Insecure Deserialization

Introduction to Insecure Deserialization Vulnerability

Ashwini Puranik
5 min read · Mar 27, 2023
A08:2021-Software and Data Integrity Failures

A08:2021-Software and Data Integrity Failures is a new category for 2021, focusing on assumptions made about software updates, critical data, and CI/CD pipelines without verifying integrity. It has one of the highest weighted impacts in the Common Vulnerabilities and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. A8:2017-Insecure Deserialization is now part of this larger category.

• Insecure deserialization is best understood in two parts:

1. Serialization

2. Deserialization

Serialization and Deserialization

What is Serialization?

  • Serialization is the process of converting complex data structures, such as objects and their fields, into a “flatter” format that can be sent and received as a sequential stream of bytes. Serializing data makes it much simpler to:
  • Write complex data to inter-process memory, a file, or a database
  • Send complex data, for example, over a network, between different components of an application, or in an API call
  • Crucially, when serializing an object, its state is also persisted. In other words, the object’s attributes are preserved, along with their assigned values.

What is Deserialization?

  • Deserialization is the process of restoring this byte stream to a fully functional replica of the original object, in the exact state as when it was serialized. The website’s logic can then interact with this deserialized object, just like it would with any other object.

What is Insecure Deserialization vulnerability?

  • Insecure deserialization is when user-controllable data is deserialized by a website. This potentially enables an attacker to manipulate serialized objects in order to pass harmful data into the application code.
  • It is even possible to replace a serialized object with an object of an entirely different class. Alarmingly, objects of any class that is available to the website will be deserialized and instantiated, regardless of which class was expected. For this reason, insecure deserialization is sometimes known as an “object injection” vulnerability.
  • An object of an unexpected class might cause an exception. By this time, however, the damage may already be done. Many deserialization-based attacks are completed before deserialization is finished. This means that the deserialization process itself can initiate an attack, even if the website’s own functionality does not directly interact with the malicious object. For this reason, websites whose logic is based on strongly typed languages can also be vulnerable to these techniques.

Impact of Insecure Deserialization vulnerability

  • The impact of insecure deserialization can be very severe because it provides an entry point to a massively increased attack surface. It allows an attacker to reuse existing application code in harmful ways, resulting in numerous other vulnerabilities, often remote code execution.
  • Even in cases where remote code execution is not possible, insecure deserialization can lead to privilege escalation, arbitrary file access, and denial-of-service attacks.

Mitigation for Insecure Deserialization vulnerability

  • Integrity checks, such as digital signatures, should be applied to serialized objects to stop malicious object creation and data modification.
  • Enforce strict type constraints during deserialization before creating objects as the code typically expects a specified range of classes.
  • Isolate and run code that deserializes in low privilege environments where possible.
  • Log deserialization exceptions and failures, such as where the incoming type is not the expected type, or the deserialization throws exceptions.
  • Limit or keep track of incoming and outgoing network connectivity from deserialization servers or containers.
  • Monitor deserialization and alert if a user sends deserialization requests consistently.

Insecure Deserialization Example

The application here has multiple roles. We only have access to a normal user account, and to exploit the vulnerability we need to escalate that access to an admin-level account.

Sign in with the normal user account and intercept the request.

Copy the value of the session ID; it looks Base64-encoded, so decode it in the decoder.

· Smart Decode

· Base64 decoder

Modification in serialization object:

1. As we need admin access, modify the value of username in the decoded object to administrator. Also update the string length that follows the s: preceding the username value; the length of the string administrator is 13.

2. We do not know the value of the administrator's "access_token", so we replace its value with a blank one.

3. As this is PHP serialization, to exploit it we also have to change the data type: replace the last "s" with "i", because 0 is an integer.

4. After all these modifications the serialized object is:

O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}

5. Encode it again in Base64.

6. As we saw in the request, the value ends with %3d (the URL-encoded = sign), so we append %3d to the re-encoded value.

· Final value

7. Replace the session ID value with the newly created one. After forwarding the request, you can see that we have access to the admin panel.
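As an added example (not code from the original post or the application it describes), here is the server-side counterpart to the walkthrough above, applying the first two mitigations listed earlier to this exact cookie format: an HMAC integrity check runs before the serialized object is ever parsed, and a strict class and type check rejects a forged i:0 access_token instead of letting it be loosely compared. The secret, the usernames and the token value are constructed placeholders, and the parser covers only the s:, i: and O: tags that this session object uses.

```python
import base64, hashlib, hmac
SECRET = b"constructed-server-secret"  # placeholder; keep real secrets out of code
GOOD = 'O:4:"User":2:{s:8:"username";s:5:"alice";s:12:"access_token";s:9:"tok123abc";}'  # constructed
TAMPERED = 'O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}'  # from the post

def parse_php_value(buf, pos=0):
    # Parse one PHP-serialized value at buf[pos] -> (value, next_pos); objects -> (class, fields)
    if buf[pos] == "s":                  # s:<len>:"<chars>";
        end = buf.index(":", pos + 2)
        length, start = int(buf[pos + 2:end]), end + 2
        if buf[start + length:start + length + 2] != '";':
            raise ValueError("declared string length does not match payload")
        return buf[start:start + length], start + length + 2
    if buf[pos] == "i":                  # i:<int>;
        end = buf.index(";", pos)
        return int(buf[pos + 2:end]), end + 1
    if buf[pos] == "O":                  # O:<len>:"<class>":<n>:{key;value;...}
        end = buf.index(":", pos + 2)
        name_len = int(buf[pos + 2:end])
        cls, pos = buf[end + 2:end + 2 + name_len], end + name_len + 4
        end = buf.index(":", pos)
        count, pos, fields = int(buf[pos:end]), end + 2, {}
        for _ in range(count):
            key, pos = parse_php_value(buf, pos)
            fields[key], pos = parse_php_value(buf, pos)
        if buf[pos] != "}":
            raise ValueError("unterminated object")
        return (cls, fields), pos + 1
    raise ValueError(f"unsupported type tag {buf[pos]!r}")

def sign_session(payload, secret=SECRET):
    # Server side: attach an HMAC so any byte changed in the cookie is detected.
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{mac}|{payload}".encode()).decode()

def load_session(cookie, secret=SECRET):
    # Returns (username, access_token), or None for a tampered or mistyped cookie.
    try:
        mac, payload = base64.b64decode(cookie, validate=True).decode().split("|", 1)
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):   # integrity check before parsing
            return None
        obj, end = parse_php_value(payload)
    except (ValueError, IndexError, TypeError, UnicodeDecodeError):
        return None
    fields = obj[1] if isinstance(obj, tuple) and obj[0] == "User" else {}
    user, token = fields.get("username"), fields.get("access_token")
    if end != len(payload) or not isinstance(user, str) or not isinstance(token, str):
        return None   # wrong class, trailing bytes or a non-string token (i:0) are all rejected
    return user, token
```

Even if the tampered object is signed with the real secret, load_session still returns None because access_token is no longer a string; the signature check alone stops the unsigned edit from step 7.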
