Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
JavaDeserializa,onA0acks Angriff&Verteidigung ChristianSchneider,@cschneider4711 AlvaroMuñoz,@pwntester(inAbsentia) 1 AboutMe `whoami` – Developer,WhitehatHacker&Trainer – Freelancersince1997 – FocusonJavaEE&WebSecurity – SpeakeratConferences – @cschneider4711 – www.ChrisPan-Schneider.net QuickPoll InputStream is = request.getInputStream(); ObjectInputStream ois = new ObjectInputStream(is); ois.readObject(); Howmanyarefamiliarwithwhatthiscodedoes? Howmanyofyouknowtherisksassociatedwithdeserializing untrusteddata? Howmanyofyouknowhowtoexploitthisasa remotecodeexecuPon(RCE)? JavaSerializaPon Object Graph Object Graph Takingasnapshotofanobjectgraphasabytestreamthatcanbe usedtoreconstructtheobjectgraphtoitsoriginalstate • Onlyobjectdataisserialized,notthecode • ThecodesitsontheClassPathofthe(de)serializingend 4 A[ackSurface UsagesofJavaserialization inprotocols/formats/ products: – RMI(RemoteMethod Invocation) – JMX(JavaManagement Extension) – JMS(JavaMessaging System) – SpringServiceInvokers • HTTP,JMS,RMI,etc. – Android – AMF(ActionMessage Format) – JSFViewState – WebLogicT3 – LDAPResponses – … 5 A[acksviainternalinterfaces Application Server RM I ,J replication MS ,e tc. Backend Server https User RMI, JMS, etc. Web Browser Application Server replication , MS . etc I, J RM Attacker Application Server 6 A[acksviaexternalinterfaces User Web Browser https https Application Server Attacker WhenJavaserializaPondataisreadbackfrom client(browser)viaCookiesetc. 7 CustomizaPonofJavaSerializaPon • DeveloperscancustomizethisserializaPon/ deserializaPonprocess – IndividualobjectserializaPon via.writeObject()/.writeReplace()/.writeExternal() – Individualobjectre-construcPonondeserializingend via.readObject()/.readResolve()/.readExternal() 8 TriggeringExecuPonvia"MagicMethods" ObjectInputStream Serializable Class 4. Resolve classes of stream resolveClass() 5. Deserialize objects Application Code Garbage Collector 1. Get bytes 2. Initialize ObjectInputStream 3. Read object from stream • ois.readObject() 6. Restore object member fields • readObject(ObjectInputStream) • readObjectNoData() 7. Eventually replace restored object • readResolve() 8. Optionally validate object • validateObject() 9.Cast deserialized object to expected type 10.Use deserialized object 11.Call finalize() on GC TriggeringExecuPonvia"MagicMethods" ObjectInputStream Serializable Class 4. Resolve classes of stream resolveClass() 5. Deserialize objects Application Code Garbage Collector 1. Get bytes 2. Initialize ObjectInputStream 3. Read object from stream • ois.readObject() 6. Restore object member fields • readObject(ObjectInputStream) • readObjectNoData() 7. Eventually replace restored object • readResolve() 8. Optionally validate object • validateObject() 9.Cast deserialized object to expected type 10.Use deserialized object 11.Call finalize() on GC ExploiPng"MagicMethods" • Abusing"magicmethods"ofgadgetswhichhave dangerous/riskycode: – A[ackercontrolsmemberfields’valuesof serializedobject – UpondeserializaPon.readObject()/.readResolve() isinvoked • ImplementaPonofthismethodingadgetclass usesa0acker-controlledfields… • …andisinfluencedinthewaya[ackerdesires…;) 11 More"MagicMethods" • Asidefromtheclassiconesalsolesser-known "magicmethods"help: – .validateObject()aspartofvalidaPon (whichdoesnotpreventa[acks) – .readObjectNoData()upondeserializaPonconflicts – .finalize()aspartofGC(evenalererrors) • withdeferredexecuPonbypassing ad-hocSecurityManagersatdeserializaPon • WorksalsoforExternalizable’s.readExternal() 12 ToyExample public class DangerousToy implements Serializable { private String command; … forexample calc.exe public final Object readObject(ObjectInputStream ois) throws OptionalDataException, ClassNotFoundException, IOException { ois.defaultReadObject(); Runtime.getRuntime().exec(command); } } 13 WhatifthereisnointeresPngcode reachedbymagicmethods? 14 ProxywithInvocaPonHandler asCatalyzer Proxy Interface Class method1 method2 field1 field2 … method1 method2 method2 Invocation Handler Custom code 15 ExploiPngInvocaPonHandler (IH)Gadgets • A[ackerstepsuponserializaPon: – A[ackercontrolsmemberfieldsofIHgadget,whichhasdangerouscode – IH(aspartofDynamicProxy)getsserializedbya[ackerasfieldonwhichan innocuousmethodiscalledfrom"magicmethod"(ofclasstodeserialize) • ApplicaPonstepsupondeserializaPon: – "MagicMethod"of"TriggerGadget"callsinnocuousmethodonan a0ackercontrolledfield – Thiscallisinterceptedbyproxy(setbya[ackerasfield)anddispatchedtoIH • OtherIH-liketypesexistasidejava.lang.reflect.InvocaPonHandler – javassist.uPl.proxy.MethodHandler – org.jboss.weld.bean.proxy.MethodHandler 16 ToyExample:TriggerGadget public class TriggerGadget implements Serializable { Attacker controls this field, so it private Comparator comp; … can set it to anything implementing java.util.Comparator … anything, even a Proxy public final Object readObject(ObjectInputStream ois) throws Exception { ois.defaultReadObject(); comp.compare("foo", "bar"); } } Proxy will intercept call to “compare()” and dispatch it to its Invocation Handler 17 ToyExample:DangerousIH public class DangerousHandler implements Serializable, InvocationHandler { private String command; … public Object invoke(Object proxy, Method method, Object[] args) { Runtime.getRuntime().exec(command); } } Payload execution 18 RCEgadgetinBeanShell (CVE-2016-2510) • bsh.XThis$Handler • Serializable • InvocaPonHandler • UponfuncPonintercepPon customBeanShellcodewillbecalled • AlmostanyJavacodecanbeincludedinthepayload • Inordertoinvokethepayloadatriggergadgetis neededtodispatchtheexecuPontothe InvocaPonHandlerinvokemethod 19 RCEgadgetinBeanShell (CVE-2016-2510) 20 PayloadGenerator"ysoserial" • ysoserialby@frohoff&@gebl—anexcellenttool! • Commandlineinterface(CLI) • Generatesserializedformofpayloadwithgadget chain • Containsmanycurrentknowngadgets – Newergadgetshavebeensubmi[edasPRs • TheJavaDeserializa.onExploita.onTool – h[ps://github.com/frohoff/ysoserial 21 Gadgetsavailableinysoserial java -jar ysoserial.jar Y SO SERIAL? Usage: java -jar ysoserial.jar [payload type] '[shell command to execute]' Available payload types: BeanShell C3P0 CommonsBeanutils CommonsCollections FileUpload Groovy Hibernate JRMPClient JRMPListener JSON Jdk7u21 Jython Myfaces ROME Spring … 22 PayloadgeneraPonviaysoserial java -jar ysoserial.jar BeanShell 'calc' | xxd 0000000: 0000010: 0000020: 0000030: 0000040: 0000050: 0000060: 0000070: 0000080: 0000090: 00000a0: 00000b0: 00000c0: 00000d0: aced 6c2e da30 654c 164c 6172 0000 6f6d 612e 726f 0001 2f72 696f 1162 0005 5072 b4fb 000a 6a61 6174 0100 7061 6c61 7879 6874 6566 6e48 7368 7372 696f 3f82 636f 7661 6f72 146a 7261 6e67 e127 0025 6c65 616e 2e58 0017 7269 b103 6d70 2f75 3b78 6176 746f 2e72 da20 4c6a 6374 646c 5468 6a61 7479 0002 6172 7469 7000 612e 7278 6566 cc10 6176 2f49 6572 6973 7661 5175 4900 6174 6c2f 0000 7574 7200 6c65 43cb 612f 6e76 3b78 2448 2e75 6575 0473 6f72 436f 0273 696c 176a 6374 0200 6c61 6f63 7073 616e 7469 6594 697a 7400 6d70 7d00 2e43 6176 2e50 014c 6e67 6174 7200 646c ....sr..java.uti l.PriorityQueue. .0..?.....I..siz eL..comparatort. .Ljava/util/Comp arator;xp....s}. .....java.util.C omparatorxr..jav a.lang.reflect.P roxy.'. ..C....L ..ht.%Ljava/lang /reflect/Invocat ionHandler;xpsr. .bsh.XThis$Handl 23 MiPgaPonAdvices 24 MiPgaPonAdvice#1 RemoveGadget 25 TonsofGadgets • SpringAOP(byWouterCoekaertsin2011) • Firstpublicexploit:(by@pwntesterin2013) • Commons-fileupload(byArunBabuNeelica[uin2013) • Groovy(bycpnrodzc7/@frohoffin2015) • Commons-CollecPons(by@frohoffand@geblin2015) • SpringBeans(by@frohoffand@geblin2015) • SerialDoS(byWouterCoekaertsin2015) • SpringTx(by@zerothinkingin2016) • JDK7(by@frohoffin2016) • BeanuPls(by@frohoffin2016) • Hibernate,MyFaces,C3P0,net.sf.json,ROME(byM.Bechlerin2016) • Beanshell,Jython,lotsofbypasses(by@pwntesterand@cschneider4711in2016) • JDK7Rhino(by@ma[hias_kaiserin2016) • … 26 MiPgaPonAdvice#1 RemoveGadget 27 MiPgaPonAdvice#2 AdHocSecurityManager InputStream is = request.getInputStream(); // Install Security Manager System.setSecurityManager(new MyDeserializationSM()); // Deserialize the data ObjectInputStream ois = new ObjectInputStream(ois); ois.readObject(); // Uninstall (restore) Security Manager System.setSecurityManager(null); A[ackerscandeferexecuPon: • finalize()method • Playwithexpectedtypes(i.ereturnvalidtypesforthecastwhichfirelater) Ifyoucanuninstall/restoretheSecurityManagerorrefreshthepolicy, a[ackersmightbeabletodoitaswell 28 MiPgaPonAdvice#2 AdHocSecurityManager InputStream is = request.getInputStream(); // Install Security Manager System.setSecurityManager(new MyDeserializationSM()); // Deserialize the data ObjectInputStream ois = new ObjectInputStream(ois); ois.readObject(); // Uninstall (restore) Security Manager System.setSecurityManager(null); A[ackerscandeferexecuPon: • finalize()method • Playwithexpectedtypes(i.ereturnvalidtypesforthecastwhichfirelater) Ifyoucanuninstall/restoretheSecurityManagerorrefreshthepolicy, a[ackersmightbeabletodoitaswell 29 MiPgaPonAdvice#3 DefensiveDeserializaPon class DefensiveObjectInputStream extends ObjectInputStream { @Override protected Class<?> resolveClass(ObjectStreamClass cls) throws IOException, ClassNotFoundException { String className = cls.getName(); if ( /* CHECK CLASS NAME AGAINST ALLOWED/DISALLOWED TYPES */) { throw new InvalidClassException("Unexpected serialized class", className); } return super.resolveClass(cls); } } 30 BypassingDeserializaPon Blacklists • Newgadgettypetobypassad-hoclook-aheadObjectInputStreamblacklist protecPons: public class NestedProblems implements Serializable { private byte[] bytes … ; … private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException { ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes)); ois.readObject(); } } • DuringdeserializaPonoftheobjectgraph,anewimmaculateunprotected ObjectInputStreamwillbeinstanPated • A[ackercanprovideanyarbitrarybytesforunsafedeserializaPon • BypassdoesnotworkforcaseswhereObjectInputStreamisinstrumented 31 Isthisforrealorjustfantasy? Currentlywefoundmanybypassgadgets: JRE:2 ThirdPartyLibraries Apachelibraries: 6 Springlibraries: 1 Otherpopularlibraries: 2 Applica.onServers WildFly(JBoss): 2 IBMWebSphere: 15 OracleWebLogic: 5 ApacheTomEE: 5 ApacheTomcat: 2 OracleGlassFish: 2 SerialKiller:BypassGadgetCollec,on: h[ps://github.com/pwntester/SerialKillerBypassGadgetCollecPon 32 Example:BypassAdHoc SecurityManagerandBlacklists javax.media.jai.remote.SerializableRenderedImage finalize() > dispose() > closeClient() 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 … private void closeClient() { // Connect to the data server. Socket socket = connectToServer(); // Get the socket output stream and wrap an object // output stream around it. OutputStream out = null; ObjectOutputStream objectOut = null; ObjectInputStream objectIn = null; try { out = socket.getOutputStream(); objectOut = new ObjectOutputStream(out); objectIn = new ObjectInputStream(socket.getInputStream()); } catch (IOException e) { ... } objectIn.readObject(); 33 MiPgaPonAdvice#3 DefensiveDeserializaPon class DefensiveObjectInputStream extends ObjectInputStream { @Override protected Class<?> resolveClass(ObjectStreamClass cls) throws IOException, ClassNotFoundException { String className = cls.getName(); if ( /* CHECK CLASS NAME AGAINST ALLOWED/DISALLOWED TYPES */) { throw new InvalidClassException("Unexpected serialized class", className); } return super.resolveClass(cls); } } 34 Whataboutother languagesontheJVM? 35 Scala&Groovy import java.io._ object SerializationDemo extends App { val ois = new ObjectInputStream(new FileInputStream(“exploit.ser")) val o = ois.readObject() ois.close() } import java.io.* File exploit = new File('exploit.ser') try { def is = exploit.newObjectInputStream(this.class.classLoader) is.eachObject { println it } } catch (e) { throw new Exception(e) } finally { is?.close() } Sourcecode:https://github.com/pwntester/JVMDeserialization 36 Whattodothen? 37 HowtoHardenYourApplicaPons? DONOTDESERIALIZEUNTRUSTEDDATA!! Whenarchitecturepermitsit: – Useotherformatsinsteadofserializedobjects:JSON,XML,etc. • ButbeawareofXML-baseddeserializationattacksviaXStream,XmlDecoder,etc. Assecond-bestoption: Usedefensivedeserializationwithlook-aheadOISwithastrictwhitelist • Don’trelyongadget-blacklistingalone! • YoucanbuildthewhitelistwithOpenSourceagentSWAT (SerialWhitelistApplicationTrainer:https://github.com/cschneider4711/SWAT) • Consideranagent-basedinstrumentingofObjectInputStream(tocatchthemall) • Scanyourownwhitelistedcodeforpotentialgadgets • StillbeawareofDoSscenarios 38 FindingVulnerabiliPes & GadgetsintheCode 39 FindingdeserializaPonendpoints • CheckyourendpointsforthoseaccepPng(untrusted)serializeddata • Findcallsto: • ObjectInputStream.readObject() • ObjectInputStream.readUnshared() • …whereInputStreamisa[acker-controlled.Forexample: InputStream is = request.getInputStream(); ObjectInputStream ois = new ObjectInputStream(is); ois.readObject(); • …andObjectInputStreamisorextendsjava.io.ObjectInputStream • …butisnotasafeone(eg:Commons-ioValidaPngObjectInputStream) • Mayhappeninlibrarycode.Eg:JMS,JMX,RMI,Queues,Brokers,Spring HTTPInvokers,etc… 40 FindinggadgetsinaHaystack • CheckyourcodeforpotenPalgadgets,which couldbeusedindeserializaPon: Lookforinteres,ngmethodcalls… …reachedby: java.lang.reflect.Method.invoke() java.io.Externalizable.readExternal() java.io.File() java.io.Serializable.readObject() java.io.ObjectInputStream() java.io.Serializable.readObjectNoData() java.net.URLClassLoader() java.io.Serializable.readResolve() java.net.Socket() java.io.ObjectInputValidaPon.validateObject() java.net.URL() java.lang.reflect.InvocaPonHandler.invoke() javax.naming.Context.lookup() javassist.uPl.proxy.MethodHandler.invoke() … org.jboss.weld.bean.proxy.MethodHandler.invoke() java.lang.Object.finalize() <clinit>(sta.cini.alizer) .toString(),.hashCode()and.equals() 41 WhattoCheckDuringPentests? 42 DeserializaPonEndpoint DetecPon Findrequests(oranynetworktraffic)carryingserializedJavaobjects: • Easytospotduetomagicbytesatthebeginning:0xAC0xED… • Someweb-appsmightuseBase64tostoreserializeddata inCookies,etc.:rO0AB… • Beawarethatcompressioncould’vebeenappliedbeforeBase64 • 0x1F8B0x0800… • H4sIA… Forac,vescans: • Don’trelyonspecificgadgetclasses(mightbeblacklisted) • Be[erusegenericdenial-of-servicepayloadsandmeasurePming • SerialDOS(byWouterCoekaerts),jInfinity(byArshanDabirsiaghi), OIS-DOS(byTomášPolešovský),etc. 43 DeserializaPonEndpoint DetecPon Tools: • UsecommercialorfreescannerslikeZAP/Burp –withpluginssuchasSuperSerialtopassivelyscanforJavaserializaPon • Alsothinkofmassscanningofserverendpointswithscriptslike SerializeKiller • UseWireSharkfornetworktraffic • IfallowedtoinstrumenttheappuserunPmeagentssuchasSWATtofind outifanythinggetsdeserialized 44 ChristianSchneider,@cschneider4711,[email protected] AlvaroMuñoz,@pwntester,[email protected] Q&A/ThankYou! …andremember: DONOTDESERIALIZEUNTRUSTEDDATA! FAQ: https://Christian-Schneider.net/JavaDeserializationSecurityFAQ.html Whitepaper: https://community.hpe.com/t5/Security-Research/The-perils-of-Java-deserialization/ba-p/6838995 45 BACKUP 46 ApacheCommons-IO ValidaPngObjectInputStream(2.5) 47 ApacheCommons-IO ValidaPngObjectInputStream(2.5) WhitelistConfigura,on DoNOTuseblacklists! 48 BestsoluPon?☺ Clo sed Status /W : ithd raw n 49 FutureLooksBright Sta Targ tus: ete d 50 JEP-290:What‘sinitforus? "Provideaflexiblemechanismtonarrowtheclassesthatcanbedeserializedfromanyclass availabletoanapplica.on,downtoacontext-appropriatesetofclasses." Whitelistdefensivedeserializa,on "Providemetricstothefilterforgraphsizeandcomplexityduringdeserializa.ontovalidate normalgraphbehaviors." DenialofServicemi,ga,on "ProvideamechanismforRMI-exportedobjectstovalidatetheclassesexpectedininvoca.ons." SecureRMI "Thefiltermechanismmustnotrequiresubclassingormodifica.ontoexis.ngsubclassesof ObjectInputStream." Backwardscompa,ble,catch‘emall! "Defineaglobalfilterthatcanbeconfiguredbyproper.esoraconfigura.onfile." 51 Configurable