Java Deserialization In Action :) Day One

What is insecure deserialization?

To understand insecure deserialization, we must first understand what serialization is and how it is used in applications.

Serialization is a process during which an object in a programming language (say, a Java object) is converted into a byte or text format that can be saved to a file or database or transferred over a network. Deserialization is the opposite: the serialized form is read back from the file or the network and converted into a live object again.

Many programming languages support the serialization and deserialization of objects, including Java, PHP, Python, and Ruby.

Insecure deserialization is a type of vulnerability that arises when an attacker is able to control the serialized data an application deserializes and thereby cause unintended behaviour in the program. Depending on the application this can lead to DoS, authentication bypass, or even RCE.

For example, if an application takes a serialized object from the user and uses the data contained in it to determine who is logged in, a malicious user might be able to tamper with that object and authenticate as someone she is not. If the application deserializes untrusted input without restrictions, the malicious user might even be able to craft an object graph whose deserialization triggers code that already exists in the application and get arbitrary code executed. And this is what we'll focus on today: gaining arbitrary code execution using an insecure deserialization bug in a Java application.

Serialization interface in Java

In order to understand how to exploit deserialization vulnerabilities, let's first quickly review how serialization and deserialization work in Java:

A Java class opts into serialization by implementing the marker interface java.io.Serializable (or java.io.Externalizable). Objects are written with ObjectOutputStream.writeObject() and read back with ObjectInputStream.readObject(). A class can optionally define the private methods writeObject(ObjectOutputStream) and readObject(ObjectInputStream) to customize how its instances are written and read; when they are absent, the runtime serializes the non-transient fields by default. The important point for what follows: readObject() (and related hooks such as readResolve()) run while the stream is being parsed, before the caller ever gets the object back or checks its type, and no constructor is invoked. Objects of classes that implement neither interface cannot be serialized; attempting it throws java.io.NotSerializableException.
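The following is an added example, not code from the original post. It shows the mechanics just described on a made-up Serializable class: a custom writeObject()/readObject() pair, the round trip through ObjectOutputStream and ObjectInputStream, and the fact that the readObject() hook fires before the caller gets the object back. The class and field names are invented for illustration.

```java
import java.io.*;
import java.util.Base64;

// Added example (not from the original post): a Serializable class with custom
// writeObject/readObject hooks, serialized and deserialized with the standard
// Java streams. All class and field names here are made up for illustration.
public class SerializationDemo {

    static class Session implements Serializable {
        private static final long serialVersionUID = 1L;
        String user;
        transient String note; // transient fields are skipped by default serialization

        Session(String user) { this.user = user; }

        // Called by ObjectOutputStream instead of the default field-by-field writer.
        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();   // write the non-transient fields
            out.writeUTF("extra");      // custom trailing data
        }

        // Called by ObjectInputStream while the stream is being read, i.e. before
        // the caller ever sees the object. Any code placed here runs on untrusted input.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            note = in.readUTF();
            System.out.println("readObject() ran for user=" + user + " note=" + note);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new Session("alice"));

        // Stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005
        System.out.printf("header: %02X %02X %02X %02X%n", bytes[0], bytes[1], bytes[2], bytes[3]);
        // Base64 of the same bytes starts with "rO0AB"
        System.out.println("base64: " + Base64.getEncoder().encodeToString(bytes));

        // Session.readObject() runs inside deserialize(), before this cast is reached
        Session s = (Session) deserialize(bytes);
        System.out.println("user=" + s.user + " note=" + s.note);
    }
}
```

Run with `javac SerializationDemo.java && java SerializationDemo`. Note that no Session constructor runs during deserialize(); the only application code that executes is the readObject() hook, which is exactly the behaviour an attacker relies on.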

Exploiting Java insecure deserialization

So how can we exploit Java applications via an insecure deserialization bug? The first step is to find an entry point where the application accepts a serialized object from the client. Java applications often transport serialized objects in HTTP headers, parameters, or cookies, usually Base64-encoded.

The Java serialized object

Java serialized objects have the following signatures. These can help you recognize potential entry points for your exploits:

  • The stream starts with the bytes AC ED 00 05 (STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005). Base64-encoded, this becomes rO0AB (often written as just rO0), which is what you will typically see in cookies or parameters. URL-encoded Base64 looks the same except for %3D padding and %2B in place of +.
  • A Content-Type header of an HTTP request or response set to application/x-java-serialized-object.

Since Java serialized objects contain many non-printable bytes, they are usually encoded before transmission (Base64, URL-encoded Base64, hex, sometimes gzip-compressed first). Look out for differently encoded versions of these signatures as well: a gzip-compressed stream starts with 1F 8B (H4sI in Base64) and only reveals AC ED 00 05 after decompression.
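As an added example (not from the original post), here is a small detector that checks a header, parameter or cookie value for the serialization magic across the encodings mentioned above: raw bytes, Base64, hex, and URL-encoded Base64. The sample values are constructed; the first two are the Base64 of a hand-built stream fragment (header plus the start of a java.util.HashMap class descriptor), not a complete object. It needs Java 11 or later for URLDecoder.decode(String, Charset).

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;

// Added example (not from the original post): recognising the Java serialization
// stream header in values that may be Base64-, URL- or hex-encoded. Sample cookie
// values in main() are constructed for illustration.
public class SerializedObjectDetector {

    // STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005)
    private static final byte[] MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};

    static boolean hasMagic(byte[] data) {
        if (data == null || data.length < MAGIC.length) return false;
        for (int i = 0; i < MAGIC.length; i++) {
            if (data[i] != MAGIC[i]) return false;
        }
        return true;
    }

    // Try standard Base64, then the URL-safe alphabet; null if neither decodes.
    static byte[] tryBase64(String s) {
        try { return Base64.getDecoder().decode(s); }
        catch (IllegalArgumentException e) {
            try { return Base64.getUrlDecoder().decode(s); }
            catch (IllegalArgumentException e2) { return null; }
        }
    }

    static byte[] tryHex(String s) {
        if (s.length() % 2 != 0 || !s.matches("[0-9A-Fa-f]+")) return null;
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    /** Returns a label for the encoding that revealed the header, or null if none did. */
    static String detect(String value) {
        // Raw bytes (e.g. a body read as ISO-8859-1, which maps bytes 1:1 to chars)
        if (hasMagic(value.getBytes(StandardCharsets.ISO_8859_1))) return "raw";
        if (hasMagic(tryBase64(value))) return "base64";
        if (hasMagic(tryHex(value))) return "hex";
        // URL-encoded Base64: "rO0ABXNy...%3D%3D" with '=' as %3D and '+' as %2B
        String urlDecoded = URLDecoder.decode(value, StandardCharsets.UTF_8);
        if (!urlDecoded.equals(value) && hasMagic(tryBase64(urlDecoded))) return "url+base64";
        return null;
    }

    public static void main(String[] args) {
        List<String> samples = List.of(
            "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA==",    // constructed: header + start of a HashMap class descriptor
            "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA%3D%3D", // the same value URL-encoded, as it would appear in a cookie
            "aced00057372",                            // hex-encoded header
            "eyJhbGciOiJIUzI1NiJ9.e30.sig"             // a JWT-shaped value: not a Java object
        );
        for (String s : samples) {
            System.out.printf("%-45s -> %s%n", s, detect(s));
        }
    }
}
```

Expected labels for the four samples are base64, url+base64, hex and null respectively. The check deliberately stops at the four header bytes: a value that decodes to AC ED 00 05 is worth a closer look regardless of what follows, while a full parse belongs to the exploitation step.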

Manipulating object data and application logic

After you discover a user-supplied serialized object, the first thing to try is manipulating program logic by tampering with the data stored in the object.
For example, if the Java object is used as a cookie for access control, you can change the username, role name, or other identity markers present in the object, re-serialize it, and send it back to the application.
You can also try tampering with any other value in the object, such as file paths, file specifiers, or values that drive control flow, to see whether you can alter the program's behaviour.
Two Java-specific caveats: the class you re-serialize must still match the server's copy, including its serialVersionUID, or deserialization fails with InvalidClassException; and if you edit the bytes directly instead of re-serializing, remember that a string in the stream is prefixed with its big-endian 2-byte length, which must be updated whenever the string's length changes.
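The following is an added example, not code from the original post. It walks through the cookie-tampering step in Java: decode the Base64 cookie, deserialize it, overwrite an identity field, and re-encode. It assumes the cookie's class (here a made-up AuthToken) is available on the tester's classpath, for instance pulled from the application's jar, with the same serialVersionUID; the "issued" cookie is constructed in main() by serializing a low-privilege token.

```java
import java.io.*;
import java.lang.reflect.Field;
import java.util.Base64;

// Added example (not from the original post): decoding a Base64 cookie that holds a
// serialized object, changing an identity field, and re-encoding it. AuthToken is a
// made-up class standing in for whatever class the target application serializes.
public class CookieTamper {

    static class AuthToken implements Serializable {
        private static final long serialVersionUID = 42L;
        private String username;
        private String role;
        AuthToken(String username, String role) { this.username = username; this.role = role; }
        @Override public String toString() { return username + "/" + role; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Overwrite a private instance field by name. Deserialization bypasses constructors
    // anyway, so there is no input validation on the server side to get around here.
    static void setField(Object target, String name, Object value) throws ReflectiveOperationException {
        Field f = target.getClass().getDeclaredField(name);
        f.setAccessible(true);
        f.set(target, value);
    }

    // Decode -> deserialize -> modify -> serialize -> encode
    static String tamper(String cookie, String field, Object newValue) throws Exception {
        Object token = deserialize(Base64.getDecoder().decode(cookie));
        setField(token, field, newValue);
        return Base64.getEncoder().encodeToString(serialize(token));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the cookie the application issued to a normal user
        String issued = Base64.getEncoder().encodeToString(serialize(new AuthToken("alice", "user")));
        System.out.println("issued : " + deserialize(Base64.getDecoder().decode(issued)));

        String forged = tamper(issued, "role", "admin");
        System.out.println("forged : " + deserialize(Base64.getDecoder().decode(forged)));
        System.out.println("cookie : " + forged);
    }
}
```

If the application accepts the forged cookie and treats the request as alice/admin, the access-control decision is being made on client-controlled data. If it rejects it, check whether a signature or MAC accompanies the object, or whether the class on the server differs from your local copy (InvalidClassException on your side points at the latter).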

From bug to code execution

So what else can we do when an application deserializes uncontrolled user input? If the application places no restrictions on which classes may be deserialized, any Serializable class that the current classloader can load can be instantiated from the stream, including classes from the JDK and from every library on the classpath. This means the user, not the application, decides which objects get created. No constructor runs, but each class's readObject(), readResolve() and similar hooks do, with attacker-controlled field values. An attacker can achieve RCE by building an object graph out of such classes so that these hooks, one calling into the next, eventually reach a method that executes arbitrary commands.
The path from a Java deserialization bug to remote code execution can be convoluted: a chain of such classes, called gadgets, has to be found in code that is already present in the application in order to reach the desired code execution sink. This works very similarly to the POP chains used to exploit PHP deserialization bugs, which I talked about in this article: Source link
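As an added example (not from the original post), the block below puts the vulnerable pattern next to the check a defender would apply. The Gadget class is a stand-in for a real gadget chain: it only sets a flag from its readObject() hook instead of running a command. The hardened reader uses java.io.ObjectInputFilter (Java 9 and later, JEP 290) with an allowlist, so a class that is not expected is rejected before its readObject() can run. Class names are invented for illustration.

```java
import java.io.*;

// Added example (not from the original post): an unrestricted ObjectInputStream next
// to one protected by a java.io.ObjectInputFilter allowlist (Java 9+). The Gadget class
// stands in for a real gadget chain and only records that its hook executed.
public class FilteredDeserialization {

    // The one type the application actually expects to receive.
    static class Expected implements Serializable {
        private static final long serialVersionUID = 1L;
        String payload = "hello";
    }

    // Stand-in for an attacker-chosen class: any Serializable class on the classpath
    // with a readObject() side effect. Real chains end in reflection or Runtime.exec
    // instead of setting this flag.
    static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean hookRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            hookRan = true; // arbitrary code would run here
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Vulnerable pattern: whatever class the stream names gets instantiated and its hooks run.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened: the filter is consulted for every class descriptor (and for depth/array
    // limits, where serialClass() is null) before the class is resolved, so a rejected
    // class never reaches readObject().
    static Object filteredRead(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowOnlyExpected = info -> {
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // size/depth check, no class
            return (c == Expected.class || c == String.class)
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowOnlyExpected);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] attackerBytes = serialize(new Gadget());

        unsafeRead(attackerBytes);
        System.out.println("unsafe read : hook ran = " + Gadget.hookRan);

        Gadget.hookRan = false;
        try {
            filteredRead(attackerBytes);
        } catch (InvalidClassException e) {
            // Rejected with "filter status: REJECTED"; the hook never executed
            System.out.println("filtered    : rejected (" + e.getMessage() + "), hook ran = " + Gadget.hookRan);
        }

        Object ok = filteredRead(serialize(new Expected()));
        System.out.println("filtered    : allowed " + ok.getClass().getSimpleName());
    }
}
```

When auditing a Java application, look for ObjectInputStream.readObject() calls that reach client-supplied bytes and check whether a filter (per stream, or process-wide via the jdk.serialFilter property) is in place. A missing or denylist-only filter is the condition that makes the gadget-chain approach in the text viable.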

posted @ 2021-02-03 09:40 咕咕鸟GGA