Deserialization vulnerability

By Abdelazim Mohammed (@intx0x80)

Thanks to:

Mazin Ahmed (@mazen160), Asim Jaweesh (@Jaw33sh)


Table of Contents

Serialization (marshaling) ........ 4
Deserialization (unmarshaling) ........ 4
Programming language support serialization ........ 4
Risk for using serialization ........ 5
Serialization in Java ........ 6
Deserialization vulnerability in Java ........ 6
Code flow work ........ 11
Vulnerability Detection ........ 12
CVE ........ 17
Tools ........ 17
Vulnerable libraries lead to RCE ........ 18
Mitigation ........ 19
Serialization in Python ........ 20
Deserialization vulnerability in Python ........ 21
Pickle instructions ........ 25
Exploit vulnerability ........ 26
CVE ........ 29
Mitigation ........ 29
Serialization in PHP ........ 30
Deserialization vulnerability in PHP ........ 30
Exploit vulnerability ........ 35
CVE ........ 39
Mitigation ........ 40
Serialization in Ruby ........ 41
Deserialization vulnerability in Ruby ........ 42
Detect and exploit vulnerability ........ 44
CVE ........ 53
Tools ........ 53
Mitigation ........ 53
Conclusion ........ 56


Introduction:

This document is intended to help penetration testers and students identify and test for serialization vulnerabilities on future penetration testing engagements, by consolidating research on serialization penetration testing techniques. Serialization is commonly implemented in many application servers and web applications; however, the technique has had vulnerabilities, and these have been discovered in many application servers and in methods of various web applications.


Serialization (marshaling):

It is the process of translating data structures or object state into a byte format that can be stored on disk or in a database, or transmitted over the network.

Deserialization (unmarshaling):

It is the opposite process: reconstructing the data structure or object from the series of bytes.

Programming language support serialization:

Many object-oriented programming languages support serialization, either through a syntactic-sugar element of the language or through an interface that the class implements. This study concentrates on deserialization vulnerabilities in Java, Python, PHP and Ruby, and on how these bugs can be detected, exploited and mitigated.


Risk for using serialization:

The risk arises when an application deserializes untrusted user input: an attacker can send malicious data to be deserialized, which can lead to logic manipulation or arbitrary code execution. This document works through examples of detecting and exploiting it in Java, Python, PHP and Ruby.
