A Modern Fairy Tale: Java Serialization - JAX London...A Modern Fairy Tale: Java Serialization...

transcript

A Modern Fairy Tale: Java Serialization

Stephen Hellberg

L3 Support Engineer, IBM

Java, Node.js, Scala, etc. Developer

Support Planner/Architect

Technical Consultant

A Modern Fairy Tale: Java Serialization

• Why we still need serialization and where we use it.

• How the built-in design is flawed

• How it is being exploited and used against us

• How to work against the dark arts rallied against us

• How even the alternative forms of Java serialization can still be open to attack

Why do we need serialization?

Common Serialization uses

Java Persistence API (JPA)

Java Persistence API (JPA) Remote EJB Remote EJB

Remote Method Invocation (RMI)Remote Method Invocation (RMI)

Java Management

Extensions (JMX)

Java Management

Extensions (JMX)

Contexts and Dependency

Injection (CDI)

Injection (CDI)HTTP cookiesHTTP cookies

HTML FormsHTML Forms REST ServicesREST Services

Anywhere you find ObjectInputStream

Java Serialization is easy to use

implements java.io.Serializable;

You just have to opt in….

Java Serialization is easy to use

FileOutputStream fos = new FileOutputStream(output);ObjectOutputStream oos = new ObjectOutputStream(fos);oos.writeObject(m);

FileInputStream fis = new FileInputStream(input);ObjectInputStream ois = new ObjectInputStream(fis);Thing t = (Thing) ois.readObject();

Then its easy to save...

... and restore objs

If you don’t opt-in

java.io.NotSerializableException:

at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184)at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:348)

Java Serialization is a useful and relatively easy to use technology

There might just be some side effects

Example

OC1 example=new OC1();

oos.writeObject(example);

public class OC1 implements Serializable { private String hello="hello";}

0000000 ac ed 00 05 73 72 00 15 6f 63 31 2e 73 65 72 69 | ....sr..oc1.seri0000010 61 6c 69 73 61 74 69 6f 6e 2e 4f 43 31 ab 5a a9 | alisation.OC1.Z.0000020 59 37 9f 03 ef 02 00 01 4c 00 05 68 65 6c 6c 6f | Y7......L..hello0000030 74 00 12 4c 6a 61 76 61 2f 6c 61 6e 67 2f 53 74 | t..Ljava/lang/St0000040 72 69 6e 67 3b 78 70 74 00 05 68 65 6c 6c 6f | ring;xpt..hello

<STREAM_MAGIC>

<STREAM_MAGIC><STREAM_VERSION>

<STREAM_MAGIC><STREAM_VERSION><TC_OBJECT>

<STREAM_MAGIC><STREAM_VERSION><TC_OBJECT><TC_CLASSDESC>

<STREAM_MAGIC><STREAM_VERSION><TC_OBJECT><TC_CLASSDESC><UTF8-ClassName>

<STREAM_MAGIC><STREAM_VERSION><TC_OBJECT><TC_CLASSDESC><UTF8-ClassName><serial-version-id>

<STREAM_MAGIC><STREAM_VERSION><TC_OBJECT><TC_CLASSDESC><UTF8-ClassName><serial-version-id><flags>

<STREAM_MAGIC><STREAM_VERSION><TC_OBJECT><TC_CLASSDESC><UTF8-ClassName><serial-version-id><flags><field count>

<STREAM_MAGIC><STREAM_VERSION><TC_OBJECT><TC_CLASSDESC><UTF8-ClassName><serial-version-id><flags><field count><field type(Object)>

<STREAM_MAGIC><STREAM_VERSION><TC_OBJECT><TC_CLASSDESC><UTF8-ClassName><serial-version-id><flags><field count><field type(Object)><UTF8-FieldName>

<STREAM_MAGIC><STREAM_VERSION><TC_OBJECT><TC_CLASSDESC><UTF8-ClassName><serial-version-id><flags><field count><field type(Object)><UTF8-FieldName><Class Name>

<STREAM_MAGIC><STREAM_VERSION><TC_OBJECT><TC_CLASSDESC><UTF8-ClassName><serial-version-id><flags><field count><field type(Object)><UTF8-FieldName><Class Name><flags>

<STREAM_MAGIC><STREAM_VERSION><TC_OBJECT><TC_CLASSDESC><UTF8-ClassName><serial-version-id><flags><field count><field type(Object)><UTF8-FieldName><Class Name><flags><UTF8-String value>

Element Value

STREAM_MAGIC 0xacdc

STREAM_VERSION 0x0005

TC_OBJECT 0x73

TC_CLASSDESC 0x72

UTF8-ClassName oc1.serialisation.OC1

serial-version-id 0xab5aa959379f03ef flags 0x02

field count 0x0001

field type ‘L’

UTF8-FieldName ‘hello’

Class Name ‘java.lang.String’

flags 0x787074

UTF8-String value ‘hello’

Element Value

STREAM_MAGIC 0xacdc

TC_OBJECT 0x73

TC_CLASSDESC 0x72

field count 0x0001

field type ‘L’

UTF8-FieldName ‘hello’

Class Name ‘java.lang.String’

flags 0x787074

A check that you’re talking about the same class

Element Value

STREAM_MAGIC 0xacdc

TC_OBJECT 0x73

TC_CLASSDESC 0x72

field count 0x0001

field type ‘L’UTF8-FieldName ‘hello’

Class Name ‘java.lang.String’flags 0x787074

The actual contents of the instance are self-defining

Serialization allows you to easily turn a graph of objects into a transferable form – and back again

Element Value

STREAM_MAGIC 0xacdc

TC_OBJECT 0x73

TC_CLASSDESC 0x72

field count 0x0001

Class Name ‘java.lang.String’flags 0x787074

The actual contents of the instance are self-defining

Element Value

STREAM_MAGIC 0xacdc

TC_OBJECT 0x73

TC_CLASSDESC 0x72

field count 0x0001

field type ‘I’UTF8-FieldName ‘hello’

Class Name ‘java.lang.Number’flags 0x787074

Integer value 0x0001

What happens if I do this?

“java.lang.ClassCastException: cannot assign instance of java.lang.Integer to field oc1.serialisation.OC1.hello of type java.lang.String in instance of oc1.serialisation.OC1”

Are we safe from changes to the serialization stream then?

public class OC1 {

private String hello="hello";

Element Value

field name hello

field type L

class name java.lang.String

value hello

public class OC1 {

Element Value

field name hello

field type L

class name java.lang.String

value hello

public class OC1 {

private Object hello="hello";

Element Value

field name hello

field type L

class name java.lang.Object

value hello

public class OC1 {

private Object hello="hello";

Element Value

field name hello

field type L

class name java.lang.Object

value hello

Element Value

field name hello

field type [

class name java.lang.Array

value 1,2,3,4

Element Value

field name hello

field type L

class name HashMap

value A=1,B=2

Element Value

field name hello

field type L

class name Any class name

value Any value

Why is a self defining data stream dangerous?

public class Foo {

static {System.out.println("static initializer called");

public Foo() {System.out.println("object constructor called");

What happens if we run “new Foo()”

public class Foo {

static {System.out.println("static initializer called");

public Foo() {System.out.println("object constructor called");

static initializer calledobject constructor called

Element Value

Class Name ‘org.random.Foo’

What happens if we try to deserialise Foo into OC1’s hello field?

public class OC1 {

public class Foo implements Serializable{

static { System.out.println("static initialiser called");}public Foo() { System.out.println("object constructor called");}}

What gets called - A,B, Both or Neither?

static initialiser called

“Exception in thread "main" java.lang.ClassCastException: cannot assign instance of org.random.Foo to field oc1.serialisation.OC1.hello of type java.lang.String in instance of oc1.serialisation.OC1”

A output

exception

Java Deserialization can be used to execute codeeven if it eventually fails!

That’s still useful to the bad guys.

We’ve just learnt that constructors do not get called during deserializationpublic class Foo implements Serializable{

private int data[];

public Foo() {data=new int[] {1,2,3,4};

public int size() {return data.length;

} What happens here?

Element Value

STREAM_MAGIC 0xacdc

TC_OBJECT 0x73

TC_CLASSDESC 0x72

field count 0x0001

field type ‘[’UTF8-FieldName ‘data’

Element Type I

Element Count 0x04

Values 1,2,3,4

Valid stream

private int data[];

} The answer is 4?

What happens if I do this?

Element Value

STREAM_MAGIC 0xacdc

TC_OBJECT 0x73

TC_CLASSDESC 0x72

field type nullUTF8-FieldName ‘data’

private int data[];

Code here neverGets called

private int data[];

} So NPE!

And its not just “implements Serializable” instances that are at risk

public class SubClass extends Parent implements Serializable{static { System.out.println("in SubClass class init");}public SubClass() { System.out.println("in SubClass constructor");}}

public class Parent {static { System.out.println("in Parent class init");}public Parent() { System.out.println("in Parent constructor");}}

This class just opted-in its parent

”new SubClass()”. Deserialise SubClass

in Parent class initin SubClass class initin Parent constructor

in Parent class initin SubClass class initin Parent constructorin SubClass constructor

public class SubClass extends Parent implements Serializable{static { System.out.println("in SubClass class init");}public SubClass() { System.out.println("in SubClass constructor");}}

public class Parent {static { System.out.println("in Parent class init");}public Parent() { System.out.println("in Parent constructor");}}

called

Not called

This code was called.Did the author expect

it to be part of a serialization story?

public interface IFoo {}

public class FooImpl implements IFoo {}

Is FooImpl serializable?

public interface IFoo extends Serializable{}

public class FooImpl implements IFoo {}

Is FooImpl serializable? - it is now!

Java serialization is a great gift to the bad guys

How many serialization vulnerabilities are there?

Can we be safer?

Classes can ‘opt-in’ to deserialization and take more control

public class Log implements Serializable{private File logfile;private transient FileOutputStream los;

private void readObject(ObjectInputStream in) throws IOException,ClassNotFoundException {

in.defaultReadObject();los=new FileOutputStream(logfile);

But that can still be used against them

Element Value

field name logfile

value /tmp/Foo_log

But that can still be used against them

Element Value

field name logfile

value /etc/passwd

Other ways to reduce exposure

private final void readObject(ObjectInputStream in) throwsjava.io.IOException

{ throw new java.io.IOException("forbidden");

Opt out of being deserialized (add to every class!)

Other ways to reduce exposure// reject deserialisation of any class belonging to untrustedmodule, // and of any array with more than 500 items in it

jdk.serialFilter=!untrustedmodule/.**;maxarray=500

// white-list classes from package com.myorg.trusted, // but not necessarily from its subpackages.

jdk.serialFilter=com.myorg.trusted.*

Implement class filtering

Implement your own ObjectInputSteam.

Use modularity to reduce available classes

Attackers can only call code available on your system

Create a deliberate data transfer model

public final class Packet implements Serializable{

String name;int size;List<ChildPacket> kids;

Complicated data structures

converter

And maybe stop using native serialization at all

{"name" : "foobar" ,"size" : 1 ,"kids" : [ { } , {} ]}

Complicated data structures

converter

Switching to alternatives is not a panacea

Protecting yourself against serialization exploits is hard

And remember – it’s not just your code. Its all of your dependencies too!

The self-defining design of Java Serialization is open to exploitation.

It’s all about running the code you already have. Just not how you expected

Or changing your data to invalid but useful values

How do the bad guys do this?

Data manipulation

Serialisation of data DOS attack

Element Value

STREAM_MAGIC 0xacdc

TC_OBJECT 0x73

TC_CLASSDESC 0x72

field count 0x0001

field type ‘[’UTF8-FieldName ‘data’

Element Type I

Element Count MAX_INT

Values

Gadget Chains

ObjectInputStream.readObject()AnnotationInvocationHandler.readObject()Map(Proxy).entrySet()AnnotationInvocationHandler.invoke()LazyMap.get()ChainedTransformer.transform()ConstantTransformer.transform()InvokerTransformer.transform()Method.invoke()Class.getMethod()InvokerTransformer.transform()Method.invoke()Runtime.getRuntime()InvokerTransformer.transform()Method.invoke()

Runtime.exec()

How bad is the situation though – it’s really hard to create gadget chains.

Discovery

Port 1099

Discovery – Jenkins version 2.56

Exploit

https://www.exploit-db.com/exploits/41965/

Impressive amount of tools and collateral out there – but does it really matter?

How much risk are we taking by ignoring the problem?

In 2016 Cybercrime was estimated to be worth

450 Billion Dollars@spoole167

Cybercrime is the most profitable type of crime

In 2016 The illicit drug trade was estimated to be worth

435 Billion Dollars

Cybercrime is the most profitable type of crime

• Guess which one has the least risk to the criminal ?

• Guess which is growing the fastest ?

• Guess which one is the hardest to prosecute ?

• Guess which one is predicted to reach 2100 Billion Dollars by 2019?

• Guess which one is predicted to reach 6000 Billion Dollars by 2021?

2013 2014 2015 2016 2017 2018 2019 2020 20210

Cybercrime Drug trade

That’s about €600 for every person on the planet

In Germany* it’s about €8000* each

* Insert the nearest country/currency unit relevant to you!

Don’t agree?

“The bad guys prey on the weak, vulnerable and ignorant”

That’s you

Ever googled for…?

“very trusting trust manager”

“Getting Java to accept all certs over HTTPS”

“How to Trust Any SSL Certificate”

“Disable Certificate Validation in Java”

TrustManager[] trustAllCerts = new TrustManager[]{

new X509TrustManager() { public X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted( X509Certificate[] certs, String authType) { } public void checkServerTrusted( X509Certificate[] certs, String authType) { } public boolean isClientTrusted( X509Certificate[] cert) { return true; } public boolean isServerTrusted( X509Certificate[] cert) { return true; } }}

Ever written

something

like this?

We’ve all done something like that

We do it all the time

The whole world does it

How bad can it be?

The whole world does it

Github search “implements TrustManager” ….

We’ve found 72,609 code results!

AlwaysValidTrustManager

TrustAllServersWrappingTrustManager

A very friendly, accepting trust manager factory. Allows anything through.

all kind of certificates are accepted and trusted.

A very trusting trust manager that accepts anything

// Install the all-trusting trust managerOverTrustingTrustProvider

AllTrustingSecurityManagerPlugin.java

AcceptingTrustManagerFactory.java

AllTrustingCertHttpRequester.java

Search github for “implements serializable”

Wrap up

Today Java serialization use is widespread.

Java Persistence API (JPA)

Remote EJB

Remote Method Invocation (RMI)

Java Management

Extensions (JMX)

Injection (CDI)HTTP cookies

HTML Forms

REST Services

Much as you’d like to. You can’t escape

Reality• As developers we all need to wake up to our

responsibilities to design and code secure software.

• The bad guys exploit our ignorance and lack of attention

Thank You

OWASP Top Ten 2017 Project

.A8:2017-Insecure DeserializationA9:2017-Using Components with Known Vulnerabilities

A Modern Fairy Tale: Java Serialization - JAX London...A Modern Fairy Tale: Java Serialization...

Documents