An Overview Of Deserialization Vulnerabilities and Attacks
By Tom Seest
What Are Deserialization Vulnerabilities and Attacks?
Deserialization can be vulnerable to attacks. Some serialization libraries have 40 or more constructors, which can make it difficult for attackers to force the execution of a function. Fortunately, there are a few tricks to make deserialization safer, including avoiding the use of default constructors and ensuring that object types have different constructors.
This photo was taken by Mikhail Nilov and is available on Pexels at https://www.pexels.com/photo/man-in-black-crew-neck-shirt-with-face-paint-8108389/.
Table Of Contents
What Are Ysoserial Vulnerabilities?
Ysoserialization vulnerabilities can be abused by attackers. This technique involves using gadget chains to send malicious inputs into a gadget. For example, malicious input is passed into a kicker-off gadget and then sequentially to other gadgets (including a sink-gadget). Luckily, there are pre-built gadget chains that can be used to detect these vulnerabilities.
Some of these vulnerabilities can also occur with XML data. In particular, the XMLDecoder and XStream APIs are susceptible. To minimize the risks, it is recommended to use a language-agnostic serialization such as JSON, YAML, or XML.
The most common target for these attacks is serialized Java objects. Objects that start with the ASCII O are also vulnerable to these attacks. In order to prevent this, use regular expressions to check for objects that start with a character that resembles an ASCII character.
Deserialization vulnerabilities can also be exploited for other attacks. Insecure deserialization attacks can allow attackers to execute arbitrary code. They can use untrusted data to cause a denial-of-service attack or bypass authentication. They can also exploit serialization vulnerabilities to compromise server-side applications.
Another example of a Ysoserialization vulnerability is when the attacker modifies a serializable object’s command field. If the attacker controls the field methodName, then he can make the object do anything he wants. For example, the attacker could modify the command field of a serializable object to gain administrator privileges.
This photo was taken by Mikhail Nilov and is available on Pexels at https://www.pexels.com/photo/man-in-black-crew-neck-shirt-8108390/.
What Are Lookahead Objectinputstream Vulnerabilities?
Java applications that send and receive data via serialized streams should be careful not to implement the Lookahead ObjectInputStream trick. This approach can be dangerous because it does not check what you’re deserializing before decoding it. This can result in malicious objects being sent to applications.
The best way to avoid malicious deserialization attacks is to challenge the deserialization mechanism that your application is using. To do this, you should consider adopting a safe data interchange format, such as JSON, or structured data approaches, such as Google Protocol Buffers. Alternatively, you can try using whitelisted classes, which restrict deserialization for only specific classes.
Deserialization attacks rely on the lack of trust in the data being sent to the application. Because untrusted data may not be well-formed, there’s a risk that malicious objects will use it to abuse application logic. This could lead to a denial of service (DFS), or even arbitrary code execution. Deserialization code can also make dangerous assumptions about the data, which can be exploited.
Lookahead ObjectInputStream solutions can mitigate the deserialization flaw by using a whitelist implementation. By doing so, you can check input against a whitelist of safe values and avoid attacks. However, a whitelist implementation does require an intelligent set of information about vulnerable classes. These solutions are not perfect, and you might miss some of them.
Another look-ahead ObjectInputStream trick is to use a runtime agent to monitor the deserialization process. This protects your application from the exploits that use this technique. The lookahead ObjectInputStream trick can be a good protection technique for your Java applications. However, it is a very common approach that can lead to application security vulnerabilities.
This photo was taken by Mikhail Nilov and is available on Pexels at https://www.pexels.com/photo/man-in-black-leather-jacket-8108391/.
Do Deserialization Vulnerabilities Involve Input Validation?
Deserialization vulnerabilities and attacks occur when a program accepts a serialized object from an untrusted source. These attacks often target Java and PHP applications. While serialized objects are an efficient way to store data, they can also be manipulated, which can cause major problems for an application.
Fortunately, there are several ways to prevent these attacks. One way is to use monitoring tools such as Threat Stack or Detectify to detect suspicious deserializations. These tools enable you to set up notifications for common vulnerable components and can help you protect your system from these attacks. You can also set your firewall to detect deserialization attacks.
Deserialization vulnerabilities and attacks can lead to remote code execution, privilege escalation, or denial of service. This can affect a variety of applications, including web applications. Web application firewalls can help protect against these vulnerabilities by blocking potentially malicious user input. But if you don’t want to use a firewall, you can always use a software tool.
A new vulnerability was recently discovered in GitHub Enterprise Server, which allows for remote code execution. An attacker who can successfully exploit this vulnerability could execute malicious code by using server-side request forgery. GitHub has fixed this vulnerability. While this vulnerability does not affect users, it compromises the integrity and confidentiality of data stored on the server.
Deserialization vulnerabilities in software can also affect Java applications. A remote attacker could exploit this vulnerability by sending a specially crafted serialized Java object to a vulnerable system. Such exploits allow the attacker to execute arbitrary code with root privilege. In many cases, these vulnerabilities may even lead to a complete compromise of the host operating system.
An improper input validation vulnerability in Juniper Networks Junos OS is another example of this problem. It can allow a remote attacker to inject a malicious serialized Java object by sending a specially crafted HTTP request. The attacker can then execute arbitrary commands using the resulting serialized data.
CVE-2020-5341: CVE-2019-3340 describes a vulnerability that affects the Java RMI protocol. A remote attacker could exploit this vulnerability to execute arbitrary code on the affected system.
This photo was taken by Mikhail Nilov and is available on Pexels at https://www.pexels.com/photo/man-in-black-jacket-wearing-black-sunglasses-8108401/.
What Is Java’s Built-In Concept Of Serialization?
Java’s built-in concept of serialization can lead to serious security vulnerabilities. Java applications can be attacked using exploits that take advantage of this inherent vulnerability. One such exploit is the exploitation of Java’s ‘objects’. These objects represent real-world entities, and a typical Java program will generate many of them. Each object contains attributes, which indicate its state, and methods, which define how the object responds. In addition, each object has an identity, which is the name given to it and allows the application to interact with other objects.
Typical Java applications implement many libraries and are composed of multiple classes and methods. This makes managing the application and preventing serialization attacks challenging. A hacker can duplicate a particular class or invoke a particular method and link them together in unexpected ways. This allows an attacker to manipulate the flow of data through the application, altering its behavior during deserialization.
An attacker can exploit a flaw in Java by altering the command field of a serializable object. This will cause the JVM to call A.readObject() method, which will execute the attacker’s command instead of “top.” The attacker can use this vulnerability to gain remote code execution.
Another common serialization vulnerability is that of XML. This serialization mechanism is not secure and makes it possible for an attacker to overwrite the contents of a file. This can cause a denial of service (DoS) attack. A further flaw is that an attacker can manipulate the Value property of a System.ComponentModel.DataAnnotations.ValidationException has a property named Value, which is of type Object. The value property can be set to any object type and exploited by an attacker. Using this vulnerability, an attacker can inject malicious code into a vulnerable application and trigger the attack.
An attacker can also exploit these vulnerabilities if an attacker has access to the service. Java’s serialization vulnerabilities are becoming increasingly responsible for vulnerabilities against internet-accessible services. In addition, Java is vulnerable to unsafe deserialization vulnerabilities. Fortunately, there are tools available that can actively identify and remediate these vulnerabilities. One of these tools is the Metasploit Framework.
This photo was taken by Mikhail Nilov and is available on Pexels at https://www.pexels.com/photo/a-woman-in-black-leather-jacket-sitting-near-the-sink-8108559/.
