SlideShare a Scribd company logo

Defending against Java Deserialization Vulnerabilities

Luca Carettoni
Luca Carettoni

Java deserialization vulnerabilities have recently gained popularity due to a renewed interest from the security community. Despite being publicly discussed for several years, a significant number of Java based products are still affected. Whenever untrusted data is used within deserialization methods, an attacker can abuse this simple design anti-pattern to compromise your application. After a quick introduction of the problem, this talk will focus on discovering and defending against deserialization vulnerabilities. I will present a collection of techniques for mitigating attacks when turning off object serialization is not an option, and we will discuss practical recommendations that developers can use to help prevent these attacks.

Internet
1 of 36
Download to read offline
Defending against Java Deserialization Vulnerabilities Bay Area OWASP Meetup - September 2016 Luca Carettoni - @lucacarettoni
Agenda This talk is about defense and how to protect your application against this new old class of vulnerabilities. ● Intro to Java Deserialization bugs ● A real-life bug (SJWC serialized object injection via JSF view state) ● Discovery ● Defense
Intro to Java Deserialization bugs
From object graph data to byte stream
Serialization in Code //Instantiate the Serializable class String myPreso = “OWASP Bay Area”; // Write to disk FileOutputStream fileOut = new FileOutputStream("serial.data"); // Write object ObjectOutputStream objOut = new ObjectOutputStream (fileOut); objOut.writeObject(myPreso);
Deserialization in Code // Read from disk FileInputStream fileIn = new FileInputStream("serial.data"); // Read object ObjectInputStream objIn = new ObjectInputStream (fileIn); String myPreso = (String) objIn.readObject();
Deserialization in Bytecode [...] aload ois invokevirtual Object ObjectInputStream.readObject() checkcast String [...] Any Serializable class will work until this point. No type safety
Callback methods ● Developers can override the following methods to customize the deserialization process ○ readObject() ○ readResolve() ○ readObjectNoData() ○ validateObject() ○ finalize() Invoked by the Garbage Collector
What if…. 1. A remote service accepts Java serialized objects 2. In the classpath of the remote application, there are unrelated classes that are Serializable AND implement one of the callbacks 3. The callback’s method implements something interesting* * File I/O operations, system commands, socket operations, etc.
Unlikely? //org.apache.commons.fileupload.disk.DiskFileItem Private void readObject(ObjectInputStream in) { 703 in.defaultReadObject(); 704 705 OutputStream output = getOutputStream(); .. 709 FileInputStream input = new FileInputStream(dfosFile); 710 IOUtils.copy(input, output); 711 dfosFile.delete(); ..
The Forgotten Bug Class @matthias_kaiser™ 2005 - Marc Schonefeld 2015 - Steve Breen And many more...
A real-life bug, back from 2010 Sun Java Web Console serialized object injection via JSF view state
Sun Java Web Console README - SJWC_3.0 “The Sun Java (TM) Web Console is a web application that provides a single point on entry for many of Sun's systems management applications. The console application provides a single-sign on capability and a secure home page for many of Solaris”
JSF ViewState ● JSF ViewState uses Java deserialization to restore the UI state HTML Page <form> <input type="hidden" name="javax.faces.ViewState" value= </form>
Sun Java Web Console - Login Page ViewState ● ViewState saved client-side only ○ javax.faces.STATE_SAVING_METHOD=”client” before SJWC < 3.1 ● No encryption
A good bug ● Attractive target, as SJWC was the admin web interface for Solaris ● At the time of discovery (Jan 2010), I created a Proof-of-Concept using a known gadget based on Hashtable collisions (Crosby & Wallach, 2003) ○ https://www.ikkisoft.com/stuff/SJWC_DoS.java ● Back then, I had no idea about the infamous Apache Common Collections gadget (Gabriel Lawrence, Chris Frohoff) ○ /opt/sun/webconsole/private/container/shared/lib/commons-collections.jar ● However, I was able to leverage an Expression Language (EL) Injection-like to perform arbitrary file read ● Soon after, SJWC started using server-side ViewState ○ “Beware of Serialized GUI Objects Bearing Data” July 2010, Black Hat Vegas
In practice
Discovery
Code Review - Entry Points Look for occurrences of: ● java.io.ObjectInputStream.readObject() ● java.io.ObjectInputStream.readUnshared() And perform manual review to determine whether they use user-supplied data $ egrep -r "readObject(|readUnshared("
Code Review - Gadgets ● This is the interesting (and complex) part of exploiting Java deserialization vulnerabilities ● As a defender, assume that there are multiple game-over gadgets available in the classpath ○ For example, SJWC uses 58 dependency JARs ● If you want to learn more on how to discover gold and silver gadgets: ○ Marshalling Pickles - Gabriel Lawrence, Chris Frohoff ○ Java Deserialization Vulnerabilities, The Forgotten Bug Class - Matthias Kaiser ○ Surviving the Java serialization apocalypse - Alvaro Muñoz, Christian Schneider ○ Ysoserialpayloads - https://github.com/frohoff/ysoserial/tree/master/src/main/java/ysoserial/payloads
Discovery with no code... ● Decompile :) ● Magic bytes in the network traffic ○ 0xAC 0xED ○ rO0 ○ FvzFgDff9 ○ … ● Passive and active tools ○ https://github.com/DirectDefense/SuperSerial ○ https://github.com/johndekroon/serializekiller ○ <--ADD your favourite web scanner vendor HERE-->
Defense
Things that do NOT work ● Patching Apache Commons ● Removing dependencies from the classpath ● Black-listing only ● Using a short-lived Java Security Manager during deserialization
Your best option. All other mitigations are suboptimal. Do not use serialization when receiving untrusted data. It’s 2016, there are better options.
Option #1 - Add authentication ● Add a layer of authentication to ensure that Java serialization can be invoked by trusted parties only ○ At the network layer, using client-side TLS certs ○ At the application layer, encryption/signing of the payload Pro Cons ● Network layer solutions can be implemented with no application changes (e.g. stunnel) ● Additional operational complexity ● If enc/dec is implemented by the application, secure keys management is crucial ● Trusted parties can still abuse the application
Option #2 - Use Java Agent-based solutions ● Install a Java Agent solution to perform JVM-wide validation (blacklisting/whitelisting) ○ https://github.com/Contrast-Security-OSS/contrast-rO0 ○ https://github.com/kantega/notsoserial Pro Cons ● No application changes ● Easy to deploy and use ● Performance hit ● In certain environment, not usable (e.g. software engineer with no access to the underlying JVM container)
Option #3 - Use safe ObjectInputStream implementation ● Replace calls to ObjectInputStream with calls to a safe implementation ○ Based on look-ahead techniques ○ https://github.com/ikkisoft/SerialKiller ○ https://github.com/Contrast-Security-OSS/contrast-rO0 (SafeObjectInputStream) Pro Cons ● Full control for developers ● Requires re-factoring ● To be bulletproof*, whitelisting must be used (which requires profiling, good understanding of the app) * Still affected by DoS gadgets
Mitigations in real-life Full credit to Alvaro Muñoz and Christian Schneider
SerialKiller SerialKiller is an easy-to-use look-ahead Java deserialization library to secure application from untrusted input. https://github.com/ikkisoft/SerialKiller
How to protect your application with SerialKiller 1. Download the latest version of the SerialKiller's Jar a. This library is also available on Maven Central 2. Import SerialKiller's Jar in your project 3. Replace your deserialization ObjectInputStream with SerialKiller 4. Tune the configuration file, based on your application requirements
In practice 1/2 // Read from disk FileInputStream fileIn = new FileInputStream("serial.data"); // Read object ObjectInputStream objIn = new ObjectInputStream (fileIn); String myPreso = (String) objIn.readObject();
In practice 2/2 // Read from disk FileInputStream fileIn = new FileInputStream("serial.data"); // Read object ObjectInputStream objIn = new SerialKiller(fileIn, "/etc/sk.conf"); String myPreso = (String) objIn.readObject();
SK’s configuration 1/2 SerialKiller config supports the following settings: ● Refresh: The refresh delay in milliseconds, used to hot-reload the configuration file ● BlackList: A Java regex to define malicious classes ○ Provides a default configuration against known gadgets ● WhiteList: A Java regex to define classes used by your application ● Profiling: To trace classes being deserialized ● Logging: Java’s core logging facility
SK’s configuration 2/2 <?xml version="1.0" encoding="UTF-8"?> <config> <refresh>6000</refresh> <mode> <profiling>true</profiling> </mode> <logging> <enabled>true</enabled> <logfile>/tmp/serialkiller.log</logfile> </logging> <blacklist> [...] <!-- ysoserial's Spring1 payload --> <regexp>org.springframework.beans.factory.ObjectFactory$</regexp> </blacklist> <whitelist> <regexp>.*</regexp> </whitelist> </config>
SerialKiller v0.4 Demo
Thanks! Luca Carettoni - @lucacarettoni

Recommended

An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
joaomatosf_
 
Java Serialization Deep Dive
Java Serialization Deep DiveJava Serialization Deep Dive
Java Serialization Deep Dive
Martijn Dashorst
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Christian Schneider
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
Christopher Frohoff
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
CODE WHITE GmbH
 
Spring Boot
Spring BootSpring Boot
Spring Boot
Jiayun Zhou
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
Christopher Frohoff
 

Recommended

An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
joaomatosf_
 
Java Serialization Deep Dive
Java Serialization Deep DiveJava Serialization Deep Dive
Java Serialization Deep Dive
Martijn Dashorst
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Christian Schneider
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
Christopher Frohoff
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
CODE WHITE GmbH
 
Spring Boot
Spring BootSpring Boot
Spring Boot
Jiayun Zhou
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
Christopher Frohoff
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in Java
CODE WHITE GmbH
 
Discover Quarkus and GraalVM
Discover Quarkus and GraalVMDiscover Quarkus and GraalVM
Discover Quarkus and GraalVM
Romain Schlick
 
Attack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure DeserializationAttack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure Deserialization
Sukhpreet Singh
 
Spring data jpa
Spring data jpaSpring data jpa
Spring data jpa
Jeevesh Pandey
 
Insecure Java Deserialization
Insecure Java DeserializationInsecure Java Deserialization
Insecure Java Deserialization
Shiv Sahni
 
Spring Boot
Spring BootSpring Boot
Spring Boot
koppenolski
 
Introduction to Spring Boot
Introduction to Spring BootIntroduction to Spring Boot
Introduction to Spring Boot
Purbarun Chakrabarti
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat Security Conference
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Christian Schneider
 
Understanding Reactive Programming
Understanding Reactive ProgrammingUnderstanding Reactive Programming
Understanding Reactive Programming
Andres Almiray
 
Spring core module
Spring core moduleSpring core module
Spring core module
Raj Tomar
 
Spring Boot
Spring BootSpring Boot
Spring Boot
Pei-Tang Huang
 
Spring I/O 2012: Natural Templating in Spring MVC with Thymeleaf
Spring I/O 2012: Natural Templating in Spring MVC with ThymeleafSpring I/O 2012: Natural Templating in Spring MVC with Thymeleaf
Spring I/O 2012: Natural Templating in Spring MVC with Thymeleaf
Thymeleaf
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
Miroslav Stampar
 
Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOP
Dzmitry Naskou
 
Jdbc complete
Jdbc completeJdbc complete
Jdbc complete
Sandeep Rawat
 
Introduction to spring boot
Introduction to spring bootIntroduction to spring boot
Introduction to spring boot
Santosh Kumar Kar
 
Developing Faster with Swagger
Developing Faster with SwaggerDeveloping Faster with Swagger
Developing Faster with Swagger
Tony Tam
 
Spring Boot
Spring BootSpring Boot
Spring Boot
HongSeong Jeon
 
Spring Boot & WebSocket
Spring Boot & WebSocketSpring Boot & WebSocket
Spring Boot & WebSocket
Ming-Ying Wu
 
Play framework
Play frameworkPlay framework
Play framework
Andrew Skiba
 
Breakfast cereal for advanced beginners
Breakfast cereal for advanced beginnersBreakfast cereal for advanced beginners
Breakfast cereal for advanced beginners
Truptiranjan Nayak
 

More Related Content

What's hot

BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat Security Conference
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Christian Schneider
 
Spring Boot & WebSocket
Spring Boot & WebSocketSpring Boot & WebSocket
Spring Boot & WebSocket
Ming-Ying Wu
 

What's hot (20)

Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in Java
 
Discover Quarkus and GraalVM
Discover Quarkus and GraalVMDiscover Quarkus and GraalVM
Discover Quarkus and GraalVM
 
Attack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure DeserializationAttack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure Deserialization
 
Spring data jpa
Spring data jpaSpring data jpa
Spring data jpa
 
Insecure Java Deserialization
Insecure Java DeserializationInsecure Java Deserialization
Insecure Java Deserialization
 
Spring Boot
Spring BootSpring Boot
Spring Boot
 
Introduction to Spring Boot
Introduction to Spring BootIntroduction to Spring Boot
Introduction to Spring Boot
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
 
Understanding Reactive Programming
Understanding Reactive ProgrammingUnderstanding Reactive Programming
Understanding Reactive Programming
 
Spring core module
Spring core moduleSpring core module
Spring core module
 
Spring Boot
Spring BootSpring Boot
Spring Boot
 
Spring I/O 2012: Natural Templating in Spring MVC with Thymeleaf
Spring I/O 2012: Natural Templating in Spring MVC with ThymeleafSpring I/O 2012: Natural Templating in Spring MVC with Thymeleaf
Spring I/O 2012: Natural Templating in Spring MVC with Thymeleaf
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
 
Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOP
 
Jdbc complete
Jdbc completeJdbc complete
Jdbc complete
 
Introduction to spring boot
Introduction to spring bootIntroduction to spring boot
Introduction to spring boot
 
Developing Faster with Swagger
Developing Faster with SwaggerDeveloping Faster with Swagger
Developing Faster with Swagger
 
Spring Boot
Spring BootSpring Boot
Spring Boot
 
Spring Boot & WebSocket
Spring Boot & WebSocketSpring Boot & WebSocket
Spring Boot & WebSocket
 

Similar to Defending against Java Deserialization Vulnerabilities

Java Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant VulnerabilitiesJava Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant Vulnerabilities
Lumension
 
Creating Scalable JVM/Java Apps on Heroku
Creating Scalable JVM/Java Apps on HerokuCreating Scalable JVM/Java Apps on Heroku
Creating Scalable JVM/Java Apps on Heroku
Joe Kutner
 

Similar to Defending against Java Deserialization Vulnerabilities (20)

Play framework
Play frameworkPlay framework
Play framework
 
Breakfast cereal for advanced beginners
Breakfast cereal for advanced beginnersBreakfast cereal for advanced beginners
Breakfast cereal for advanced beginners
 
Dynamic Proxy by Java
Dynamic Proxy by JavaDynamic Proxy by Java
Dynamic Proxy by Java
 
Where is my cache architectural patterns for caching microservices by example
Where is my cache architectural patterns for caching microservices by exampleWhere is my cache architectural patterns for caching microservices by example
Where is my cache architectural patterns for caching microservices by example
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
Aug penguin16
Aug penguin16Aug penguin16
Aug penguin16
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
 
Object Oriented Programming-JAVA
Object Oriented Programming-JAVAObject Oriented Programming-JAVA
Object Oriented Programming-JAVA
 
Java 2 computer science.pptx
Java 2 computer science.pptxJava 2 computer science.pptx
Java 2 computer science.pptx
 
Java Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant VulnerabilitiesJava Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant Vulnerabilities
 
FEATURES OF JAVA
FEATURES OF JAVAFEATURES OF JAVA
FEATURES OF JAVA
 
XPages Blast - ILUG 2010
XPages Blast - ILUG 2010XPages Blast - ILUG 2010
XPages Blast - ILUG 2010
 
Creating Scalable JVM/Java Apps on Heroku
Creating Scalable JVM/Java Apps on HerokuCreating Scalable JVM/Java Apps on Heroku
Creating Scalable JVM/Java Apps on Heroku
 
Jdk Tools For Performance Diagnostics
Jdk Tools For Performance DiagnosticsJdk Tools For Performance Diagnostics
Jdk Tools For Performance Diagnostics
 
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
 
Java programming and security
Java programming and securityJava programming and security
Java programming and security
 
Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.
 
Profiling documentforaltrec
Profiling documentforaltrecProfiling documentforaltrec
Profiling documentforaltrec
 
Writing Android Libraries
Writing Android LibrariesWriting Android Libraries
Writing Android Libraries
 
1 .java basic
1 .java basic1 .java basic
1 .java basic
 

Recently uploaded

Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
F
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024
SOFTTECHHUB
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Priya Reddy
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
pxcywzqs
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
AS
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
kumargunjan9515
 
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
gragchanchal546
 

Recently uploaded (20)

Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 

Defending against Java Deserialization Vulnerabilities

  • 1. Defending against Java Deserialization Vulnerabilities Bay Area OWASP Meetup - September 2016 Luca Carettoni - @lucacarettoni
  • 2. Agenda This talk is about defense and how to protect your application against this new old class of vulnerabilities. ● Intro to Java Deserialization bugs ● A real-life bug (SJWC serialized object injection via JSF view state) ● Discovery ● Defense
  • 3. Intro to Java Deserialization bugs
  • 4. From object graph data to byte stream
  • 5. Serialization in Code //Instantiate the Serializable class String myPreso = “OWASP Bay Area”; // Write to disk FileOutputStream fileOut = new FileOutputStream("serial.data"); // Write object ObjectOutputStream objOut = new ObjectOutputStream (fileOut); objOut.writeObject(myPreso);
  • 6. Deserialization in Code // Read from disk FileInputStream fileIn = new FileInputStream("serial.data"); // Read object ObjectInputStream objIn = new ObjectInputStream (fileIn); String myPreso = (String) objIn.readObject();
  • 7. Deserialization in Bytecode [...] aload ois invokevirtual Object ObjectInputStream.readObject() checkcast String [...] Any Serializable class will work until this point. No type safety
  • 8. Callback methods ● Developers can override the following methods to customize the deserialization process ○ readObject() ○ readResolve() ○ readObjectNoData() ○ validateObject() ○ finalize() Invoked by the Garbage Collector
  • 9. What if…. 1. A remote service accepts Java serialized objects 2. In the classpath of the remote application, there are unrelated classes that are Serializable AND implement one of the callbacks 3. The callback’s method implements something interesting* * File I/O operations, system commands, socket operations, etc.
  • 10. Unlikely? //org.apache.commons.fileupload.disk.DiskFileItem Private void readObject(ObjectInputStream in) { 703 in.defaultReadObject(); 704 705 OutputStream output = getOutputStream(); .. 709 FileInputStream input = new FileInputStream(dfosFile); 710 IOUtils.copy(input, output); 711 dfosFile.delete(); ..
  • 11. The Forgotten Bug Class @matthias_kaiser™ 2005 - Marc Schonefeld 2015 - Steve Breen And many more...
  • 12. A real-life bug, back from 2010 Sun Java Web Console serialized object injection via JSF view state
  • 13. Sun Java Web Console README - SJWC_3.0 “The Sun Java (TM) Web Console is a web application that provides a single point on entry for many of Sun's systems management applications. The console application provides a single-sign on capability and a secure home page for many of Solaris”
  • 14. JSF ViewState ● JSF ViewState uses Java deserialization to restore the UI state HTML Page <form> <input type="hidden" name="javax.faces.ViewState" value= </form>
  • 15. Sun Java Web Console - Login Page ViewState ● ViewState saved client-side only ○ javax.faces.STATE_SAVING_METHOD=”client” before SJWC < 3.1 ● No encryption
  • 16. A good bug ● Attractive target, as SJWC was the admin web interface for Solaris ● At the time of discovery (Jan 2010), I created a Proof-of-Concept using a known gadget based on Hashtable collisions (Crosby & Wallach, 2003) ○ https://www.ikkisoft.com/stuff/SJWC_DoS.java ● Back then, I had no idea about the infamous Apache Common Collections gadget (Gabriel Lawrence, Chris Frohoff) ○ /opt/sun/webconsole/private/container/shared/lib/commons-collections.jar ● However, I was able to leverage an Expression Language (EL) Injection-like to perform arbitrary file read ● Soon after, SJWC started using server-side ViewState ○ “Beware of Serialized GUI Objects Bearing Data” July 2010, Black Hat Vegas
  • 19. Code Review - Entry Points Look for occurrences of: ● java.io.ObjectInputStream.readObject() ● java.io.ObjectInputStream.readUnshared() And perform manual review to determine whether they use user-supplied data $ egrep -r "readObject(|readUnshared("
  • 20. Code Review - Gadgets ● This is the interesting (and complex) part of exploiting Java deserialization vulnerabilities ● As a defender, assume that there are multiple game-over gadgets available in the classpath ○ For example, SJWC uses 58 dependency JARs ● If you want to learn more on how to discover gold and silver gadgets: ○ Marshalling Pickles - Gabriel Lawrence, Chris Frohoff ○ Java Deserialization Vulnerabilities, The Forgotten Bug Class - Matthias Kaiser ○ Surviving the Java serialization apocalypse - Alvaro Muñoz, Christian Schneider ○ Ysoserialpayloads - https://github.com/frohoff/ysoserial/tree/master/src/main/java/ysoserial/payloads
  • 21. Discovery with no code... ● Decompile :) ● Magic bytes in the network traffic ○ 0xAC 0xED ○ rO0 ○ FvzFgDff9 ○ … ● Passive and active tools ○ https://github.com/DirectDefense/SuperSerial ○ https://github.com/johndekroon/serializekiller ○ <--ADD your favourite web scanner vendor HERE-->
  • 23. Things that do NOT work ● Patching Apache Commons ● Removing dependencies from the classpath ● Black-listing only ● Using a short-lived Java Security Manager during deserialization
  • 24. Your best option. All other mitigations are suboptimal. Do not use serialization when receiving untrusted data. It’s 2016, there are better options.
  • 25. Option #1 - Add authentication ● Add a layer of authentication to ensure that Java serialization can be invoked by trusted parties only ○ At the network layer, using client-side TLS certs ○ At the application layer, encryption/signing of the payload Pro Cons ● Network layer solutions can be implemented with no application changes (e.g. stunnel) ● Additional operational complexity ● If enc/dec is implemented by the application, secure keys management is crucial ● Trusted parties can still abuse the application
  • 26. Option #2 - Use Java Agent-based solutions ● Install a Java Agent solution to perform JVM-wide validation (blacklisting/whitelisting) ○ https://github.com/Contrast-Security-OSS/contrast-rO0 ○ https://github.com/kantega/notsoserial Pro Cons ● No application changes ● Easy to deploy and use ● Performance hit ● In certain environment, not usable (e.g. software engineer with no access to the underlying JVM container)
  • 27. Option #3 - Use safe ObjectInputStream implementation ● Replace calls to ObjectInputStream with calls to a safe implementation ○ Based on look-ahead techniques ○ https://github.com/ikkisoft/SerialKiller ○ https://github.com/Contrast-Security-OSS/contrast-rO0 (SafeObjectInputStream) Pro Cons ● Full control for developers ● Requires re-factoring ● To be bulletproof*, whitelisting must be used (which requires profiling, good understanding of the app) * Still affected by DoS gadgets
  • 28. Mitigations in real-life Full credit to Alvaro Muñoz and Christian Schneider
  • 29. SerialKiller SerialKiller is an easy-to-use look-ahead Java deserialization library to secure application from untrusted input. https://github.com/ikkisoft/SerialKiller
  • 30. How to protect your application with SerialKiller 1. Download the latest version of the SerialKiller's Jar a. This library is also available on Maven Central 2. Import SerialKiller's Jar in your project 3. Replace your deserialization ObjectInputStream with SerialKiller 4. Tune the configuration file, based on your application requirements
  • 31. In practice 1/2 // Read from disk FileInputStream fileIn = new FileInputStream("serial.data"); // Read object ObjectInputStream objIn = new ObjectInputStream (fileIn); String myPreso = (String) objIn.readObject();
  • 32. In practice 2/2 // Read from disk FileInputStream fileIn = new FileInputStream("serial.data"); // Read object ObjectInputStream objIn = new SerialKiller(fileIn, "/etc/sk.conf"); String myPreso = (String) objIn.readObject();
  • 33. SK’s configuration 1/2 SerialKiller config supports the following settings: ● Refresh: The refresh delay in milliseconds, used to hot-reload the configuration file ● BlackList: A Java regex to define malicious classes ○ Provides a default configuration against known gadgets ● WhiteList: A Java regex to define classes used by your application ● Profiling: To trace classes being deserialized ● Logging: Java’s core logging facility
  • 34. SK’s configuration 2/2 <?xml version="1.0" encoding="UTF-8"?> <config> <refresh>6000</refresh> <mode> <profiling>true</profiling> </mode> <logging> <enabled>true</enabled> <logfile>/tmp/serialkiller.log</logfile> </logging> <blacklist> [...] <!-- ysoserial's Spring1 payload --> <regexp>org.springframework.beans.factory.ObjectFactory$</regexp> </blacklist> <whitelist> <regexp>.*</regexp> </whitelist> </config>
  • 36. Thanks! Luca Carettoni - @lucacarettoni