.NET Serialization: Detecting and defending vulnerable endpoints

Transcript

1. .NET SERIALIZATION Alvaro Muñoz pwntester

2. > whoami § Alvaro Muñoz a.k.a. @pwntester - Principal security

   researcher with Micro Focus Fortify - Presented my research at different conferences such as: - BlackHat, Defcon, RSA, OWASP AppSecEU, AppSecUSA, JavaOne, etc. - Responsibly reported critical vulnerabilities to companies/frameworks such as: - Microsoft, Oracle, Workday, Salesforce, HPE, Pivotal, Apache, Atlassian, Lightbend, etc.

3. Some serialization experience http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/ http://www.pwntester.com/blog/2013/12/16/cve-2011-2894-deserialization-spring-rce/ https://gist.github.com/pwntester/ab70e88821b4a6633c06 https://github.com/pwntester/SerialKillerBypassGadgetCollection 3 XM

   LDecoder XStream Spring RCE Gafget Apache Commons Collections RCE Gadget Look-Ahead Bypass M ultiple RCE Gadgets JRE 8u20 RCE Gadget JSON Deserialization 2013 2014 2015 2016 2017 2018 … 2012

4. 4 1001010 0101001 0101010

5. 5

6. 6 Tic Tic Tic Tic Tic Tic Tic Tac Tac

   Tac Tac Tac Tac Tac Tac 10101011001010110 1010101011011 1000 1000 1010101011010 101010110010101001

7. Agenda 1. Serialization 101 2. .NET serializers 1. Native 2.

   3rd Party 3. Detecting vulnerable endpoints 4. Fixing vulnerable endpoints Inside

8. Serialization 101

9. Marshalling Pickles

10. Marshalling Pickles 10

11. Marshalling Pickles 11

12. Marshalling Pickles 12 Pickle Rick

13. Marshalling Pickles 13 Pickle Rick

14. Marshalling Pickles 14 Type Discriminator Pickle Rick

15. Marshalling Pickles 15 Pickle Rick

16. Marshalling Pickles 16 Pickle Rick

17. Marshalling Pickles 17 Morty Pickle Rick

18. Marshalling Pickles 18 Pickle Rick Morty

19. Methods Invoked to Fully Reconstruct Objects § Deserialization callbacks: -

    Java: - readObject/readResolve - .NET: - Deserialization constructor overload • <Type> (SerializationInfo, StreamingContext) - IDeserializationCallback.OnDeserialization(Object) - [OnDeserializing]/[OnDeserialized] annotated methods § Setters 19

20. Gadgets § Attacker controls: § Gadget: - Type which contains

    one or more methods invoked during the deserialization process that under controlled circumstances may do bad things 20 Type Type Property Values

21. System.Windows.Data.ObjectDataProvider set_MethodName() BeginQuery() QueryWorker() InvokeMethodOnInstance() Refresh() set_ObjectType() set_ObjectInstance()

22. Gadgets 22

23. ysoserial.net 23

24. 24

25. .NET Formatters

26. Introduction § Attacks on .NET formatters are not new §

    James Forshaw already introduced them at BlackHat 2012 for - BinaryFormatter (Binary) - NetDataContractSerializer (XML) § Lack of Remote Code Execution gadgets until 2017

27. Vulnerable in default configuration § BinaryFormatter (Binary) - BinaryMessageFormatter (Binary)

    [MSMQ] - ObjectStateFormatter (Binary) [ViewState] - LosFormatter (Binary) § NetDataContractSerializer (XML) § SoapFormatter (XML) § FastJSON (JSON) § Sweet.Jayson (JSON) 27

28. BinaryFormatter 28

29. Eg: AppHarbor 29

30. Eg: AppHarbor 30

31. Super-Cookie AntiPattern 31 https://blog.appharbor.com/2012/04/04/cookietempdataprovider-for-asp-net (now deleted)

32. Actually that advice is everywhere :( 32

33. Silently removed from ASP.NET MVC 33

34. Demo 34

35. Azure Active Directory Application Proxy

36. 36

37. Vulnerable if developers mess it up (1/2) §Attacker can control

    Expected Type: -DataContractSerializer (XML) -DataContractJsonSerializer (JSON) -XmlSerializer (XML) - XmlMessageSerializer (XML) [MSMQ] 37

38. XmlSerializer 38 DotNetNuke CMS (CVE-2017-9822 ) Do not let users

    control Expected Type

39. Vulnerable if developers mess it up (2/2) § Insecure Configuration:

    - JavaScriptSerializer (JSON) - JSON.NET (JSON) - FSPickler (JSON) 39

40. JavaScriptSerializer 40 Do not use Type Resolver

41. JSON.NET 41 Do not use TypeNameHandling != None

42. Detecting Vulnerable Endpoints

43. Passive §Magic numbers: §Burp plugin - pwntester/dotnet-deserialization-scanner -False Positives -

    Some Images may contain similar bytes - May appear in signed ViewState AAEAAAD/////…

44. Active §Send payload and watch execute (DAST) -Use ysoserial.net to

    generate: - DoS gadget (sleep) - URL gadget (DNS Lookup) §Instrument deserialize methods (IAST) -Monitor running application 44

45. Static § Single dataflow+controlflow - Track data to be deserialized

    - eg: BinaryFormatter § Dual dataflow+controlflow - Track data to be deserialized and expected type - eg: XmlSerializer 45

46. Fixing vulnerable endpoints 46

47. 1 - Stop using it

48. 1 - Stop using it § Do you really need

    it? - eg: Nancy (CVE-2017-9785) - NCSRF cookie (CSRF token) § Do you really need Type discriminators in JSON/XML? - eg: Breeze (CVE-2017-9424 ) - Type information not needed since it works with JS clients 48

49. JSON.NET 49 Use TypeNameHandling == None

50. 2 - Sign and verify it § Use HMAC, never

    MD5(secret + data) | SHA1(secret + data) § Examples: - AppHarbor - Azure Active Directory § ASP.NET MVC Futures -> ASP.NET MVC - Uses the DataProtection API which offers both Integrity and Confidentiality § ASP.NET ViewState 50

51. Signed Cookie 51 DataProtector.Protect(bytes) == Sign it (and optionally encrypt

    it)

52. ViewState § ViewState contains the page state serialized using ObjectStateFormatter.

    § Since 4.5.2 ASP.NET ignores `EnableViewStateMac` and will always sign and encrypt the ViewState - Patch was applied retroactively back to 1.1 § Still found hundreds (200+) of servers using old versions without signing/encryption! 52

53. ViewState § In 4.5 Microsoft added Purpose to derive unique

    keys for each request 53 KDF Encryption Key Validation Key Encryption Key Validation Key (per-request) Purposes Strings MachineKey (per-request) keys

54. ViewState § PrimaryPurpose and some specific purposes are easily predictable,

    but what about ViewStateUserKey … 54 URL: /Account/Register

55. ViewState 55

56. Careful with leaking the keys § Leak web.config through XXE

    vulnerabilities - eg: AfterLogic WebMail Pro ASP.NET 6.2.6 - Administrator Account Disclosure via XXE § Leak web.config through Padding Oracle - (MS10-070) (CVE-2010-3332) § Vulnerability in .NET Framework Could Allow Information Disclosure - (MS15-041) (CVE-2015-1648) 56

57. Yellow Screen of Death 57 https://www.troyhunt.com/owasp-top-10-for-net-developers-part-6/

58. Don’t make it public 58

59. Careful with One-Click Installers 59

60. Careful with leaking the key 60 https://msdn.microsoft.com/en-us/library/ms178199(v=vs.85).aspx You can help

    prevent modification to your application configuration by encrypting sections of configuration files. For more information, see “Encrypting Configuration Information Using Protected Configuration” (https://msdn.microsoft.com/en- us/library/53tyfkaw(v=vs.85).aspx)

61. 3 - Bind it § Constrain allowed types § Serialization

    binders - Allows users to control class loading and mandate what class to load. § Also Known As “look-ahead deserialization” in Java 61

62. Strict White List 62 Credit: Jonathan Birch - Microsoft Corporation

63. Strict White List 63

64. Never use BlackLists or Broad WhiteLists 64

65. Bypass Gadgets 65 System.Data.DataSet

66. Also … 66 •Don’t use IsAssignableFrom • Attackers can find

    a generic Object type in the Object graph to place the payload. •Don’t return null for unexpected types • Some serializers fall back to a default binder, allowing exploits. •Don’t use reflection to look up types: Assembly.Load(assemblyName).GetType(typeName); • Reflection is slow, and a malicious user can DoS your application by forcing it to spend memory and time loading irrelevant assemblies. Credit: Jonathan Birch - Microsoft Corporation

67. 4 - Replace It § Structured Data Approaches: - You

    define how you want your data to be structured once, then you can use special generated source code to easily write and read your structured data to and from a variety of data streams and using a variety of languages. - Eg: Google Protocol Buffers § Untyped JSON/XML - Eg: Json.NET with TypeNameHandling.None 67

68. Mahalo! [email protected] @pwntester

69. 69