14 Feb, 2023

Deserialization of Untrusted Data

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

Deserialization of Untrusted Data (DUD) is a vulnerability that can occur in software systems that use serialization and deserialization. Serialization is the process of converting an object’s state to a stream of bytes, while deserialization is the process of recreating the object from the stream of bytes.

In a system that uses DUD, untrusted data, such as data received from an external source, is deserialized without proper validation. This can allow an attacker to inject malicious data into the system, potentially leading to security vulnerabilities such as remote code execution, unauthorized access to sensitive data, or other malicious actions.

Examples of vulnerable code on different programming languages

C:

				
					#include <stdio.h>
#include <string.h>

void deserialize(char *data) {
  char buffer[100];
  strcpy(buffer, data);
  printf("Deserialized data: %s\n", buffer);
}

int main(int argc, char *argv[]) {
  if (argc < 2) {
    printf("Usage: %s <data>\n", argv[0]);
    return 1;
  }

  deserialize(argv[1]);
  return 0;
}
				
			

This code is vulnerable to a buffer overflow attack because it uses the strcpy function to copy data from argv[1] to the buffer array without checking the size of the data. An attacker can supply a string longer than 100 characters, which will overwrite adjacent memory and potentially allow them to execute arbitrary code.

C++:

				
					#include <iostream>
#include <string>
#include <sstream>

class Person {
 public:
  Person(std::string name, int age) : name_(name), age_(age) {}

  void Print() {
    std::cout << "Name: " << name_ << ", Age: " << age_ << std::endl;
  }

 private:
  std::string name_;
  int age_;
};

void Deserialize(std::string data) {
  std::stringstream ss(data);
  std::string name;
  int age;
  ss >> name >> age;
  Person p(name, age);
  p.Print();
}

int main(int argc, char *argv[]) {
  if (argc < 2) {
    std::cout << "Usage: " << argv[0] << " <data>" << std::endl;
    return 1;
  }

  Deserialize(argv[1]);
  return 0;
}

				
			

This code is vulnerable to a type confusion attack because it uses a stringstream to parse data from argv[1] and create a Person object. An attacker can supply a string that doesn’t match the expected format, which can result in unexpected behavior and potentially allow them to execute arbitrary code.

Python:

				
					import pickle

def deserialize(data):
    obj = pickle.loads(data)
    print("Deserialized object:", obj)

data = input("Enter serialized data:")
deserialize(data)
				
			

This code is vulnerable to a pickle injection attack because it uses the pickle.loads function to deserialize data without checking its contents. An attacker can supply a maliciously crafted pickle string, which can result in arbitrary code execution.

Ruby:

				
					require 'psych'

def deserialize(data)
  obj = Psych.load(data)
  puts "Deserialized object: #{obj}"
end

data = gets
deserialize(data)
				
			

This code is vulnerable to a YAML deserialization attack because it uses the Psych.load function to deserialize data without checking its contents. An attacker can supply a maliciously crafted YAML string, which can result in arbitrary code execution or other malicious actions.

It’s are just simple examples to illustrate the concept of DUD, and in real-world scenarios, the code would likely be more complex and contain additional security measures.

Examples of exploitation Deserialization of Untrusted Data vulnerabilities

Deserialization of Untrusted Data (DUD) is a vulnerability that arises when an application deserializes data without proper validation. This can lead to a wide range of security issues, including but not limited to: remote code execution, injection attacks, data tampering, and denial of service (DoS).

  1. Remote Code Execution: An attacker can craft a malicious serialized object that, when deserialized by the target application, will execute arbitrary code on the system. For example, an attacker could craft a serialized object in a .NET application that, when deserialized, would download and run a malicious executable.

  2. Injection Attacks: An attacker can craft a serialized object that, when deserialized, will inject code into the target application. For example, an attacker could craft a serialized object in a Java application that, when deserialized, would inject a SQL query that could be used to access sensitive data stored in a database.

  3. Data Tampering: An attacker can craft a serialized object that, when deserialized, will modify or manipulate data within the target application. For example, an attacker could craft a serialized object in a Ruby on Rails application that, when deserialized, would alter the state of an object within the application, leading to incorrect results or unexpected behavior.

  4. Denial of Service (DoS): An attacker can craft a serialized object that, when deserialized, will cause the target application to crash or become unavailable. For example, an attacker could craft a serialized object in a Python application that, when deserialized, would cause a buffer overflow, leading to a crash or denial of service.

These examples illustrate the wide range of security risks associated with DUD vulnerabilities.

Privilege escalation techniques  Deserialization of Untrusted Data vulnerabilities

Privilege escalation is a technique used to gain higher levels of access or privileges on a system than the current user has been granted. In the context of Deserialization of Untrusted Data (DUD) vulnerabilities, an attacker can use privilege escalation techniques to gain access to sensitive data or to execute arbitrary code with higher privileges.

Here are some examples of privilege escalation techniques that can be used in the context of DUD vulnerabilities:

  1. Unprivileged Deserialization: An attacker can craft a malicious serialized object that, when deserialized by the target application, will execute code with the privileges of the user who is running the application. For example, an attacker could craft a serialized object in a Java application that, when deserialized, would run code with the privileges of the user who started the application.

  2. Object Reuse: An attacker can craft a malicious serialized object that, when deserialized, will reuse an existing object within the target application. For example, an attacker could craft a serialized object in a .NET application that, when deserialized, would reuse an existing object with higher privileges, allowing the attacker to execute code with higher privileges.

  3. Type Confusion: An attacker can craft a malicious serialized object that, when deserialized, will cause the target application to treat a low-privilege object as a high-privilege object. For example, an attacker could craft a serialized object in a Ruby on Rails application that, when deserialized, would cause the application to treat a low-privilege object as an administrative user, allowing the attacker to access sensitive data or execute code with higher privileges.

General methodology and checklist for testing Deserialization of Untrusted Data vulnerabilities

The methodology for testing Deserialization of Untrusted Data (DUD) vulnerabilities involves several steps, including identifying potential attack surfaces, crafting malicious payloads, and analyzing the results to determine if a vulnerability exists.

Here is a detailed checklist for testing DUD vulnerabilities:

  1. Identify Attack Surfaces: The first step in testing for DUD vulnerabilities is to identify all potential attack surfaces within the target application. This may include web services, API endpoints, and other components that use serialization.

  2. Determine the Serialization Format: The next step is to determine the serialization format used by the target application. Common formats include JSON, XML, and binary serialization formats such as Java Serialization and .NET Serialization.

  3. Crafting Malicious Payloads: Once the attack surface and serialization format have been identified, the next step is to craft malicious payloads to test the target application. This may involve modifying existing serialized objects or creating new serialized objects that contain malicious code or data.

  4. Inject Malicious Payloads: The next step is to inject the malicious payloads into the target application and observe the results. This may involve sending the payloads to the target application via HTTP requests, or using other methods such as file uploads or direct database access.

  5. Analyze Results: The final step is to analyze the results of the testing to determine if a DUD vulnerability exists. This may involve reviewing application logs, looking for exceptions or errors, and analyzing the behavior of the target application to determine if any malicious code or data was executed or manipulated.

Follow these steps carefully and thoroughly to ensure that all potential DUD vulnerabilities are identified and properly addressed. Additionally, it is recommended to use automated tools and testing frameworks to help streamline the testing process and to reduce the risk of missed vulnerabilities. Also follow established security best practices and to stay up to date on the latest security research to ensure that the target application is protected against the latest threats.

Tools set for exploiting Deserialization of Untrusted Data vulnerabilities

Here is a list of popular tools for exploiting Deserialization of Untrusted Data (DUD) vulnerabilities:

Manual Tools:

  1. Burp Suite: Burp Suite is a popular web application security testing tool that includes features for testing serialization-related vulnerabilities. It can be used to test DUD vulnerabilities by intercepting and modifying network requests and responses. It can also be used to automate parts of the testing process by using macros or extensions.

  2. OWASP ZAP: OWASP ZAP (Zed Attack Proxy) is an open-source web application security scanner that includes features for testing DUD vulnerabilities. It can be used to test DUD vulnerabilities by intercepting and modifying network requests and responses. It also includes plugins for testing specific types of DUD vulnerabilities.

  3. Fiddler: Fiddler is a web debugging proxy tool that can be used to test DUD vulnerabilities in web applications. It can be used to intercept and modify network requests and responses, and it includes a scripting engine for automating parts of the testing process.

  4. Charles Proxy: Charles Proxy is a web debugging proxy tool that can be used to test DUD vulnerabilities in web applications. It can be used to intercept and modify network requests and responses, and it includes features for analyzing network traffic and performance.

  5. Postman: Postman is a popular API development and testing tool that can be used to test DUD vulnerabilities in APIs. It can be used to construct and send API requests and to analyze the responses. It also includes features for testing the security of APIs, such as rate limiting and authentication testing.

  6. SoapUI: SoapUI is a popular API testing tool that can be used to test DUD vulnerabilities in web services. It can be used to construct and send web service requests and to analyze the responses. It also includes features for testing the security of web services, such as testing for SOAP-related vulnerabilities.

  7. JsonView: JsonView is a browser plugin for testing DUD vulnerabilities in JSON-based APIs. It can be used to view JSON data in the browser and to test for DUD vulnerabilities by constructing and sending malicious payloads.

  8. XML Developer Tools: XML Developer Tools is a browser plugin for testing DUD vulnerabilities in XML-based APIs. It can be used to view XML data in the browser and to test for DUD vulnerabilities by constructing and sending malicious payloads.

Automated Tools:

  1. YSoSerial: YSoSerial is a tool for automatically generating malicious payloads for testing DUD vulnerabilities in .NET applications. It can be used to generate payloads that can be used to test for DUD vulnerabilities in .NET applications.

  2. JRMPListener: JRMPListener is a tool for testing DUD vulnerabilities in Java applications. It can be used to listen for incoming RMI (Remote Method Invocation) requests and to test for DUD vulnerabilities by sending malicious payloads.

  3. SerialKiller: SerialKiller is a tool for testing DUD vulnerabilities in Java applications. It can be used to generate malicious payloads that can be used to test for DUD vulnerabilities in Java applications.

  4. SerializationDumper: SerializationDumper is a tool for testing DUD vulnerabilities in .NET applications. It can be used to generate payloads that can be used to test for DUD vulnerabilities in .NET applications.

  5. Java Deserialization Scanner: Java Deserialization Scanner is a tool for testing DUD vulnerabilities in Java applications. It can be used to scan Java applications for DUD vulnerabilities and to generate reports with details about the vulnerabilities found.

  1. ysoserial.net: ysoserial.net is a tool for testing DUD vulnerabilities in .NET applications. It can be used to generate malicious payloads that can be used to test for DUD vulnerabilities in .NET applications.

  2. SerializeToFile: SerializeToFile is a tool for testing DUD vulnerabilities in .NET applications. It can be used to generate malicious payloads that can be used to test for DUD vulnerabilities in .NET applications.

  3. SerializationTester: SerializationTester is a tool for testing DUD vulnerabilities in .NET applications. It can be used to generate malicious payloads that can be used to test for DUD vulnerabilities in .NET applications.

Testing Frameworks:

  1. OWASP Juice Shop: OWASP Juice Shop is an intentionally vulnerable web application that can be used to test DUD vulnerabilities. It includes several DUD vulnerabilities that can be used to practice and improve testing skills.

  2. Hackazon: Hackazon is an intentionally vulnerable web application that can be used to test DUD vulnerabilities. It includes several DUD vulnerabilities that can be used to practice and improve testing skills.

  3. Mutillidae: Mutillidae is an intentionally vulnerable web application that can be used to test DUD vulnerabilities. It includes several DUD vulnerabilities that can be used to practice and improve testing skills.

  4. WebGoat: WebGoat is an intentionally vulnerable web application that can be used to test DUD vulnerabilities. It includes several DUD vulnerabilities that can be used to practice and improve testing skills.

This list is by no means exhaustive, but it should give you a good starting point for exploring the various tools and frameworks available for testing DUD vulnerabilities. It’s important to keep in mind that DUD vulnerabilities can be difficult to test for and that many tools and frameworks may not be able to find all potential vulnerabilities in a given application.

Average CVSS score of Deserialization of Untrusted Data vulnerabilities

The Common Vulnerability Scoring System (CVSS) is a standard for rating the severity of security vulnerabilities, ranging from 0 to 10. The score is based on various metrics, including the impact of the vulnerability on confidentiality, integrity, and availability, as well as the exploitability of the vulnerability.

The average CVSS score for Deserialization of Untrusted Data vulnerabilities can vary widely depending on the specific vulnerability and its impact. However, deserialization vulnerabilities are often considered high severity and can frequently receive CVSS scores of 7.0 or above.

The Common Weakness Enumeration (CWE)

The Common Weakness Enumeration (CWE) is a community-developed list of common software security weaknesses. The CWE includes a category for Deserialization of Untrusted Data vulnerabilities, and the top 10 most frequently reported Deserialization of Untrusted Data weaknesses in the CWE are:

CWE-502: Deserialization of Untrusted Data
CWE-501: Trust Boundary Violation through User-Controlled Deserialization
CWE-506: Embedded Malicious Code
CWE-512: Mismatched Memory Management Routines
CWE-513: Uncontrolled Pointer Dereference
CWE-117: Improper Output Neutralization for Logs
CWE-78: Improper Neutralization of Special Elements used in an OS Command
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-434: Unrestricted Upload of File with Dangerous Type
CWE-190: Integer Overflow or Wraparound

Deserialization of Untrusted Data exploits

  1. Java Deserialization Vulnerabilities: These vulnerabilities occur when untrusted data is deserialized in a Java application, which can result in the execution of malicious code.

  2. PHP Object Injection: This vulnerability occurs when untrusted data is used to create an object in a PHP application, which can result in the execution of arbitrary code.

  3. XML External Entity (XXE) Injection: This vulnerability occurs when untrusted XML data is parsed in an application, which can result in the disclosure of sensitive information or the execution of arbitrary code.

  4. Ruby on Rails YAML Deserialization: This vulnerability occurs when untrusted data is deserialized in a Ruby on Rails application using YAML, which can result in the execution of arbitrary code.

  5. Python Pickle Deserialization: This vulnerability occurs when untrusted data is deserialized in a Python application using the pickle module, which can result in the execution of arbitrary code.

  6. .NET BinaryFormatter Deserialization: This vulnerability occurs when untrusted data is deserialized in a .NET application using the BinaryFormatter, which can result in the execution of arbitrary code.

Practicing in test for Deserialization of Untrusted Data vulnerabilities

Practicing in a test environment is a great way to learn about Deserialization of Untrusted Data vulnerabilities and how to mitigate them. Here are some steps you can take to practice in a test environment:

  1. Set up a test environment: Set up a virtual machine or a dedicated server to run the application you want to test. Make sure you have the necessary tools and software installed, including a web server and a development environment.

  2. Identify the vulnerable code: Review the code of the application to identify any instances where untrusted data is deserialized. Look for places where the application is using serialization or deserialization libraries like Java’s ObjectInputStream or .NET’s BinaryFormatter.

  3. Craft malicious input: Create malicious input that can be used to exploit the vulnerability. This could involve creating a malicious serialized object or an XML document that contains malicious data.

  4. Attempt to exploit the vulnerability: Send the malicious input to the application and see if you can trigger the vulnerability. If successful, the exploit should allow you to execute arbitrary code or perform some other unauthorized action.

  5. Mitigate the vulnerability: Once you have successfully exploited the vulnerability, work on mitigating it by implementing best practices like input validation, filtering, and sanitization. You may also want to consider using a hardened serialization or deserialization library that is less prone to vulnerabilities.

For study Deserialization of Untrusted Data vulnerabilities

If you are looking to study Deserialization of Untrusted Data vulnerabilities, here are some resources that may be helpful:

  1. OWASP Deserialization Cheat Sheet: This is a comprehensive guide that covers everything from the basics of serialization and deserialization to detailed information on specific vulnerabilities and how to prevent them. It also includes sample code and examples of exploits.

  2. Java Deserialization Vulnerabilities: This is a paper written by a group of security researchers that goes into great detail about Java deserialization vulnerabilities, including common attack patterns and strategies for mitigating them.

  3. Detecting and Exploiting Java Deserialization Vulnerabilities: This is a presentation by security researcher Chris Frohoff that provides an in-depth look at Java deserialization vulnerabilities and how they can be exploited. It also includes examples of exploits and recommendations for preventing these types of vulnerabilities.

  4. Introduction to Deserialization Vulnerabilities: This is a video series by security researcher Jason Haddix that provides an overview of deserialization vulnerabilities and how they can be exploited. The series includes examples of exploits and demonstrations of how to mitigate these types of vulnerabilities.

  5. Code Review for Deserialization Vulnerabilities: This is a blog post by security researcher Soroush Dalili that provides a step-by-step guide for identifying and mitigating deserialization vulnerabilities in code. The post includes sample code and examples of exploits.

Books with review of Deserialization of Untrusted Data vulnerabilities

  1. “Securing Java: Getting Down to Business with Mobile Code, 2nd Edition” by Gary McGraw: This book covers a wide range of Java security topics, including deserialization vulnerabilities. It provides detailed information on how deserialization vulnerabilities work and how they can be exploited, as well as best practices for preventing these types of vulnerabilities.

  2. “The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities” by Mark Dowd, John McDonald, and Justin Schuh: This book is a comprehensive guide to identifying and mitigating security vulnerabilities in software, including deserialization vulnerabilities. It covers common attack patterns and strategies for preventing these types of vulnerabilities.

  3. “Web Application Security, A Beginner’s Guide” by Bryan Sullivan and Vincent Liu: This book provides an introduction to web application security, including common vulnerabilities such as deserialization vulnerabilities. It includes practical advice for mitigating these vulnerabilities and securing web applications.

  4. “Hacking Exposed 7: Network Security Secrets and Solutions” by Stuart McClure, Joel Scambray, and George Kurtz: This book is a comprehensive guide to network security, including web application security. It includes a detailed section on deserialization vulnerabilities, including how they can be exploited and how to prevent them.

  5. “Web Application Security: A Comprehensive Guide to Securing Your Application” by Andrew Hoffman and Tao Wan: This book provides a practical guide to web application security, including how to identify and mitigate deserialization vulnerabilities. It includes real-world examples of deserialization vulnerabilities and practical advice for securing web applications.

List of payloads Deserialization of Untrusted Data vulnerabilities

Here are some examples of payloads that can trigger deserialization of untrusted data vulnerabilities:

  1. Java: rO0ABQXr...

  2. PHP: O:+5:"User":25:{...}

  3. Python: cos\nsystem\n(S'echo vulnerable'\ntR.

  4. Ruby: --- !ruby/object:OpenStruct\n ...

  5. JSON: {"name": "user", "data": {...}}

These payloads are just examples, and the actual payload used to exploit the vulnerability will depend on the specific context of the application being targeted. It is important to note that deserialization of untrusted data vulnerabilities can be exploited in many different programming languages and data formats, not just the ones listed above.

How to be protected from Deserialization of Untrusted Data vulnerabilities

Preventing or mitigating deserialization of untrusted data vulnerabilities requires a multi-layered approach, and using only firewall rules or Sigma rules may not be sufficient. However, here are some examples of firewall rules and Sigma rules that can help to detect and prevent such vulnerabilities:

  1. Firewall rule: Block all traffic from untrusted sources or IP addresses.

  2. Sigma rule: title: Detect Untrusted Data Deserialization in Java\n\nlogsource:\n category: firewall\n\ndetection:\n selection:\n - "message": "*java.lang.ClassNotFoundException*"\n - "message": "*java.io.InvalidClassException*"\n\nfalsepositives:\n - False positives are possible, validate by checking the code.\n\nlevel: high\n\nrecommendation:\n - Investigate the source of the traffic and validate that the traffic is legitimate.\n - Check for updates and patches for the vulnerable library.\n\n

  3. Firewall rule: Block incoming traffic that contains serialized data, unless it is from a trusted source.

  4. Sigma rule: title: Detect Untrusted Data Deserialization in PHP\n\nlogsource:\n category: webserver\n\ndetection:\n selection:\n - "message": "*unserialize()*"\n - "message": "*__wakeup()*"\n\nfalsepositives:\n - False positives are possible, validate by checking the code.\n\nlevel: high\n\nrecommendation:\n - Check for updates and patches for the vulnerable library.\n - Implement input validation and filtering to prevent untrusted data from being deserialized.\n\n

It’s worth noting that these rules are just examples and may need to be adjusted to suit your specific environment and use case. Additionally, blocking traffic from untrusted sources or serialized data may not always be feasible, and it’s important to apply a layered approach that includes input validation, secure coding practices, and regular updates and patching of vulnerable libraries.

Mitigations for Deserialization of Untrusted Data vulnerabilities

  1. Avoid or minimize the use of deserialization whenever possible.

  2. Only deserialize data from trusted sources.

  3. Use a secure serialization protocol, such as JSON or Google Protocol Buffers, which is less susceptible to attacks.

  4. Implement input validation to prevent malicious input, such as checking data types, length, and format.

  5. Use whitelisting to restrict the classes that can be deserialized.

  6. Implement object graph flattening to avoid deserializing complex object graphs.

  7. Use sandboxing or virtualization to isolate the deserialization process.

  8. Monitor and log deserialization activities to detect and respond to attacks.

Conclusion

Deserialization of untrusted data vulnerabilities pose a significant risk to applications and systems that rely on deserialization. An attacker can exploit this vulnerability to execute arbitrary code and gain unauthorized access to the system. To mitigate these risks, it’s important to follow best practices, such as minimizing the use of deserialization, validating inputs, using secure serialization protocols, whitelisting, object graph flattening, sandboxing or virtualization, and monitoring and logging activities. By implementing these mitigations, organizations can reduce the risk of deserialization vulnerabilities and improve the security of their applications and systems.

Other Services

Ready to secure?

Let's get in touch