CWE-502 可信数据的反序列化
Deserialization of Untrusted Data
结构: Simple
Abstraction: Base
状态: Draft
被利用可能性: Medium
基本描述
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
扩展描述
It is often convenient to serialize objects for communication or to save them for later use. However, deserialized data or code can often be modified without using the provided accessor functions if it does not use cryptography to protect itself. Furthermore, any cryptography would still be client-side security -- which is a dangerous security assumption.
Data that is untrusted can not be trusted to be well-formed.
When developers place no restrictions on "gadget chains," or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object is returned to the caller), it is sometimes possible for attackers to leverage them to perform unauthorized actions, like generating a shell.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 913 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 913 cwe_View_ID: 1003 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 913 cwe_View_ID: 699 cwe_Ordinal: Primary
-
cwe_Nature: PeerOf cwe_CWE_ID: 915 cwe_View_ID: 1000
适用平台
Language: [{'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'Ruby', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'PHP', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'Python', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'JavaScript', 'cwe_Prevalence': 'Undetermined'}]
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Integrity | ['Modify Application Data', 'Unexpected State'] | Attackers can modify unexpected objects or data that was assumed to be safe from modification. |
| Availability | DoS: Resource Consumption (CPU) | If a function is making an assumption on when to terminate, based on a sentry in a string, it could easily never terminate. |
| Other | Varies by Context | The consequences can vary widely, because it depends on which objects or methods are being deserialized, and how they are used. Making an assumption that the code in the deserialized object is valid is dangerous and can enable exploitation. |
可能的缓解方案
['Architecture and Design', 'Implementation']
策略:
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Implementation
策略:
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Implementation
策略:
Explicitly define a final object() to prevent deserialization.
['Architecture and Design', 'Implementation']
策略:
Make fields transient to protect them from deserialization. An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Implementation
策略:
Avoid having unnecessary types or gadgets available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Whitelist acceptable classes. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
示例代码
例
This code snippet deserializes an object from a file and uses it as a UI button:
bad Java
ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));
javax.swing.JButton button = (javax.swing.JButton) in.readObject();
in.close();
This code does not attempt to verify the source or contents of the file before deserializing it. An attacker may be able to replace the intended file with a file that contains arbitrary malicious code which will be executed when the button is pressed.
To mitigate this, explicitly define final readObject() to prevent deserialization. An example of this is:
good Java
throw new java.io.IOException("Cannot be deserialized"); }
例
In Python, the Pickle library handles the serialization and deserialization processes. In this example derived from [R.502.7], the code receives and parses data, and afterwards tries to authenticate a user based on validating a token.
bad Python
def dataReceived(self, data):
# Code that would be here would parse the incoming data
# After receiving headers, call confirmAuth() to authenticate
def confirmAuth(self, headers):
try:
token = cPickle.loads(base64.b64decode(headers['AuthToken']))
if not check_hmac(token['signature'], token['data'], getSecretKey()):
raise AuthFail
self.secure_data = token['data']
except:
raise AuthFail
Unfortunately, the code does not verify that the incoming data is legitimate. An attacker can construct a illegitimate, serialized object "AuthToken" that instantiates one of Python's subprocesses to execute arbitrary commands. For instance,the attacker could construct a pickle that leverages Python's subprocess module, which spawns new processes and includes a number of arguments for various uses. Since Pickle allows objects to define the process for how they should be unpickled, the attacker can direct the unpickle process to call Popen in the subprocess module and execute /bin/sh.
分析过的案例
| 标识 | 说明 | 链接 |
|---|---|---|
| CVE-2015-8103 | Deserialization issue in commonly-used Java library allows remote execution. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8103 |
| CVE-2015-4852 | Deserialization issue in commonly-used Java library allows remote execution. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852 |
| CVE-2013-1465 | Use of PHP unserialize function on untrusted input allows attacker to modify application configuration. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1465 |
| CVE-2012-3527 | Use of PHP unserialize function on untrusted input in content management system might allow code execution. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3527 |
| CVE-2012-0911 | Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0911 |
| CVE-2012-0911 | Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0911 |
| CVE-2011-2520 | Python script allows local users to execute code via pickled data. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2520 |
| CVE-2012-4406 | Unsafe deserialization using pickle in a Python script. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4406 |
| CVE-2003-0791 | Web browser allows execution of native methods via a crafted string to a JavaScript function that deserializes the string. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0791 |
Notes
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| CLASP | Deserialization of untrusted data | ||
| The CERT Oracle Secure Coding Standard for Java (2011) | SER01-J | Do not deviate from the proper signatures of serialization methods | |
| The CERT Oracle Secure Coding Standard for Java (2011) | SER03-J | Do not serialize unencrypted, sensitive data | |
| The CERT Oracle Secure Coding Standard for Java (2011) | SER06-J | Make defensive copies of private mutable components during deserialization | |
| The CERT Oracle Secure Coding Standard for Java (2011) | SER08-J | Do not use the default serialized form for implementation defined invariants | |
| Software Fault Patterns | SFP25 | Tainted input to variable |
相关攻击模式
- CAPEC-586
引用
-
REF-462 PHP unserialization vulnerabilities: What are we missing?
-
REF-463 Marshalling Pickles: How deserializing objects can ruin your day
-
REF-465 Black Hat EU 2010 - Attacking Java Serialized Communication
-
REF-468 Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization