Json Attack
• Alvaro Muñoz
• Security Research with HPE
• @pwntester
• Oleksandr Mirosh
• Security Research with HPE
Introduction
• 2016 was the year of Java Deserialization apocalypse
• Known vector since 2011
• Previous lack of good RCE gadgets in common libraries
• Apache Commons-Collections Gadget caught many off-guard.
• Solution?
• Stop using Java serialization
• Use a secure JSON/XML serializer instead
• Do not let history repeat itself
• Is JSON/XML/<Put your favorite format here> any better?
• Raise awareness for .NET deserialization vulnerabilities
Agenda
1. Attacking JSON serializers
• Affected Libraries
• Gadgets
• Demo
2. Attacking .NET serializers
• Affected formatters
• Gadgets
• Demo
3. Generalizing the attack
• Demo
Is JSON any better?
Introduction
ObjectDataProvider gadget chain (diagram): Refresh() --> BeginQuery() --> InvokeMethodOnInstance()
{"$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework",
 "ObjectInstance":{
   "$type":"System.Diagnostics.Process, System"},
 "MethodParameters":{
   "$type":"System.Collections.ArrayList, mscorlib",
   "$values":["calc"]},
 "MethodName":"Start"
}
http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/com/sun/rowset/JdbcRowSetImpl.java/
JdbcRowSetImpl.setAutoCommit
Gadgets: non RCE
Arbitrary Getter call
• org.antlr.stringtemplate.StringTemplate (Java)
• toString
• Can be used to chain to other gadgets such as the infamous
TemplatesImpl.getOutputProperties()
• System.Windows.Forms.BindingSource (.NET)
• set_DataMember
XXE
• System.Xml.XmlDocument/XmlDataDocument (.NET < 4.5.2)
• set_InnerXml
• System.Data.DataViewManager (.NET < 4.5.2)
• set_DataViewSettingCollectionString
Analyzed Libraries
• Arbitrary Code Execution Requirements:
1. Attacker can control type of reconstructed objects
• Can specify Type
• _type, $type, class, classname, javaClass, …
• Library loads and instantiates Type
2. Library/GC will call methods on reconstructed objects
3. There are gadget chains starting at a method executed upon or after reconstruction
Categorization
• Format includes type discriminator
1. Default
2. Configuration setting
{ "$type": "Newtonsoft.Json.Samples.Stockholder, Newtonsoft.Json.Tests",
  "FullName": "Steve Stockholder",
  "Businesses": {
    "$type": "System.Collections.Generic.List`1[[Newtonsoft.Json.Samples.Business, Newtonsoft.Json.Tests]], mscorlib",
    "$values": [ {
      "$type": "Newtonsoft.Json.Samples.Hotel, Newtonsoft.Json.Tests",
      "Stars": 4,
      "Name": "Hudson Hotel"
    }]}}
• Type control
1. Cast after deserialization
2. Inspection of expected type
Expected Type’s Object Graph Inspection
• Invokes
• Setter
• Should never be used with untrusted data
• Example:
• KalikoCMS
• CVE-2017-10712
JavaScriptSerializer
• System.Web.Script.Serialization.JavaScriptSerializer
• By default, it will not include type discriminator information
• Type Resolver can be used to include this information.
JavaScriptSerializer sr = new JavaScriptSerializer(new SimpleTypeResolver());
string reqdInfo = apiService.authenticateRequest();
reqdDetails det = (reqdDetails)(sr.Deserialize<reqdDetails>(reqdInfo));
• Invokes:
• Setters
• Serialization Constructors
• Can be used securely as long as the expected type cannot be controlled by users.
Json.Net
• It does not include Type discriminators unless a TypeNameHandling setting other than None is used
• Performs an inspection of Expected Type’s Object Graph
public class Message {
[JsonProperty(TypeNameHandling = TypeNameHandling.All)]
public object Body { get; set; }
}
• Invokes:
• Setters
• Serialization callbacks
• Type Converters
• Use a SerializationBinder to whitelist Types if TypeNameHandling is required
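An allow-list SerializationBinder of the kind the last bullet recommends, as an added example (not code from the talk or from Json.NET itself). It assumes Json.NET 10 or later (the ISerializationBinder interface), reuses the Message class shown above, and adds a hypothetical TextBody type as the only body the application accepts; the rejected payload names the ObjectDataProvider type from the earlier slide.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Allow-list binder: a "$type" discriminator may only resolve to a type the
// application registered up front; anything else fails closed.
public sealed class AllowListBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _allowed = new Dictionary<string, Type>(StringComparer.Ordinal);
    public AllowListBinder(params Type[] allowed)
    {
        foreach (var type in allowed) _allowed[type.FullName] = type;
    }
    public Type BindToType(string assemblyName, string typeName)
    {
        // Match on the type name alone: the assembly name in the payload is
        // attacker-controlled and is never used to load anything.
        if (_allowed.TryGetValue(typeName, out var type)) return type;
        throw new JsonSerializationException($"Type '{typeName}' is not on the allow-list.");
    }
    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null; // emit the bare type name that BindToType expects back
        typeName = serializedType.FullName;
    }
}

// Hypothetical envelope modelled on the Message class shown above, plus the one
// body type the application actually accepts.
public class Message
{
    [JsonProperty(TypeNameHandling = TypeNameHandling.All)]
    public object Body { get; set; }
}
public class TextBody { public string Text { get; set; } }

public static class Demo
{
    public static void Main()
    {
        var settings = new JsonSerializerSettings { SerializationBinder = new AllowListBinder(typeof(TextBody)) };
        var ok = JsonConvert.DeserializeObject<Message>("{\"Body\":{\"$type\":\"TextBody\",\"Text\":\"hi\"}}", settings);
        Console.WriteLine(((TextBody)ok.Body).Text); // hi

        // A discriminator naming an unregistered type is rejected before any instantiation.
        try { JsonConvert.DeserializeObject<Message>("{\"Body\":{\"$type\":\"System.Windows.Data.ObjectDataProvider, PresentationFramework\"}}", settings); }
        catch (JsonSerializationException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

Json.NET wraps any exception thrown from BindToType in a JsonSerializationException, so the catch above covers both the binder's own rejection and resolution failures.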
Demo 1: Breeze (CVE-2017-9424)
Unsafe Deserialization & Entrypoint
https://github.com/Breeze/breeze.server.net/blob/master/AspNet/Breeze.ContextProvider/ContextProvider.cs
Similar Research
• Java Unmarshaller Security
• Author: Moritz Bechler
• Parallel research published on May 22, after our research was accepted for BlackHat and the abstract was published :)
• Focus exclusively on Java
• Overlaps with our research on:
• Jackson and JSON-IO libraries
• JdbcRowSetImpl.setAutoCommit gadget
• Include other interesting gadgets
• https://github.com/mbechler/marshalsec
.NET Formatters
Introduction
• Attacks on .NET formatters are not new
• James Forshaw already introduced them at BlackHat 2012 for
• BinaryFormatter
• NetDataContractSerializer
• Lack of RCE gadget until recently :(
• Goals:
• Raise awareness about perils of .NET deserialization
• Present new vulnerable formatters scenarios
• Present new gadgets
• Need new gadgets that work with Formatters other than BinaryFormatter
PSObject Gadget (CVE-2017-8565)
• Bridges to custom deserializer
https://github.com/stangelandcl/pash-1/blob/master/System.Management.Automation/System.Management.Automation/PSObject.cs
https://github.com/stangelandcl/pash-1/blob/master/System.Management.Automation/System.Management.Automation/InternalDeserializer.cs
https://github.com/stangelandcl/pash-1/blob/master/System.Management.Automation/System.Management.Automation/LanguagePrimitives.cs
XAML Payload
System.Windows.Markup.XamlReader.Parse() --> Process.Start("calc")
<ResourceDictionary
    xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
    xmlns:System="clr-namespace:System;assembly=mscorlib"
    xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system">
  <ObjectDataProvider x:Key="LaunchCalc"
                      ObjectType="{x:Type Diag:Process}"
                      MethodName="Start">
    <ObjectDataProvider.MethodParameters>
      <System:String>calc</System:String>
    </ObjectDataProvider.MethodParameters>
  </ObjectDataProvider>
</ResourceDictionary>
.NET Native Formatters
(table of .NET native formatters with columns Name, Format, Additional requirements, Comments; rows not recovered)
https://github.com/dnnsoftware/Dnn.Platform/blob/a142594a0c18a589cb5fb913a022eebe34549a8f/DNN%20Platform/Library/Services/Personalization/PersonalizationController.cs#L72
Sink
https://github.com/dnnsoftware/Dnn.Platform/blob/a142594a0c18a589cb5fb913a022eebe34549a8f/DNN%20Platform/Library/Common/Utilities/XmlUtils.cs#L201
Video
Wrap-Up
Main Takeaways
• Do not deserialize untrusted data!
• … no, seriously, do not deserialize untrusted data!
• … ok, if you really need to:
• Make sure to evaluate the security of the chosen library
• Avoid libraries without strict Type control
• Type discriminators are a necessary but not sufficient condition
• Never use user-controlled data to define the deserializer expected Type
• Do not roll your own format
Thank you!
Alvaro Muñoz (@pwntester) & Oleksandr Mirosh