: 1. Implements Serializable/Externalizable interface 2. Accessible from current code i.e. Present in the namespace. 3. Use member fields during or after deserialization.
- 15. Unrealistic Gadget public class SomeClass implements Serializable{ private String cmd; private void readObject(java.io.ObjectInputStream stream) throws IOException, ClassNotFoundException{ stream.defaultReadObject(); Runtime.getRuntime().exec(cmd); } }
- 16. Gadget Chains ● Attackers can abuse deserialization of untrusted data by creating chain of method calls which is known as Gadget Chains. ● These chains are SELF EXECUTING and are TRIGGERED during or after deserialization.
- 17. Gadget Chains ● Most gadget chains utilize gadgets from the middlewares/third components such as JBoss, IBM Websphere, Apache Commons Library etc. ● There are some gadget chains that do not contain any third party gadgets, they are build using JRE gadget and hence are known as GOLDEN GADGET CHAINS
- 18. Let’s see what OWASP suggests! Cheat Sheet
- 19. Q&A Time
- 20. References ● OWASP London: Unsafe Deserialization Attacks In Java - Apostolos Giannakidis ● Javaworld.com ● Wikipedia, Tutorials Point and Geeks for Geeks