Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download ObjectInputStream
Document related concepts
no text concepts found
Transcript
JavaDeserializa,onA0acks
Angriff&Verteidigung
ChristianSchneider,@cschneider4711
AlvaroMuñoz,@pwntester(inAbsentia)
1
AboutMe
`whoami`
– Developer,WhitehatHacker&Trainer
– Freelancersince1997
– FocusonJavaEE&WebSecurity
– SpeakeratConferences
– @cschneider4711
– www.ChrisPan-Schneider.net
QuickPoll
InputStream is = request.getInputStream();
ObjectInputStream ois = new ObjectInputStream(is);
ois.readObject();
Howmanyarefamiliarwithwhatthiscodedoes?
Howmanyofyouknowtherisksassociatedwithdeserializing
untrusteddata?
Howmanyofyouknowhowtoexploitthisasa
remotecodeexecuPon(RCE)?
JavaSerializaPon
Object Graph
Object Graph
Takingasnapshotofanobjectgraphasabytestreamthatcanbe
usedtoreconstructtheobjectgraphtoitsoriginalstate
• Onlyobjectdataisserialized,notthecode
• ThecodesitsontheClassPathofthe(de)serializingend
4
A[ackSurface
UsagesofJavaserialization
inprotocols/formats/
products:
– RMI(RemoteMethod
Invocation)
– JMX(JavaManagement
Extension)
– JMS(JavaMessaging
System)
– SpringServiceInvokers
• HTTP,JMS,RMI,etc.
– Android
– AMF(ActionMessage
Format)
– JSFViewState
– WebLogicT3
– LDAPResponses
– …
5
A[acksviainternalinterfaces
Application Server
RM
I
,J
replication
MS
,e
tc.
Backend Server
https
User
RMI, JMS, etc.
Web Browser
Application Server
replication
,
MS
.
etc
I, J
RM
Attacker
Application Server
6
A[acksviaexternalinterfaces
User
Web Browser
https
https
Application Server
Attacker
WhenJavaserializaPondataisreadbackfrom
client(browser)viaCookiesetc.
7
CustomizaPonofJavaSerializaPon
• DeveloperscancustomizethisserializaPon/
deserializaPonprocess
– IndividualobjectserializaPon
via.writeObject()/.writeReplace()/.writeExternal()
– Individualobjectre-construcPonondeserializingend
via.readObject()/.readResolve()/.readExternal()
8
TriggeringExecuPonvia"MagicMethods"
ObjectInputStream
Serializable Class
4. Resolve classes of stream
resolveClass()
5. Deserialize objects
Application Code
Garbage Collector
1. Get bytes
2. Initialize ObjectInputStream
3. Read object from stream
• ois.readObject()
6. Restore object member fields
• readObject(ObjectInputStream)
• readObjectNoData()
7. Eventually replace restored object
• readResolve()
8. Optionally validate object
• validateObject()
9.Cast deserialized object to expected type
10.Use deserialized object
11.Call finalize() on GC
TriggeringExecuPonvia"MagicMethods"
ObjectInputStream
Serializable Class
4. Resolve classes of stream
resolveClass()
5. Deserialize objects
Application Code
Garbage Collector
1. Get bytes
2. Initialize ObjectInputStream
3. Read object from stream
• ois.readObject()
6. Restore object member fields
• readObject(ObjectInputStream)
• readObjectNoData()
7. Eventually replace restored object
• readResolve()
8. Optionally validate object
• validateObject()
9.Cast deserialized object to expected type
10.Use deserialized object
11.Call finalize() on GC
ExploiPng"MagicMethods"
• Abusing"magicmethods"ofgadgetswhichhave
dangerous/riskycode:
– A[ackercontrolsmemberfields’valuesof
serializedobject
– UpondeserializaPon.readObject()/.readResolve()
isinvoked
• ImplementaPonofthismethodingadgetclass
usesa0acker-controlledfields…
• …andisinfluencedinthewaya[ackerdesires…;)
11
More"MagicMethods"
• Asidefromtheclassiconesalsolesser-known
"magicmethods"help:
– .validateObject()aspartofvalidaPon
(whichdoesnotpreventa[acks)
– .readObjectNoData()upondeserializaPonconflicts
– .finalize()aspartofGC(evenalererrors)
• withdeferredexecuPonbypassing
ad-hocSecurityManagersatdeserializaPon
• WorksalsoforExternalizable’s.readExternal()
12
ToyExample
public class DangerousToy implements Serializable {
private String command;
…
forexample
calc.exe
public final Object readObject(ObjectInputStream ois)
throws OptionalDataException, ClassNotFoundException, IOException {
ois.defaultReadObject();
Runtime.getRuntime().exec(command);
}
}
13
WhatifthereisnointeresPngcode
reachedbymagicmethods?
14
ProxywithInvocaPonHandler
asCatalyzer
Proxy
Interface
Class
method1
method2
field1
field2
…
method1
method2
method2
Invocation Handler
Custom code
15
ExploiPngInvocaPonHandler
(IH)Gadgets
• A[ackerstepsuponserializaPon:
– A[ackercontrolsmemberfieldsofIHgadget,whichhasdangerouscode
– IH(aspartofDynamicProxy)getsserializedbya[ackerasfieldonwhichan
innocuousmethodiscalledfrom"magicmethod"(ofclasstodeserialize)
• ApplicaPonstepsupondeserializaPon:
– "MagicMethod"of"TriggerGadget"callsinnocuousmethodonan
a0ackercontrolledfield
– Thiscallisinterceptedbyproxy(setbya[ackerasfield)anddispatchedtoIH
• OtherIH-liketypesexistasidejava.lang.reflect.InvocaPonHandler
– javassist.uPl.proxy.MethodHandler
– org.jboss.weld.bean.proxy.MethodHandler
16
ToyExample:TriggerGadget
public class TriggerGadget implements Serializable {
Attacker controls this field, so it
private Comparator comp;
…
can set it to anything implementing
java.util.Comparator … anything,
even a Proxy
public final Object readObject(ObjectInputStream ois) throws Exception {
ois.defaultReadObject();
comp.compare("foo", "bar");
}
}
Proxy will intercept
call to “compare()”
and dispatch it to its
Invocation Handler
17
ToyExample:DangerousIH
public class DangerousHandler implements Serializable, InvocationHandler {
private String command;
…
public Object invoke(Object proxy, Method method, Object[] args) {
Runtime.getRuntime().exec(command);
}
}
Payload execution
18
RCEgadgetinBeanShell
(CVE-2016-2510)
• bsh.XThis$Handler
• Serializable
• InvocaPonHandler
• UponfuncPonintercepPon
customBeanShellcodewillbecalled
• AlmostanyJavacodecanbeincludedinthepayload
• Inordertoinvokethepayloadatriggergadgetis
neededtodispatchtheexecuPontothe
InvocaPonHandlerinvokemethod
19
RCEgadgetinBeanShell
(CVE-2016-2510)
20
PayloadGenerator"ysoserial"
• ysoserialby@frohoff&@gebl—anexcellenttool!
• Commandlineinterface(CLI)
• Generatesserializedformofpayloadwithgadget
chain
• Containsmanycurrentknowngadgets
– Newergadgetshavebeensubmi[edasPRs
• TheJavaDeserializa.onExploita.onTool
– h[ps://github.com/frohoff/ysoserial
21
Gadgetsavailableinysoserial
java -jar ysoserial.jar
Y SO SERIAL?
Usage: java -jar ysoserial.jar [payload type] '[shell command to execute]'
Available payload types:
BeanShell
C3P0
CommonsBeanutils
CommonsCollections
FileUpload
Groovy
Hibernate
JRMPClient
JRMPListener
JSON
Jdk7u21
Jython
Myfaces
ROME
Spring
…
22
PayloadgeneraPonviaysoserial
java -jar ysoserial.jar BeanShell 'calc' | xxd
0000000:
0000010:
0000020:
0000030:
0000040:
0000050:
0000060:
0000070:
0000080:
0000090:
00000a0:
00000b0:
00000c0:
00000d0:
aced
6c2e
da30
654c
164c
6172
0000
6f6d
612e
726f
0001
2f72
696f
1162
0005
5072
b4fb
000a
6a61
6174
0100
7061
6c61
7879
6874
6566
6e48
7368
7372
696f
3f82
636f
7661
6f72
146a
7261
6e67
e127
0025
6c65
616e
2e58
0017
7269
b103
6d70
2f75
3b78
6176
746f
2e72
da20
4c6a
6374
646c
5468
6a61
7479
0002
6172
7469
7000
612e
7278
6566
cc10
6176
2f49
6572
6973
7661
5175
4900
6174
6c2f
0000
7574
7200
6c65
43cb
612f
6e76
3b78
2448
2e75
6575
0473
6f72
436f
0273
696c
176a
6374
0200
6c61
6f63
7073
616e
7469
6594
697a
7400
6d70
7d00
2e43
6176
2e50
014c
6e67
6174
7200
646c
....sr..java.uti
l.PriorityQueue.
.0..?.....I..siz
eL..comparatort.
.Ljava/util/Comp
arator;xp....s}.
.....java.util.C
omparatorxr..jav
a.lang.reflect.P
roxy.'. ..C....L
..ht.%Ljava/lang
/reflect/Invocat
ionHandler;xpsr.
.bsh.XThis$Handl
23
MiPgaPonAdvices
24
MiPgaPonAdvice#1
RemoveGadget
25
TonsofGadgets
•
SpringAOP(byWouterCoekaertsin2011)
•
Firstpublicexploit:(by@pwntesterin2013)
•
Commons-fileupload(byArunBabuNeelica[uin2013)
•
Groovy(bycpnrodzc7/@frohoffin2015)
•
Commons-CollecPons(by@frohoffand@geblin2015)
•
SpringBeans(by@frohoffand@geblin2015)
•
SerialDoS(byWouterCoekaertsin2015)
•
SpringTx(by@zerothinkingin2016)
•
JDK7(by@frohoffin2016)
•
BeanuPls(by@frohoffin2016)
•
Hibernate,MyFaces,C3P0,net.sf.json,ROME(byM.Bechlerin2016)
•
Beanshell,Jython,lotsofbypasses(by@pwntesterand@cschneider4711in2016)
•
JDK7Rhino(by@ma[hias_kaiserin2016)
•
…
26
MiPgaPonAdvice#1
RemoveGadget
27
MiPgaPonAdvice#2
AdHocSecurityManager
InputStream is = request.getInputStream();
// Install Security Manager
System.setSecurityManager(new MyDeserializationSM());
// Deserialize the data
ObjectInputStream ois = new ObjectInputStream(ois);
ois.readObject();
// Uninstall (restore) Security Manager
System.setSecurityManager(null);
A[ackerscandeferexecuPon:
• finalize()method
• Playwithexpectedtypes(i.ereturnvalidtypesforthecastwhichfirelater)
Ifyoucanuninstall/restoretheSecurityManagerorrefreshthepolicy,
a[ackersmightbeabletodoitaswell
28
MiPgaPonAdvice#2
AdHocSecurityManager
InputStream is = request.getInputStream();
// Install Security Manager
System.setSecurityManager(new MyDeserializationSM());
// Deserialize the data
ObjectInputStream ois = new ObjectInputStream(ois);
ois.readObject();
// Uninstall (restore) Security Manager
System.setSecurityManager(null);
A[ackerscandeferexecuPon:
• finalize()method
• Playwithexpectedtypes(i.ereturnvalidtypesforthecastwhichfirelater)
Ifyoucanuninstall/restoretheSecurityManagerorrefreshthepolicy,
a[ackersmightbeabletodoitaswell
29
MiPgaPonAdvice#3
DefensiveDeserializaPon
class DefensiveObjectInputStream extends ObjectInputStream {
@Override
protected Class<?> resolveClass(ObjectStreamClass cls) throws IOException, ClassNotFoundException {
String className = cls.getName();
if ( /* CHECK CLASS NAME AGAINST ALLOWED/DISALLOWED TYPES */) {
throw new InvalidClassException("Unexpected serialized class", className);
}
return super.resolveClass(cls);
}
}
30
BypassingDeserializaPon
Blacklists
• Newgadgettypetobypassad-hoclook-aheadObjectInputStreamblacklist
protecPons:
public class NestedProblems implements Serializable {
private byte[] bytes … ;
…
private void readObject(ObjectInputStream in) throws IOException,
ClassNotFoundException {
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes));
ois.readObject();
}
}
• DuringdeserializaPonoftheobjectgraph,anewimmaculateunprotected
ObjectInputStreamwillbeinstanPated
• A[ackercanprovideanyarbitrarybytesforunsafedeserializaPon
• BypassdoesnotworkforcaseswhereObjectInputStreamisinstrumented
31
Isthisforrealorjustfantasy?
Currentlywefoundmanybypassgadgets:
JRE:2
ThirdPartyLibraries
Apachelibraries: 6
Springlibraries: 1
Otherpopularlibraries: 2
Applica.onServers
WildFly(JBoss): 2
IBMWebSphere: 15
OracleWebLogic: 5
ApacheTomEE: 5
ApacheTomcat: 2
OracleGlassFish: 2
SerialKiller:BypassGadgetCollec,on:
h[ps://github.com/pwntester/SerialKillerBypassGadgetCollecPon
32
Example:BypassAdHoc
SecurityManagerandBlacklists
javax.media.jai.remote.SerializableRenderedImage
finalize() > dispose() > closeClient()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
…
private void closeClient() {
// Connect to the data server.
Socket socket = connectToServer();
// Get the socket output stream and wrap an object
// output stream around it.
OutputStream out = null;
ObjectOutputStream objectOut = null;
ObjectInputStream objectIn = null;
try {
out = socket.getOutputStream();
objectOut = new ObjectOutputStream(out);
objectIn = new ObjectInputStream(socket.getInputStream());
} catch (IOException e) { ... }
objectIn.readObject();
33
MiPgaPonAdvice#3
DefensiveDeserializaPon
class DefensiveObjectInputStream extends ObjectInputStream {
@Override
protected Class<?> resolveClass(ObjectStreamClass cls) throws IOException, ClassNotFoundException {
String className = cls.getName();
if ( /* CHECK CLASS NAME AGAINST ALLOWED/DISALLOWED TYPES */) {
throw new InvalidClassException("Unexpected serialized class", className);
}
return super.resolveClass(cls);
}
}
34
Whataboutother
languagesontheJVM?
35
Scala&Groovy
import java.io._
object SerializationDemo extends App {
val ois = new ObjectInputStream(new FileInputStream(“exploit.ser"))
val o = ois.readObject()
ois.close()
}
import java.io.*
File exploit = new File('exploit.ser')
try {
def is = exploit.newObjectInputStream(this.class.classLoader)
is.eachObject { println it }
} catch (e) { throw new Exception(e) } finally { is?.close() }
Sourcecode:https://github.com/pwntester/JVMDeserialization
36
Whattodothen?
37
HowtoHardenYourApplicaPons?
DONOTDESERIALIZEUNTRUSTEDDATA!!
Whenarchitecturepermitsit:
–
Useotherformatsinsteadofserializedobjects:JSON,XML,etc.
•
ButbeawareofXML-baseddeserializationattacksviaXStream,XmlDecoder,etc.
Assecond-bestoption:
Usedefensivedeserializationwithlook-aheadOISwithastrictwhitelist
•
Don’trelyongadget-blacklistingalone!
•
YoucanbuildthewhitelistwithOpenSourceagentSWAT
(SerialWhitelistApplicationTrainer:https://github.com/cschneider4711/SWAT)
•
Consideranagent-basedinstrumentingofObjectInputStream(tocatchthemall)
•
Scanyourownwhitelistedcodeforpotentialgadgets
•
StillbeawareofDoSscenarios
38
FindingVulnerabiliPes
&
GadgetsintheCode
39
FindingdeserializaPonendpoints
• CheckyourendpointsforthoseaccepPng(untrusted)serializeddata
• Findcallsto:
• ObjectInputStream.readObject()
• ObjectInputStream.readUnshared()
• …whereInputStreamisa[acker-controlled.Forexample:
InputStream is = request.getInputStream();
ObjectInputStream ois = new ObjectInputStream(is);
ois.readObject();
• …andObjectInputStreamisorextendsjava.io.ObjectInputStream
• …butisnotasafeone(eg:Commons-ioValidaPngObjectInputStream)
• Mayhappeninlibrarycode.Eg:JMS,JMX,RMI,Queues,Brokers,Spring
HTTPInvokers,etc…
40
FindinggadgetsinaHaystack
• CheckyourcodeforpotenPalgadgets,which
couldbeusedindeserializaPon:
Lookforinteres,ngmethodcalls… …reachedby:
java.lang.reflect.Method.invoke()
java.io.Externalizable.readExternal()
java.io.File()
java.io.Serializable.readObject()
java.io.ObjectInputStream()
java.io.Serializable.readObjectNoData()
java.net.URLClassLoader()
java.io.Serializable.readResolve()
java.net.Socket()
java.io.ObjectInputValidaPon.validateObject()
java.net.URL()
java.lang.reflect.InvocaPonHandler.invoke()
javax.naming.Context.lookup()
javassist.uPl.proxy.MethodHandler.invoke()
…
org.jboss.weld.bean.proxy.MethodHandler.invoke()
java.lang.Object.finalize()
<clinit>(sta.cini.alizer)
.toString(),.hashCode()and.equals()
41
WhattoCheckDuringPentests?
42
DeserializaPonEndpoint
DetecPon
Findrequests(oranynetworktraffic)carryingserializedJavaobjects:
• Easytospotduetomagicbytesatthebeginning:0xAC0xED…
•
Someweb-appsmightuseBase64tostoreserializeddata
inCookies,etc.:rO0AB…
•
Beawarethatcompressioncould’vebeenappliedbeforeBase64
• 0x1F8B0x0800…
• H4sIA…
Forac,vescans:
• Don’trelyonspecificgadgetclasses(mightbeblacklisted)
•
Be[erusegenericdenial-of-servicepayloadsandmeasurePming
•
SerialDOS(byWouterCoekaerts),jInfinity(byArshanDabirsiaghi),
OIS-DOS(byTomášPolešovský),etc.
43
DeserializaPonEndpoint
DetecPon
Tools:
•
UsecommercialorfreescannerslikeZAP/Burp
–withpluginssuchasSuperSerialtopassivelyscanforJavaserializaPon
•
Alsothinkofmassscanningofserverendpointswithscriptslike
SerializeKiller
•
UseWireSharkfornetworktraffic
•
IfallowedtoinstrumenttheappuserunPmeagentssuchasSWATtofind
outifanythinggetsdeserialized
44
ChristianSchneider,@cschneider4711,[email protected]
AlvaroMuñoz,@pwntester,[email protected]
Q&A/ThankYou!
…andremember:
DONOTDESERIALIZEUNTRUSTEDDATA!
FAQ:
https://Christian-Schneider.net/JavaDeserializationSecurityFAQ.html
Whitepaper:
https://community.hpe.com/t5/Security-Research/The-perils-of-Java-deserialization/ba-p/6838995
45
BACKUP
46
ApacheCommons-IO
ValidaPngObjectInputStream(2.5)
47
ApacheCommons-IO
ValidaPngObjectInputStream(2.5)
WhitelistConfigura,on
DoNOTuseblacklists!
48
BestsoluPon?☺
Clo
sed Status
/W :
ithd
raw
n
49
FutureLooksBright
Sta
Targ tus:
ete
d
50
JEP-290:What‘sinitforus?
"Provideaflexiblemechanismtonarrowtheclassesthatcanbedeserializedfromanyclass
availabletoanapplica.on,downtoacontext-appropriatesetofclasses."
Whitelistdefensivedeserializa,on
"Providemetricstothefilterforgraphsizeandcomplexityduringdeserializa.ontovalidate
normalgraphbehaviors."
DenialofServicemi,ga,on
"ProvideamechanismforRMI-exportedobjectstovalidatetheclassesexpectedininvoca.ons."
SecureRMI
"Thefiltermechanismmustnotrequiresubclassingormodifica.ontoexis.ngsubclassesof
ObjectInputStream."
Backwardscompa,ble,catch‘emall!
"Defineaglobalfilterthatcanbeconfiguredbyproper.esoraconfigura.onfile."
51
Configurable
