That's it. Hi everyone. I won't take too long because the dinner is approaching, so this talk is going to be on deserialization bugs. So if you are a pentester, this talk will give you a good trick that you will probably be able to reuse this year at least, and if you're a sysadmin this will expose you to a problem that is getting more popular. And yeah, so it's a practical talk, but a technical one.

So who am I, before starting the talk? I'm a researcher at GoSecure. So basically I'm analyzing vulnerabilities and trying to find new ones in popular software. I'm also doing various tools to help pentesters and other security analysts. Some of the tools I do: I do Find Security Bugs, as Pierre David mentioned, so it's a static analysis tool. I also do one for .NET, and other Burp extensions for helping with pentest tasks. I've been a volunteer at NorthSec for a few years, I'm doing challenges, and it's the second time I'm giving a conference here.

So now, getting into the subject. So why are we here? So what do all these applications have in common? So late last year all those applications were vulnerable to the same vulnerability class. So it's the same pattern, not exactly the same exploitation, but it's really the same vulnerability class, and all those are Java applications. But we'll see, I'll try to highlight also the design principle and the design problem related to this flaw that also applies to other languages and other libraries. So the common thing is that they all use serialization functionality that is accessible remotely.

So I will divide this talk: first we're going to go through the basics, so just explain what deserialization is, to make sure you understand how deserialization is used properly, so what's the real use case. Then we'll go into exploitation scenarios to see how we can use alternate behavior and unexpected behavior based on this functionality. I'll also give examples in other languages just to show that there are small differences, but it's the same principle that will apply.
So what is deserialization? So I'll give a basic overview. So first, what is serialization? It's when you transform data and you put it in a format that is ready to be transferred or stored. So why do we do this? We do this transformation either to persist a state, so for example to do storage of a state of the application, a session or anything. We can do caching with serialization. Also communication between processes, if we need to restore something in another process. And what will be the most interesting case will be network communication, because if we're talking about client-server communication, there's much, much more potential for security, for a pentester to get remote code execution, than when it's all local communication. So that will be the main focus of our different attacks.

So how does serialization work? I have a visual representation. So we have one application running, in this case it's a client application, we have various objects in memory, and we cannot just copy the memory representation because objects will have tons of references or caching properties that we don't necessarily need to transfer. That's why we're doing a transformation, and we'll extract some of the fields potentially. So then we will serialize the object, so it will be a format. So here we're going to talk about native serialization, but it's the same as JSON, XML, Protobuf: all those can be considered serialization formats, but they will have differences obviously in their representation. And when the other application receives this format it will be able to restore this state and reconstruct the object out of it. So I have listed a couple of formats, but what's the main difference between
native serialization in Java and, for example, JSON? So the main difference is that with Java native serialization you can add custom behavior to objects that are being deserialized. In JSON it's static info, so you can list properties, but you cannot add custom behavior when deserialization occurs, at least not in the most popular libraries.

So I have a couple of examples, just to give you an example. So here, optionally, for a Serializable object we can, in Java, create a readObject method, and this readObject method will be called when the object gets deserialized. So if it's a communication over a network, when the server receives the object, if it's a custom Serializable object with a readObject, this will be executed when it's deserialized. I have another example here that is doing other things, but in general it can be more complex, calling other classes. These are really basic examples, and one thing to remember, from a design point of view, from a security perspective I mean: as soon as you have custom behavior that a library is introducing, for the attacker it's an additional entry point. So contrary to static data like JSON, if I know that I can instantiate any class of your application and trigger those readObject methods, maybe I will be able to instantiate classes that are not expected to be called. So then those readObject behaviors could be triggered in an unexpected way. And one thing to mention, like in the example on the left, the object state will be restored, so the properties will be filled, and then some execution will occur. So then the attacker has an interesting entry point, because you'll be able to initialize the object as you want and then the behavior will be executed. So this introduces many more possibilities.

So in the code we'll see just an example of Java deserialization. So if the server receives a payload it will do readObject to deserialize the object. So internally what it will do, in the byte stream,
it will find the class name. Based on this it will load the class if it's not already loaded, and it will instantiate the class. No constructor is called, so by default no method is called, and it's only if a readObject method is implemented that it will be called. And the Command cast that we see, this is not something that happens prior to those steps. So the execution of the readObject method will happen even if the object is not a Command, so it will trigger in the end a cast exception. But this does not stop an attacker from sending any type that is available in the application. So there is no assertion that in this case a Command object will be sent to the server; it can be any object.

So we'll look at one example that was the most common one in the applications we mentioned previously. So we'll look at Commons Collections. So we need two ingredients to have a vulnerable application. First we need deserialization: if you're not doing deserialization your application is not vulnerable, for sure. So if you have a proprietary application, I'm going to show in the end a tool that will be able to scan your application and find if you're using deserialization somewhere in your application, potentially in legacy application functionality. And the other ingredient that is needed to have a successful exploitation is to have particular serializable classes, and those serializable classes we'll call them gadgets. These are classes that are serializable with interesting readObject methods, and once triggered we can get unexpected behavior that will lead to remote code execution. So the main design flaw is: you shouldn't do deserialization and accept any class, any type of object on your classpath, because you'll have so many libraries that you haven't looked at that could create a bad behavior. So this is one of the popular gadgets that all the applications I mentioned prior had in their classpath. So those are classes on the right from the library Commons Collections from Apache,
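The read-then-cast sequence just described, as an added example that is not code from the talk: a constructed Note class with a benign readObject hook is sent where a Command is expected, and the hook runs before the cast throws (Command, Note and the helper names are made up for the demo).

```java
import java.io.*;

// Constructed demo: the receiving side reads an object and casts it to the
// type it expects, but the readObject() hook of whatever class the stream
// names has already run by the time the cast is evaluated.
public class DeserializationOrder {

    // The type the server expects to receive.
    interface Command extends Serializable {
        String run();
    }

    // Some unrelated Serializable class on the classpath with a custom
    // readObject hook. It is benign here: it only records that it ran.
    static class Note implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean hookRan = false;
        private String text;

        Note(String text) {
            this.text = text;
        }

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject(); // fields are restored first, from the stream
            hookRan = true;         // then the custom behaviour executes
            System.out.println("Note.readObject ran, text=" + text);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The server-side pattern from the talk: read the object, then cast it.
    static Command readCommand(byte[] stream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            return (Command) ois.readObject(); // cast happens after readObject() returned
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] stream = serialize(new Note("not a Command")); // a Note, not a Command
        try {
            readCommand(stream);
        } catch (ClassCastException e) {
            System.out.println("cast failed as expected: " + e.getMessage());
        }
        // The hook has run even though the cast rejected the object.
        System.out.println("readObject hook ran before the cast: " + Note.hookRan);
    }
}
```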
and I won't go into the detail of how the gadget works because I want to stay high level, just to make sure you understand the design principle, that is the design flaw. But in the end those classes can lead to remote code execution, and the interesting thing to notice is that some of the classes, the ChainedTransformer, are not classes with a readObject method, and the way they are triggered is that they are using an invocation handler. An invocation handler is a serializable object that is another entry point. So it's not only serializable classes that are interesting to attack, because an invocation handler in Java is going to be a combination of an invocation handler and a proxy. So the way it works, it's like in a script, so if you want to do mocking on an object you can replace: instead of calling class Test you could mock a class that will likely implement Test, but instead all the calls will be redirected to a proxy. They are passed to an invocation handler. So the idea is that proxies are serializable, so in your gadget you will put an instance of a proxy and it will reference an invocation handler that will be your interesting entry point. So all invocation handlers in the classpath of your application can be triggered by an attacker, and it was the case for Commons Collections: they were using an invocation handler from the JDK, but in the end it was calling Commons Collections classes.

So I will do a demo of a tool that you could use in a pentest that is wrapping tons of gadgets, so you don't have to build yourself all the chain that I presented previously. Okay, so for this demo I chose JBoss because visually it's easier to understand, because most of the vulnerable software was available over a remote admin client, so it was all command-line clients, but this one is over HTTP so it will be more visual and easier to understand. So we have an old version of JBoss here and the interesting endpoint is the invoker. Just zoom a bit. At this URL, /invoker/JMXInvokerServlet,
and this endpoint receives a serialized object. So if we're using the application or the admin panel and we see serialized objects in the Burp proxy, for example, then we know we have a potential to replace those serialized objects with our malicious gadget, and that's what we'll just do. So I'll just zoom out. So the tool I'll be demoing is ysoserial. So I think it's visible. So it's pretty easy to use. When you enter no argument, it will list you all the gadgets available. So the idea is that a gadget will only work if the needed classes are on the classpath. So if for example you have the Commons Collections library on the classpath of the vulnerable application, it will work, but if it's not the case you might need to rely on another variation. And the arguments are quite easy to set up: so the first argument will be the payload, so in this case we'll use a Commons Collections one, and the second argument will be the command we'll execute. So in this case I'll just run the calculator, but you could replace this, so I'm doing a GET to our reverse shell and then executing it for having a reverse shell on the server. So the output will be a serialized object; if needed we can encode it into base64. The output is just the payload, but in our case we'll just save it to a file, to Nordsec.bin. Just to show back the command: so the only two arguments that were needed were which gadget we're going to use and then the command being executed. So you replace this with your reverse shell, and I'm saving it to Nordsec.bin. So then I have Burp in Repeater. So I will be sending an HTTP request to the vulnerable endpoint, and if I send nothing I will get this deserialization error telling me the value is empty, I get an error. Instead I will load from the file I've just saved, the Nordsec.bin, and this is the serialized gadget. And as soon as I send it then I get execution, because my server is running on the same machine.
So this is just a visual confirmation. Okay, okay, it's actually a really reliable exploit. So if you see in your assessments WebLogic, JBoss, WebSphere, all those Java containers, a lot of them have remote APIs like this. So that's for identifying and exploiting, actually, with gadgets, those available services. So the basic methodology is: you need to first find serialized objects going through your proxy. Sometimes it will be in Wireshark if it's not HTTP requests. Then the second step will be to generate a gadget, so in this case with ysoserial we were able to generate one for Commons Collections. Then we replace the initial object with it and then we just replay the request or continue with the protocol. If it doesn't work you can repeat the same thing with different gadgets. So it's just trial and error, since if you're doing a black box test you won't know for sure what are the available classes on the remote application, but you can just try one after the other. If it doesn't work it might be a specific protocol: sometimes if there is a readInt or other primitive types prior to reading the object, you'll need to just follow the sequence of the protocol until a readObject is done, and you'll be able to do the same thing. So that's a little detail. And if it doesn't work it might be that it's not vulnerable: so there could be a whitelist of the classes that could be deserialized, or there could be a blacklist in place.

So that's the demo I've just done. So that's from an attacker point of view, or if you're doing a pentest, that's what you would do in a black box. But what if you have a proprietary application in Java, for example, and you want to know if you're vulnerable to this? Because you could have so many endpoints, sometimes
you don't remember the legacy ones. So I'll give an example of how you can scan your application, or even a proprietary application that you don't have the source code for. So what you'll look for is two things, the two ingredients I mentioned prior: so the deserialization operation, so this is the design flaw, and potentially the gadgets to exploit. So if you are testing an application and you are able to download a trial or download the application, you could do a scan and potentially find the interesting endpoints that are exposed that do deserialization. So this will give you some hints. And also, if the gadgets are not part of the known ones, you might need to build a custom payload from this.

So the demo I'll do is with Find Security Bugs. This is the static analysis tool I'm maintaining. So in this case I'll just analyze the same application as previously, so in this case it will be JBoss, but if you have an application you could do the same thing. So with Find Security Bugs, the command line works like this: you specify a directory or a jar, but if you want to scan your whole application you could extract the list of all the jars and then pass it to the tool and it will scan everything. So in this case JBoss, it's around 2000 megs of binary jar files. So what I've done: I've created a list containing all the jars and I will pass the content of this file to the tool. So the command just looks like this. Okay, so the command in detail, it's not that interesting, but I will be analyzing all the jars of JBoss and I will be creating a report out of it. So this could take a couple of minutes, so I already have a report produced. And one little detail to mention is that I don't have the source code of JBoss right now, so it's only scanning the binary format.
So this is interesting because you'll have full coverage of the classes available, and you'll be able to reproduce this on a proprietary application also. So I'll let this scan, but I already have the result. So we're looking for two types of things. First the deserialization part. So as an attacker, if you're looking at a big application you want to know where in the application deserialization occurs. So you'll obviously have a couple of false positives, because as I mentioned previously serialization is used for multiple use cases and it's not always remotely accessible. But here in JBoss we can quickly see by the package name that we'll find some remoting packages. So this is a remoting API, so most likely accessible from remote. And RESTEasy is also something accessible for a REST API, so it could have a potential, so we could analyze those. We have a reference to in which method and in which class the deserialization occurs, so we can review it with a disassembler or decompiler. Now that we know that it's vulnerable to deserialization, we need to find gadgets.
So we could try the gadgets from ysoserial, but if we don't have a known one that works, in the next version of Find Security Bugs there will be a gadget finder, based on multiple heuristics. So basically we don't want to list all the serializable classes in the application, because there would be a couple of thousand possibly. So those are all cases where there is a serializable class with a risky operation being done, sometimes reflection or other behavior. Also invocation handlers are identified as a variant of those, and the third occurrence that it will find is actually the vulnerable gadget that was found in Commons Collections. So with this tool, if you want to do research and find your own gadget, because you're stuck, because currently libraries are proactively patching those, so they add a switch to make them not serializable remotely, or add a switch so the gadgets are still there but not exploitable, so we need to find new ones. So if you want to find new ones, that's one way that could help you, because it will highlight some interesting classes for you instead of looking at all the code of all the libraries in your application. So that's from a defense perspective: if you're maintaining a web application in Java you could also use the plugin in your IDE to do the scanning.

And I'll quickly go to the other languages, so that's just to highlight that this is a design flaw that applies to multiple types of libraries. So it's not just native serialization in Java: as soon as you see custom features that occur during parsing, it's something that we have seen also in other libraries in other languages, that they decided to add custom behavior that could be triggered by inserting a specific keyword or specific part in XML, for example. So any library that has custom behavior on deserialization could potentially lead to unexpected behavior and remote code execution. So we'll look at the PHP case.
So PHP's unserialize method: there's no possibility to whitelist the classes that you want to unserialize. So really, if you are doing unserialize in PHP, which you should never do, you're open to all the classes that are loaded from your file. So anything that you have included will be accessible and will be able to be unserialized. This will include obviously also all the classes of the PHP API. And the interesting trigger here: there's no read method like in Java, but all the magic methods can be triggered accidentally. That means that if you're deserializing an object that an attacker sent, it will also call the __destruct method when the script finishes executing. So then you could also have a chain of execution that would lead to remote code execution. In general the chain will be quite complex, it will be a chain across multiple objects, but here I have a small example that is easier to understand. So this is taken from a clue CTF, and the challenge was: there was an unserialize operation that was being done, and you also had sort of access to the source code, so you had a couple of PHP files also with the application, and one of the classes, SQLDB, was having this __destruct method, and each time the SQLDB was being closed it was calling a SQL close and then createLog, and the createLog was doing SQL queries. So from the developer's perspective, he didn't intend that this method would be called remotely.
It's all the variables coming from the local object, but for the attacker this class becomes an endpoint, because I can call the destruct method with any state that I want for this object, so any field I can put in the state that I want. So in this case the interesting part was the createLog operation, and it was doing SQL queries with sanitization, but what the sanitization will do: if you add a single quote it will add a backslash and the proper escaping. But here the thing to notice is that the log table, the table name, is not between quotes, and in this case we don't need to add a quote, so we'll be able to do just a straight injection. So the way the gadget, or the malicious payload, will work is: you serialize this class with the malicious value in log table, and once it executes it will trigger the SQL injection. So that's for the example in PHP.

In Python it's also a bit different. There's pickle, which is highly documented that you shouldn't use in a remote API, but you'll find it, not often, but more often in CTFs. And the interesting part is the __reduce__ method. So like the readObject method in Java, you can specify a custom __reduce__ method and this method will be called when the object is deserialized. And the main difference with Java is that you're not dealing with only the object: you can also even serialize this method in the object that you want. So you can also serialize code, a code section, with the object. So here we have a basic example, so a class calling calc.exe, and the remote application, that doesn't even need to have this class in its application, will deserialize this class, and the __reduce__ method, as we can see, is doing the code that we want it to execute, so in this case it's creating a process. And in the serialized version we can see that the code of the __reduce__ method is also bundled.
So this is probably the easiest way to exploit deserialization, because we don't need to... Yes? Yeah, potentially. But yeah, yeah, but then you would need to use another API that is available. Yeah, that's something I'm not sure about, I would have to check. So the main difference to remember is that in the case of pickle, the __reduce__ method, the code, is serialized with the object, so it's not just properties and data.

So, solutions. There's doing patches and doing whitelists. So for existing applications, if you have legacy Java applications that are doing serialization, you could add a blacklist to reduce the risk of having known gadgets being used as an exploitation vector. For a new application you should simply choose a library that is not doing fancy behavior on deserialization, so using JSON, or Protobuf if you need a compact protocol. So that's something to remember at design time, because afterward it will bite you as you have more problems to maintain it and patch for the different gadgets. One of the projects you can use out of the box for Java is NotSoSerial. It will blacklist by default all the known gadgets, but it's just a whack-a-mole game until somebody finds another gadget. So that's it, I'm done with my talk and my demo. So if you have any questions, don't hesitate to ask them now or afterward.
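The whitelist alternative mentioned above, as an added example that is not from the talk or from NotSoSerial: a look-ahead ObjectInputStream that rejects any class name not on an explicit allow list before the class is instantiated, so no readObject hook of an unexpected class ever runs (EchoCommand, Command and the helper names are constructed for the demo).

```java
import java.io.*;
import java.util.Collections;
import java.util.Set;

// Constructed example: a whitelist checked before any object is instantiated,
// the opposite of a gadget blacklist that must be updated for every new gadget.
public class WhitelistedInput {

    interface Command extends Serializable { String run(); }

    static class EchoCommand implements Command {
        private static final long serialVersionUID = 1L;
        private final String text;
        EchoCommand(String text) { this.text = text; }
        public String run() { return text; }
    }

    // resolveClass() receives the class name read from the stream before that
    // class is instantiated, so an unexpected name can be rejected here and no
    // readObject hook of the rejected class ever runs.
    static class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        LookAheadObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class is not on the whitelist");
            }
            return super.resolveClass(desc);
        }
    }

    // Only the one concrete type this endpoint actually expects.
    static final Set<String> ALLOWED = Collections.singleton(EchoCommand.class.getName());

    static Command readCommand(byte[] stream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new LookAheadObjectInputStream(new ByteArrayInputStream(stream), ALLOWED)) {
            return (Command) ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(readCommand(serialize(new EchoCommand("ok"))).run()); // accepted
        try {
            readCommand(serialize(new java.util.Date())); // Serializable, but not expected
        } catch (InvalidClassException e) {
            System.out.println("rejected before instantiation: " + e.getMessage());
        }
    }
}
```

Java 9 and later also ship a built-in ObjectInputFilter (JEP 290, set with ObjectInputStream.setObjectInputFilter) that can express the same allow list as a pattern string without subclassing the stream.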