[Learning] Java Deserialization Vulnerabilities

 

I. Basic Understanding of the Java Serialization/Deserialization

- In computer science, serialization is the process of packaging program-internal object-related data in a way that allows it to be externally stored or transferred.

Java serializes objects by writing values and metadata of a class, along with all its referenced classes, into a byte stream. The serialized byte stream is reconstructed by instantiating the class described in the metadata and populating its fields with the values provided in the byte stream.

- To allow customization of the serialization and deserialization process for an object, a set of methods referred to as "Magic methods" is used. These methods are automatically called upon when objects are being processed for serialization or deserialization. 

- These methods may invoke methods on deserialized objects, these methods may be abused by attackers to execute code within the class that is provided. To be able to exploit vulnerabilities, an attacker must have knowledge of the classes that exists within the application.

- An object could serializable if it was implemented interface java.io.Serializable.

- The first scenario is storing and retrieving object states. This is useful when an application needs to store the runtime state of an object, later processing or to be used in another session. The object state will typically be saved by saving its serialized state to a file system or within a database, the object can then be restored by any JVM when needed.

- The second scenario is interchanging data objects between two Java runtime environments by utilizing shared objects.

https://www.codementor.io/java/tutorial/serialization-and-deserialization-in-java

https://www.fatalerrors.org/a/rmi-deserialization-for-java-security.html

II. Insecure Deserialization

The path from a Java deserialization bug to remote code execution (RCE) can be convoluted. To gain code execution, a series of gadgets need to be used to reach the desired method for code execution.

In Java applications, these gadgets are found in the libraries loaded by the application. Using gadgets that are in-scope of the application, you can create a chain of method invocations that eventually lead to RCE.

1. Gadgets Chain

Gadgets Chain is a chains of functions, start from the function that allowed in server/app's scope.

Example in Python

https://github.com/baobaovt/CodeReviewLab/tree/DemoInsecureDeserialization/DemoGadgetChains

base class of String in Python

All subclasses of <class object>

Choose class warnings

sys module was defined in class warnings

Find the modules which created warnings

Call modules os and successfuly execute command

These pictures above is an example about chains of gadget that from String in python to Exec os function.

Abuse Gadgat chains we can attack Insecure Deserialization system/server/app and leverage with RCE.

2. Demo Insecure Deserialization Lab 

https://github.com/baobaovt/CodeReviewLab/tree/DemoInsecureDeserialization

You can download/clone this lab from github 

- First, import all java file to your ide

- Run DemoServer jar file on Terminal/CMD ( java -jar <jarfile>)

- run client with IDE.

This is RMI client/server which connected to each other and send/receive Object data with Serialize/Deserialize.

You can custom object from client-side with Reflection and change private value such as isAdmin, logCommand

Use gadget chains from BadAttributeValueExpException class to trigger toString() method and excute arbitrary command (ex: whoami)

Prevent Reflection in java for mitigration Insecure Java Deserialization