Deserialization attacks are included in OWASP Top 10 vulnerabilities [A8:2017] and listed in the Common Weakness Enumeration (CWE) database of known software weaknesses [CWE-502]. In the first half of 2024 deserialization attacks have impacted both open-source software such Python's Pickle serialization module, and CVE-2024-27322 in the R programming language and closed-source proprietary software such as CVE-2024–6327 in Progress Telerik Report Server.
Deserialization attacks are very pressing issues for defenders when they exist in public facing infrastructure because they can be used to exploit public facing applications [T1190] and remote services [T1210] giving attackers initial access to a victim's network from the public internet. In this article, we will explain what deserialization attacks are, how they work, and review a classic example of a PHP deserialization attack.
Deserialization is the latter half of the serialization/deserialization process. The "serialization" process first transforms a software object into data (formatted as JSON, XML, or a binary format) for storage or to be sent over a network. Software deserialization is the process of converting encoded "serialized" data back into its software object form. Deserialization reconstructs the software object for use by the programming language. Deserialization therefore allows serialized objects to be ingested and used dynamically within an application. Any constructs from a programming language can be serialized such as objects in Object Oriented Programming (OOP), functions, and variables such as arrays or structs.
Deserialization is used to enable data portability and software interoperability. In a very basic software program, all the code to complete the intended task is already included in the program. However, serialization and deserialization allows parts of software code such as objects, functions, and variables to be transferred between applications, deserialized, and then executed. This enables more dynamic applications since they can import objects and functions at runtime to complete tasks such as updates or adding new functions.
Deserialization attacks occur when an attacker manipulates or injects malicious data during the deserialization process, exploiting vulnerabilities in how data is transformed back into objects. Deserialization attacks are included in OWASP Top 10 vulnerabilities [A8:2017] and listed in the Common Weakness Enumeration (CWE) database of known software weaknesses [CWE-502].
Since deserialization processes typically expect trusted input, many applications fail to validate the deserialized data properly. However, this allows attackers to craft harmful payloads that, when deserialized, can execute arbitrary code on the victim's system to take control of it, escalate privileges, or otherwise compromise system integrity. Common targets include web applications, APIs, and software that handle serialized user data.
Deserialization attacks exploit the fact that deserialized objects often trigger methods or processes in the application without proper security checks. Attackers send malicious serialized data to a vulnerable application, where it gets deserialized into executable objects. Since serialized objects can contain executable code such as objects initialization methods, a deserialization attack could for example, simply pass a serialized object with a malicious initialization method with hopes that the victim will instantiate an instance of the object to execute their malicious code. However, there are many other ways that deserialization can result in unintended actions on behalf of an attacker.
Next let's cover some different types of deserialization attacks:
"Object Injection" refers to attacks where an attacker can control serialized data to inject arbitrary objects into the application during the deserialization process. By carefully crafting serialized data, the attacker can leverage the application’s deserialization mechanism to instantiate harmful objects, and gain arbitrary code execution by placing malicious code in the objects initialization function hoping that the serialized object will be instantiated.
Property Oriented Programming (POP) Chain Attacks manipulate object properties (attributes) rather than methods to achieve arbitrary code execution or other malicious outcomes. In POP Chain attacks, an attacker crafts serialized data containing modified object properties and leverages the deserialization process to trigger harmful effects, often through "magic methods" like __wakeup() or __destruct(). This is a more advanced and indirect approach than the traditional method-based exploitation often seen in Return Oriented Programming (ROP).
If an application unserializes an object, and that object’s properties can affect critical logic (e.g., file paths, command execution), an attacker might modify those properties to perform actions such as arbitrary file writes or command execution.
Gadget Chains are a method used by attackers in Java deserialization attacks. These involve leveraging classes (gadgets) in the target application’s codebase that can be manipulated to form a chain of method calls, culminating in harmful actions such as arbitrary command execution. These gadgets are often found in libraries or frameworks that the application uses, allowing attackers to execute code by abusing the available objects.
In PHP, Magic Method Exploitation refers to attacks where the attacker abuses special methods like __wakeup(), __destruct(), or __call() that are automatically triggered during the deserialization process. If these magic methods execute unsafe operations (such as file manipulation or command execution), attackers can inject malicious objects to exploit this behavior.
Reflection is a powerful feature in many programming languages (e.g., Java, C#) that allows the inspection and manipulation of objects at runtime. Attackers may leverage reflection during deserialization to modify properties or invoke methods that wouldn’t normally be accessible, leading to security flaws like arbitrary code execution or data corruption. For example, an attacker could try to exploit a vulnerable version of Log4J library by creating a serialized object with a malicious name hoping that the application will log the deserialized object name. If an unpatched version of Log4J was used to log the name of the object being deserialized, the attacker could gain remote code execution on the victim's computer.
Serialization Bombs are a form of denial-of-service (DoS) attack where a serialized object, when deserialized, consumes massive amounts of system resources such as memory or CPU, causing the application to crash. An example is the Billion Laughs Attack where nested entities rapidly expand during deserialization, overwhelming the system.
Type Confusion deserialization attacks occur when deserialization logic fails to correctly enforce type constraints. Attackers exploit this by deserializing an object into an unintended type, causing unpredictable behavior or security flaws such as remote code execution. They can also occur outside of a deserialization context.
Deserialization is a critical process in modern software that enables the transformation of data back into its original object form. However, when deserialization is done on untrusted input without proper validation, it can lead to exploitation of vulnerabilities in a software language's deserialization functions. These are known as deserialization attacks, and each language may have its own deserialization weaknesses that can be exploited. In 2024, there are still many active examples of deserialization vulnerabilities being disclosed and software developers need to take this weakness into account when building applications.
Download our Guide to Penetration Testing to learn everything you need to know to successfully plan, scope and execute your penetration testing projects
February 04 - Blog
Blackwood APT uses AiTM attacks that are set to target software updates. Is your organization prepared? Learn more in today's blog.
December 25 - Blog
It's official: Packetlabs has been recognized as one of the top penetration testing companies in 2024 on review platform Clutch.
December 10 - Blog
Hardware token protocols: what are they, and what role do they play in your organization's cybersecurity? In today's article, our ethical hackers outline the most common hardware token protocols.
© 2024 Packetlabs. All rights reserved.