Serialization and deserialization
Purpose of serialization: to turn objects into a form that is easy to transmit over a network and to store.
java deserialization
Serialization converts an object into a stream (a byte sequence or a text format) that is easy to store and transport.
Deserialization is the reverse: it converts the stream back into an object.
For example: JSON serialization, XML serialization, binary serialization, SOAP serialization.
Serialization:
The writeObject() method of the java.io.ObjectOutputStream class serializes the target object and writes the resulting byte sequence to the output stream (conventionally a file with the .ser extension).
Deserialization:
The readObject() method of the java.io.ObjectInputStream class reads the byte sequence from the input stream and deserializes it back into an object.
Only objects whose class implements the Serializable or Externalizable interface can be serialized.
Vulnerability impact
Uncontrolled consequences such as code execution, file operations, database operations, and so on.
Vulnerability principle
If a Java application deserializes user input, that is, data it cannot trust, an attacker can construct malicious input so that the deserialized object is not what the application expected. Such an unexpected object can lead to arbitrary code execution during the deserialization process.
Where vulnerabilities have been found
In WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, etc.
- HTTP request parameters, cookies and form parameters.
- The RMI protocol, which is widely used and is based entirely on serialization.
- JMX, which handles serialized objects in the same way.
- Custom protocols that send and receive raw Java objects.
Vulnerability discovery
Determine the deserialization entry point
First find where the readObject method is called, then look for what can be injected at that point. In general there are two ways to search:
- Source audit: find a usable "target", that is, determine the call sites of the deserialization function readObject.
- Capture the application's network behaviour and look for serialized data, using tools such as Wireshark or tcpdump.
Black-box traffic analysis (a possible interview question)
When Java serialized data is transmitted there are generally two modes: in TCP packets it is usually sent as a raw binary stream, while in HTTP packets it is mostly sent base64-encoded. This leaves recognisable features in the traffic:
(1) TCP: the hex stream must contain aced0005, which essentially marks the start of a Java serialized object;
(2) HTTP: the stream must contain rO0AB, which is simply the base64 encoding of aced0005.
Either of these indicates that Java serialization is in use, and a payload can then be constructed to test for the vulnerability.
Black-box testing of Java RMI
Java RMI is a remote object (class) invocation service. The server listens on port 1099 by default and communicates over plain sockets, so remote calls rely entirely on serialization and deserialization.
White-box code audit
(1) Check whether the classes that implement the Serializable interface have problems.
(2) Check whether the logic of an overridden readObject method has problems.
(3) Re-examine whether the application's classpath contains the Apache Commons Collections library.
Generating the deserialization payload
Submitting the payload data
Vulnerability defence
Class whitelist checking:
The principle is simple: before deserialization starts, check the class name of every incoming object to be deserialized, and refuse to deserialize any class that is not on the whitelist. Obviously, Runtime will not be on such a whitelist.
Prohibit the JVM from executing external commands (Runtime.exec):
This measure can be achieved by extending the SecurityManager.