Deserialization vulnerability
By Abdelazim Mohammed (@intx0x80)
Thanks to:
Mazin Ahmed (@mazen160), Asim Jaweesh (@Jaw33sh)
1|Page
Table of Contents
Serialization (marshaling) (p. 4)
Deserialization (unmarshaling) (p. 4)
Programming language support serialization (p. 4)
Risk for using serialization (p. 5)
Serialization in Java (p. 6)
    Deserialization vulnerability in Java (p. 6)
    Code flow work (p. 11)
    Vulnerability Detection (p. 12)
    CVE (p. 17)
    Tools (p. 17)
    Vulnerable libraries lead to RCE (p. 18)
    Mitigation (p. 19)
Serialization in Python (p. 20)
    Deserialization vulnerability in Python (p. 21)
    Pickle instructions (p. 25)
    Exploit vulnerability (p. 26)
    CVE (p. 29)
    Mitigation (p. 29)
Serialization in PHP (p. 30)
    Deserialization vulnerability in PHP (p. 30)
    Exploit vulnerability (p. 35)
    CVE (p. 39)
    Mitigation (p. 40)
Serialization in Ruby (p. 41)
    Deserialization vulnerability in Ruby (p. 42)
    Detect and exploit vulnerability (p. 44)
    CVE (p. 53)
    Tools (p. 53)
    Mitigation (p. 53)
Conclusion (p. 56)
Introduction:
This document is intended to help penetration testers and students identify and test serialization vulnerabilities on future penetration testing engagements by consolidating research on serialization penetration testing techniques. Serialization is typically implemented in various application servers and web applications; however, the technique has had vulnerabilities, and these have been discovered in many application servers and in methods of various web applications.
Serialization (marshaling):
It is the process of translating data structures or object state into a byte format that can be stored on disk or in a database, or transmitted over the network.
Deserialization (unmarshaling):
It is the opposite process: reconstructing the data structure or object from a series of bytes.
Programming language support serialization:
Many object-oriented programming languages support serialization, either through a syntactic-sugar element or through an interface that the class implements. This study concentrates on deserialization vulnerabilities in Java, Python, PHP and Ruby, and on how these bugs can be detected and exploited, together with mitigation techniques.
Risk for using serialization:
The risk arises when untrusted user input is deserialized: an attacker can send malicious data to be deserialized, which can lead to logic manipulation or arbitrary code execution. This document takes examples of how to detect and exploit it in Java, Python, PHP and Ruby.
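As an added example that is not part of the original document, the following Python code illustrates the risk described above from the defender's side: the standard `pickle.loads` will resolve and instantiate any class named inside the byte stream, whereas a restricted unpickler that allowlists the globals it is willing to resolve refuses anything else before it is instantiated. The allowlist, the sample payloads and the function names are all constructed for this illustration; `datetime.date` is used only as a stand-in for "a class the application did not expect", not as an attack gadget.

```python
import datetime
import io
import pickle
from collections import OrderedDict

# Constructed allowlist: the only (module, name) pairs this application
# ever expects to find inside a serialized object. Everything else is
# treated as an attempt to instantiate an arbitrary class.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve globals outside ALLOWED_GLOBALS.

    find_class is invoked for every GLOBAL / STACK_GLOBAL opcode in the
    stream, i.e. every time the payload asks for a class or callable by
    name. Rejecting here stops the object before it is constructed.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"forbidden global {module}.{name} in untrusted pickle data"
        )


def unsafe_loads(data: bytes):
    """The naive pattern: whatever class the stream names gets resolved."""
    return pickle.loads(data)


def safe_loads(data: bytes):
    """Deserialize with the allowlisting unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_untrusted(data: bytes):
    """Return (ok, value_or_reason) so callers can log rejections."""
    try:
        return True, safe_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample inputs, built with pickle itself so they are valid:
# plain builtins only (no class references at all),
PLAIN_SAMPLE = pickle.dumps({"user": "alice", "roles": ["reader"]})
# a class that is on the allowlist,
ALLOWED_SAMPLE = pickle.dumps(OrderedDict(a=1))
# and a class that is NOT on the allowlist (benign here, but unexpected).
UNEXPECTED_SAMPLE = pickle.dumps(datetime.date(2020, 1, 1))


if __name__ == "__main__":
    # Naive loading happily instantiates the unexpected class.
    print("unsafe:", unsafe_loads(UNEXPECTED_SAMPLE))
    # Restricted loading accepts only what the application expects.
    for label, blob in [("plain", PLAIN_SAMPLE),
                        ("allowed", ALLOWED_SAMPLE),
                        ("unexpected", UNEXPECTED_SAMPLE)]:
        print(label, load_untrusted(blob))
```

The same idea applies to the other languages covered in this document: the safe pattern is to decide, before any object is built, which types the application is willing to reconstruct, and to reject the rest; rejections should be logged, since an unexpected class name in serialized input from a client is itself a detection signal.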