Exploiting insecure Deserialization

With real world example.

Image for post
Image for post

Insecure Deserialization: — To understand it first we have to learn about what is serialization and deserialization.

Serialization: Converting the state of an object into any format like byte stream is known as serialization.

There are so many interpreted language like JavaScript, Excel and PowerShell used for data serialization. After serialization state of objects persisted such as send data over network persist it in XML, JSON format.

Benefits:

· To simplify interaction and generation of documents.

· It is good in communication protocols as we can pass objects in TCP sockets because serialization at one end reflect to other end.

· We can import serialized object into another custom applications.

· Make application structure fragile.

· In relational database, every time no need to create new columns per updating.

Deserialization: Conversion of coming byte stream data from a file (XML, JSON) into network object or in data object is known as deserialization.

Serialization and deserialization is a technique to send and receive data between distributed components of web applications. Most of programming language and modern systems (API, micro services, and 3-tier architecture) uses serialization and deserialization technique as they are highly distributed and components communicate with each other and share information.

If in between of the communication attacker modifies the serialized data and application doesn’t validate it before process then it may lead to insecure Deserialization and can be used to carry out severe attacks such as RCE, access control bypass, performing unintended actions, and database manipulation.

Working: Let’s understand it first with a basic diagram.

· During testing, application assigns the cookie in a serialized data stream.

Image for post
Image for post

· We can decode it easily as this data seems to be in base64 encoding. In burp decoder do Smart decode -> and then Decode as base 64. We get this decoded value.

O:4:”User”:2:{s:8:”username”;s:4:”test”;s:5:”admin”;b:0;}

· Now we can modify according to serialized data according to our requirement. Like modifying the username or modifying the access assigned to it.

O:4:”User”:2:{s:8:”username”;s:4:”test”;s:5:”admin”;b:1;}

· After modification, again encode it as base 64 add %3d at last just as we got equal sign(=) while smart decoding it. So updated deserialized stream

Image for post
Image for post

Serialized Object Composition/Formation

Let’s understand serialized object in respect of PHP.

· ‘b’ : Represents Boolean

· ‘i’ : Represents Integer

· ‘d’ : Represents Float

· ‘s’ : Represents String

· ‘a’: Represents array

· ‘0’: Represents Object

Exploitation:

The application have multiple roles in it. But we only have the access to a simple user account and to exploit this we need to escalate our access to admin level account.

Sign in from normal user account and intercept the request.

Image for post
Image for post

Copy the value of session id as it looks that it is being decoded in base64 decode it in decoder.

· Smart Decode

Image for post
Image for post

· Base64 decoder

Image for post
Image for post

· Modification in serialization object

o As we need admin access so in decoded object modify the value of username i.e. administrator. Modify the string length denoted by s and which appears after username. The length of string administrator is 13.

o We do not know value of administrator’s “access_token” so we replace it’s value blank one.

o As this is PHP serialization, to exploit it we have to modify it’s data types. So replaced last “s” with “i” because 0 is an integer.

After all these modification serialization object:

O:4:”User”:2:{s:8:”username”;s:13:”administrator”;s:12:”access_token”;i:0;}

· Encode it again

Image for post
Image for post

As we saw in request, we have %3d (which denoted = sign)so we append %3d in base64 decoded value.

· Final value

Image for post
Image for post

Replace the value of session id with the newly created value:

Image for post
Image for post

After forwarding the request you can see that we have access to the admin panel.

Preventive measures /Mitigation

· Do not trust user data and perform data validation.

· The method of serialization should be encrypted not encoded.

· Maintain integrity checks to prevent data tampering on serialized object.

· Run Deserialization code in low privilege environment.

· Monitoring is more important for that application where serialization happens.

Written by

Security enthusiast working to secure web for others https://twitter.com/BoredSecEngg

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store