5. The Chick has to break out of the shell 1
@pavanw3b
1:
https://www.youtube.com/watch?v=ozMPRSZ8Ykk
6. ● Many people in Security don’t understand 1
● Hard to find for most
● OWASP Top 10 2021 A8: Software & Data Integrity Failure
● It’s fun!
● It’s a Python day, but same in any technology
1:
Observed most candidates fail to explain clearly in the interviews
Why talk about Insecure Deserialization Weakness?
@pavanw3b
13. Let’s look at Bruce, I mean Object
character = {“first_name”: “Bruce”, “last_name”: “Banner”}
● Dictionary in Python
● Character is an Object
● Object: Material seen, touched etc
● Object in OOP: An instance of class
● Class: A defines the characters and features
13
@pavanw3b
14. I thought Python dict is a data type.
Are you saying it’s a class?
The diff got thinner and now it’s the same!
More details: https://stackoverflow.com/a/35959047
14
@pavanw3b
15. Stored. Why?
● Manage state
● Persist as data for processing later
● Recreate objects even if the program is terminated
● Stored on Disk, Database, Caches, Socket, Message Bus etc
15
@pavanw3b
16. Transmitted. Why?
● Server to client - end user
● For consumption by different technology
● Two machines: Machine A wants to send rich object to Machine B
instead of plain data.
16
@pavanw3b
17. Reconstructed. Why?
● Server to client - end user
● Another technology needs to process
● Could be a shared, micro service
17
@pavanw3b
18. Why we Serialize?
● Object in one environment can’t be understood by another
● Pass data at different layers
○ Client to server
○ File-DB to business layer etc
● Micro services
● OOP & MVC influences to see everything in Object and Model.
18
@pavanw3b
20. Python Pickle
● A python default module for serialize-deserialize
● We consider built-in modules over third-party
● Implements binary protocol
20
Unpickling
@pavanw3b
● Convert serialized data back to Objects
Pickling = Serializing, Marshalling, Flattening
● Converts Objects into Byte Stream
● dump() vs dumps(): Pickled File vs byte stream object
21. Now the problem is
● Not Secure
● Only unpickle data you trust
● Leads to RCE otherwise
21
@pavanw3b
22. Let’s take a deeper look
python serialize-to-file.py python deserialize-from-file.py
22
@pavanw3b
23. I can control the object. How do I RCE?
● Use the same way as Serialization
● Serialize a RCE payload and pass it to (Insecure) Deserialization
● Problem: The payload should be an Object!
● Solution: __reduce__()
● Special instruction on how to handle certain object when it fails natively.
● E.g.: Open File
23
@pavanw3b
25. Why __reduce__() exists: The Solution
25
Returns:
● Callable object that gets
initialized when expanded
● A tuple of arguments to
the object
@pavanw3b
27. Target: Django Application
● User Form data pickled and set to Cookie
● Cookie value unpickled on the next request
● Expected base64encoded “user” cookie
● Design: Get User object from the client side
● #MVC
27
@pavanw3b
28. Getting Reverse Shell from the Target
● Use __reduce__ and return os.system with your RCE Payload
● Serialize it, base64encode it and print
● Edit user cookie and reload
28
@pavanw3b
29. Why Pickle does it this way?
● Not because pickles contain code
● Because they create objects by calling constructors named in the pickle
● Pickle Virtual Machine (PVM)
● Serialized stream is actually instructions
● Handles the Opcodes directly!
29
@pavanw3b
30. Common places to check for insecure deserialization
● Cookie values
● Files: User supplied, log files, panda dataframe to binary
● Social media feeds / tweets
● User controlled data gets converted into Objects
30
@pavanw3b
31. Watch out for in White box Code Reviews
● Python: pickle.loads(), pickle.load(), yaml.load()
● Php: unserialize()
● Java: XMLdecoder, XStream.fromXML(),
ObjectInputStream().readObject(), readObject,
readObjectNodData, readResolve, readExternal,
readUnshared, Serializable etc
31
@pavanw3b
32. Watch out for in Black box dynamic testing
● Python: data ends with dot (.)
● Java: AC ED 00 Hex, ro0 in base64,
Content-type: application:x-java-serialized-object
● .NET: AAEAAAD//////
32
@pavanw3b
33. Utilities for detection and exploitation
● frohoff/ysoserial: Java
java -jar ./ysoserial-0.0.4-all.jar CommonsCollections1 ‘ping domain.com’ > payload
● pwntester/ysoserial.net: .NET
● Burp Extension: Java Deserialization Scanner by federicodotta
33
@pavanw3b
34. Remediate
● Don’t spoil your Pickle: Don’t unpickle untrusted data
● Other language: Use Look Ahead along with a Whitelist of Classes
● Be careful about the whitelist: DoS - Billion laughs attack incase of Hash,
Array etc Classes
● Fix: Java 9: Serial Filters or check the depth or size
34
@pavanw3b
35. Design & Configurations Recommendations
● Prefer language-agnostic formats: JSON, YAML over native binary
● Sign data with hmac and check it is not tampered with
● Don’t rely on WAFs alone: They don’t have visibility to internal
● Avoid generic serialization, use class-specific serialization
35
@pavanw3b
36. References:
pickle — Python object serialization — Python 3.10.5 documentation
Pickling Objects in Python
BlackHat 2011 - Sour Pickles, A serialised exploitation guide in one part
Class vs. Type in Python - Stack Overflow
Deserialization - OWASP Cheat Sheet Series
36
@pavanw3b
