09 Feb, 2023

Deserialization vulnerabilities

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

Deserialization vulnerabilities refer to security weaknesses that occur when a maliciously crafted input is used to interfere with the normal functioning of the deserialization process. Deserialization is the process of converting a stream of data in a particular format, such as binary or JSON, into an object or data structure in memory.

Deserialization vulnerabilities can be exploited by attackers to inject arbitrary code into a vulnerable application, execute arbitrary commands, or access sensitive information. This type of vulnerability can be especially dangerous because it often goes unnoticed, as it can be triggered by an attacker simply sending a specially crafted message or request to the application.

Examples of vulnerable code on different programming languages

 Java

 
				
					import java.io.FileInputStream;
import java.io.ObjectInputStream;

public class DeserializationExample {
  public static void main(String[] args) {
    try {
      FileInputStream fileIn = new FileInputStream("data.ser");
      ObjectInputStream in = new ObjectInputStream(fileIn);
      Object obj = in.readObject();
      in.close();
      fileIn.close();
    } catch (Exception e) {
      e.printStackTrace();
    }
  }
}
				
			

This code is vulnerable to deserialization attacks because it blindly deserializes an object from a data file without checking its integrity or validating its source. An attacker could create a maliciously crafted data file and use it to execute arbitrary code on the system that runs this code.

 .NET (C#):

 
				
					using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;

class DeserializationExample {
  static void Main(string[] args) {
    try {
      Stream stream = File.Open("data.bin", FileMode.Open);
      BinaryFormatter formatter = new BinaryFormatter();
      Object obj = formatter.Deserialize(stream);
      stream.Close();
    } catch (Exception e) {
      Console.WriteLine(e.Message);
    }
  }
}

				
			

This code is also vulnerable to deserialization attacks because it does not validate the input data before deserializing it. An attacker could create a malicious binary file and use it to execute arbitrary code on the system that runs this code.

 PHP:

				
					<?php
$data = unserialize(file_get_contents('data.txt'));

class DeserializationExample {
  public function __wakeup() {
    exec("rm -rf /");
  }
}

				
			

This code is vulnerable to deserialization attacks because it does not validate the input data before unserializing it. An attacker could create a malicious data file that contains a serialized object of the DeserializationExample class, and use it to execute arbitrary code on the system that runs this code. The __wakeup magic method will be called automatically during the deserialization process, and in this case, it will execute the exec function to delete all files on the system.

It is important to always validate input data before deserializing it and to sanitize any data that will be used in a deserialization process. Additionally, it is recommended to use secure deserialization libraries that have been specifically designed to address these types of vulnerabilities.

Examples of exploitation Deserialization vulnerabilities

  • Remote code execution: An attacker can craft a maliciously serialized object that contains malicious code and send it to a vulnerable application. When the application deserializes the object, the malicious code will be executed, allowing the attacker to take control of the system.

  • Data theft: An attacker can craft a maliciously serialized object that contains sensitive data, such as passwords or financial information, and send it to a vulnerable application. When the application deserializes the object, the sensitive data will be extracted and sent back to the attacker.

  • Denial of service (DoS): An attacker can craft a maliciously serialized object that contains a large number of objects or a cyclical reference, causing the application to run out of memory or enter an infinite loop when it tries to deserialize the object. This can result in a denial of service attack, causing the application to become unresponsive or crash.

  • Injection attacks: An attacker can craft a maliciously serialized object that contains malicious data that can be used to inject malicious code into the application. For example, the attacker could craft an object that contains a SQL injection payload, which will be executed when the application tries to deserialize the object and access the malicious data.

Privilege escalation techniques for Deserialization vulnerabilities

Deserialization vulnerabilities can be used as a technique for privilege escalation, which is the act of exploiting a vulnerability in a system to gain elevated permissions. Here are a few ways that deserialization vulnerabilities can be used for privilege escalation:

  1. Object hijacking: An attacker can craft a maliciously serialized object that contains code that changes the permissions of the executing user or process. When the application deserializes the object, the malicious code will be executed, elevating the attacker’s privileges.

  2. Abusing trust relationships: If a vulnerable application trusts another component, such as a library or an API, an attacker can craft a maliciously serialized object that is accepted by the trusted component. When the vulnerable application deserializes the object, it will execute the malicious code, elevating the attacker’s privileges.

  3. Bypassing access controls: An attacker can craft a maliciously serialized object that bypasses access controls, such as a security sandbox or a restricted environment. When the application deserializes the object, the attacker’s code will be executed with elevated privileges.

 

General methodology and checklist for testing for Deserialization vulnerabilities

Here is a checklist for testing for deserialization vulnerabilities:

  1. Input validation: Verify that the application properly validates the input data before deserializing it. Ensure that the input data is of the correct type and format, and that it is not maliciously crafted.

  2. Secure deserialization libraries: Ensure that the application uses secure deserialization libraries, such as those that provide built-in input validation and access controls.

  3. Object types: Verify that the application only deserializes objects of trusted types and does not deserialize untrusted objects.

  4. Access controls: Ensure that the application implements strong access controls to prevent unauthorized access to sensitive data and functionality.

  5. Serialized object size: Verify that the application limits the size of serialized objects to prevent denial of service attacks.

  6. Code execution: Test the application to see if it executes code from a deserialized object.

  7. Data theft: Test the application to see if it is possible to extract sensitive data from a deserialized object.

  8. Injection attacks: Test the application to see if it is possible to inject malicious code into a deserialized object.

  9. Privilege escalation: Test the application to see if it is possible to use a deserialization vulnerability to escalate privileges.

This is a general checklist for testing for deserialization vulnerabilities. It is important to keep in mind that different applications may have unique requirements, and that additional testing may be necessary to fully assess the security of the application.

Tools set for exploiting Deserialization vulnerabilities

Manual tools:

  1. Burp Suite: A popular web application security testing platform that includes a plugin called “SerializedObjects” that can be used to test for deserialization vulnerabilities.

  2. OWASP ZAP: An open-source web application security testing platform that includes a plugin called “Serialized Objects Scanner” that can be used to test for deserialization vulnerabilities.

  3. Manual testing: Deserialization vulnerabilities can also be tested manually by sending specially crafted serialized objects to the application and observing the application’s behavior.

Automatic tools:

  1. YSoSerial: A tool that automatically generates payloads for testing deserialization vulnerabilities.

  2. Java Deserialization Scanner: A tool that can be used to scan Java applications for deserialization vulnerabilities.

  3. Serialize-Me: A tool that can be used to scan .NET applications for deserialization vulnerabilities.

  4. deser-scan: A tool that can be used to scan Python applications for deserialization vulnerabilities.

  5. Deserialization Scanner: A tool that can be used to scan PHP applications for deserialization vulnerabilities.

  6. JexBoss: A tool that can be used to test for deserialization vulnerabilities in Java applications.

  7. Daru: A tool that can be used to test for deserialization vulnerabilities in Ruby applications.

  8. NoSQLMap: A tool that can be used to test for deserialization vulnerabilities in NoSQL databases.

  9. JDeserialize: A tool that can be used to test for deserialization vulnerabilities in Java applications.

  10. Deserialization fuzzer: A tool that automatically generates and sends maliciously crafted serialized objects to an application to test for deserialization vulnerabilities.

Average CVSS score of Deserialization vulnerabilities

The Common Vulnerability Scoring System (CVSS) is a widely used method for quantifying the severity of security vulnerabilities. The average CVSS score of deserialization vulnerabilities can vary widely depending on the specifics of the vulnerability.

In general, deserialization vulnerabilities can range from low-severity issues to critical vulnerabilities. For example, a deserialization vulnerability that allows an attacker to execute arbitrary code with elevated privileges would likely receive a high CVSS score, such as 9.0 or higher. On the other hand, a deserialization vulnerability that allows an attacker to inject data into a serialized object but does not result in any other significant impact may receive a lower CVSS score, such as 4.0 or 5.0.

The Common Weakness Enumeration (CWE)

The Common Weakness Enumeration (CWE) is a classification system for software security vulnerabilities that provides a common language for describing and managing security weaknesses. In the context of deserialization vulnerabilities, the following CWEs are commonly associated with these types of vulnerabilities:

 CWE-502: Deserialization of Untrusted Data
 CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
 CWE-114: Process Control
 CWE-94: Improper Control of Generation of Code (‘Code Injection’)
 CWE-276: Incorrect Default Permissions
 CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
 CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
 CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
 CWE-284: Improper Access Control
 CWE-94: Improper Control of Generation of Code (‘Code Injection’)

Deserialization vulnerabilities exploits

Deserialization vulnerabilities can be exploited in a number of ways, depending on the specifics of the vulnerability and the environment in which it occurs. Some common exploitation techniques for deserialization vulnerabilities include:

  1. Remote Code Execution: An attacker can supply a malicious serialized object to the application, which is then deserialized and executed with the privileges of the application.

  2. Data Manipulation: An attacker can modify data within a serialized object to alter the behavior of the application or gain unauthorized access to sensitive information.

  3. Information Disclosure: An attacker can exploit a deserialization vulnerability to extract sensitive information from the application, such as passwords, secret keys, or other confidential data.

  4. Denial of Service (DoS): An attacker can create a malicious serialized object that causes the application to consume excessive resources or crash when deserialized.

  5. Code Injection: An attacker can inject malicious code into a serialized object, which is then executed when the object is deserialized.

  6. Cross-Site Scripting (XSS): An attacker can inject malicious JavaScript into a serialized object, which is then executed in the context of a vulnerable web application when the object is deserialized.

Practicing in test for Deserialization vulnerabilities

There are several ways to test for deserialization vulnerabilities, including:

  1. Vulnerable Services: Many online services and applications may be vulnerable to deserialization vulnerabilities, and can be tested by sending specially crafted serialized objects to the service and observing the results.

  2. Vulnerable Repositories: Many open-source software repositories contain vulnerable code that can be used to test for deserialization vulnerabilities. This can include software libraries, frameworks, and other code components that implement serialization and deserialization functionality.

  3. Sandbox Environments: You can set up a sandbox environment that mimics a real-world deployment, and then test for deserialization vulnerabilities by sending specially crafted serialized objects to the environment. This can be useful for testing the effects of deserialization vulnerabilities on a specific target, or for testing the behavior of custom-made serialization and deserialization functions.

  4. Automated Tools: There are a variety of automated tools available for testing for deserialization vulnerabilities, including web application scanners, fuzz testing tools, and dynamic analysis tools. These tools can help identify potential deserialization vulnerabilities and provide information on the specifics of the vulnerability and how it can be exploited.

For study Deserialization vulnerabilities

There are many resources available for learning about deserialization vulnerabilities and how to detect and exploit them. Here are a few resources you might find helpful:

  • Courses: Many online courses are available that cover deserialization vulnerabilities and how to detect and exploit them, including courses offered by platforms like Udemy, Coursera, and Pluralsight.

  • Practice Sites: There are several websites that provide opportunities to practice detecting and exploiting deserialization vulnerabilities, including websites like HackTheBox and VulnHub.

  • Videos: Many educational videos are available on platforms like YouTube and Vimeo that provide information on deserialization vulnerabilities and how to detect and exploit them. These videos can be a great way to learn about the basics of these vulnerabilities and get a hands-on understanding of how they work.

  • Books: There are several books available that cover deserialization vulnerabilities and how to detect and exploit them, including “Web Application Hacker’s Handbook” by Dafydd Stuttard and Marcus Pinto, and “Black Hat Python” by Justin Seitz.

Books with review of Deserialization vulnerabilities

  • “Web Application Hacker’s Handbook” by Dafydd Stuttard and Marcus Pinto: This book is widely regarded as a classic in the field of web application security, and provides a comprehensive guide to detecting and exploiting deserialization vulnerabilities.

  • “Black Hat Python” by Justin Seitz: This book provides an introduction to the Python programming language and demonstrates how it can be used for security testing and exploitation, including the exploitation of deserialization vulnerabilities.

  • “Secure Coding in .NET” by Brian Hastings: This book provides guidance on how to write secure code in .NET, including advice on how to avoid deserialization vulnerabilities and other security risks.

  • “Mastering PHP Security” by Shahzad Sahaib: This book provides a comprehensive guide to PHP security, including a section on how to prevent and mitigate deserialization vulnerabilities in PHP applications.

List of payloads Deserialization vulnerabilities

Deserialization vulnerabilities can be exploited by sending specially crafted payloads to the vulnerable application. Here are a few examples of payloads that can be used to exploit deserialization vulnerabilities:

  1. Gadget chains: Gadget chains are a series of objects that are combined to form a malicious payload. When the payload is deserialized, the gadget chain can be used to execute arbitrary code, escalate privileges, or steal data.

  2. Malicious classes: A malicious class is a custom class that is specifically designed to exploit a deserialization vulnerability. The class can be sent as a payload and when deserialized, can be used to execute arbitrary code, escalate privileges, or steal data.

  3. Tampered data: Tampered data is data that has been altered in some way to exploit a deserialization vulnerability. This can include modifying existing data or adding new data to the payload.

  4. Bytecode payloads: Bytecode payloads are binary payloads that are executed when deserialized. They can be used to execute arbitrary code, escalate privileges, or steal data.

These are just a few examples of the many types of payloads that can be used to exploit deserialization vulnerabilities, and the exact payload will depend on the specific vulnerability being exploited.

How to be protected from Deserialization vulnerabilities

  • Firewall Rules: Firewall rules can be used to block incoming traffic that contains payloads that are known to exploit deserialization vulnerabilities. This can include blocking incoming traffic that contains certain data types or payload structures, or blocking incoming traffic from specific IP addresses or domains.

  • Sigma Rules: Sigma rules are a set of open-source detection rules that can be used with intrusion detection systems (IDSs) to detect deserialization attacks. These rules can be used to detect and alert on suspicious activity, such as incoming traffic that contains payloads that are known to exploit deserialization vulnerabilities.

  • Input Validation: Input validation can be used to prevent malicious payloads from being sent to the vulnerable application. This can include checking the data type and structure of incoming payloads, as well as validating the data to ensure it is not malicious.

  • Whitelisting: Whitelisting is a security technique that allows only trusted payloads to be processed by the vulnerable application. This can include only allowing trusted payloads to be sent to the application, or only allowing payloads from trusted sources to be processed.

Mitigations for Deserialization vulnerabilities

  1. Object Serialization Libraries: Object serialization libraries can be used to control the types of objects that can be deserialized. This can include using a custom serialization library that only allows objects of a specific type to be deserialized, or using a library that provides enhanced security features, such as signing and encryption.

  2. Code Review: Code review can be used to identify and fix deserialization vulnerabilities in the source code of the application. This can include reviewing the code for areas where deserialization is being performed, as well as reviewing the code for areas where malicious payloads can be sent to the application.

  3. Use of a Reverse Proxy: A reverse proxy can be used to add an additional layer of security between the application and the internet. This can include using a reverse proxy to validate incoming payloads, or to block incoming payloads that contain malicious data.

Conclusion

In conclusion, deserialization vulnerabilities are a significant security threat that can be used to exploit a wide range of applications. These vulnerabilities occur when an application deserializes malicious data, which can allow attackers to execute arbitrary code or access sensitive information. To prevent deserialization attacks, it is important to implement a range of mitigation techniques, including input validation, whitelisting, object serialization libraries, code review, and the use of a reverse proxy. Additionally, it is important to stay informed of the latest developments in deserialization vulnerabilities and to regularly test and monitor applications for potential vulnerabilities. By taking these steps, organizations can help protect their applications and data from the dangers of deserialization attacks.

Other Services

Ready to secure?

Let's get in touch