I. Basic Understanding of the Java Serialization/Deserialization
- In computer science, serialization is the process of packaging program-internal object-related data in a way that allows it to be externally stored or transferred.
Java serializes objects by writing values and metadata of a class, along with all its referenced classes, into a byte stream. The serialized byte stream is reconstructed by instantiating the class described in the metadata and populating its fields with the values provided in the byte stream.
- To allow customization of the serialization and deserialization process for an object, a set of methods referred to as "Magic methods" is used. These methods are automatically called upon when objects are being processed for serialization or deserialization.
- These methods may invoke methods on deserialized objects, these methods may be abused by attackers to execute code within the class that is provided. To be able to exploit vulnerabilities, an attacker must have knowledge of the classes that exists within the application.
- An object could serializable if it was implemented interface java.io.Serializable.
- The first scenario is storing and retrieving object states. This is useful when an application needs to store the runtime state of an object, later processing or to be used in another session. The object state will typically be saved by saving its serialized state to a file system or within a database, the object can then be restored by any JVM when needed.
- The second scenario is interchanging data objects between two Java runtime environments by utilizing shared objects.
https://www.codementor.io/java/tutorial/serialization-and-deserialization-in-java
https://www.fatalerrors.org/a/rmi-deserialization-for-java-security.html
II. Insecure Deserialization
In Java applications, these gadgets are found in the libraries loaded by the application. Using gadgets that are in-scope of the application, you can create a chain of method invocations that eventually lead to RCE.
1. Gadgets Chain
Gadgets Chain is a chains of functions, start from the function that allowed in server/app's scope.
Example in Python
https://github.com/baobaovt/CodeReviewLab/tree/DemoInsecureDeserialization/DemoGadgetChains
Prevent Reflection in java for mitigration Insecure Java Deserialization
Không có nhận xét nào:
Đăng nhận xét