Insecure Deserialization

In this assignment, you will:

  1. Find an insecure deserialization vulnerability in an object storage API
  2. Exploit the vulnerability to gain remote code execution
  3. Perform reconnaissance to find secrets
  4. Circumvent network and HTTP filtering to exfiltrate

Insecure Deserialization

Insecure deserialization is a vulnerability class that arises when untrusted data is parsed into runtime data. When the deserialization library in use supports parsing code or even invoking code defined on parsed data, arbitrary remote code execution can be gained by an attacker.

You have obtained access to a copy of the vulnerable object storage API server. It is available in Canvas as source code in vuln03.py. You should be able to run this code directly given that the necessary dependencies are installed.

Your goal for this assignment is to locate a deserialization vulnerability in this API, and exploit it to obtain access to secret data. You can attempt to exploit a running instance of the API at http://storage.nëu.lol:port/, where port = 6429 + group.

Locating the Vulnerability

The API builds on the SSRF challenge’s S3 wrapper API server. Study the API endpoint handlers defined in this file.

  • Does the API ever perform deserialization? Where?
  • What serialization framework is in use? Is it known to have deserialization vulnerabilities?

Once you have achieved remote code execution, you can search the server for secret data to exfiltrate.

Network Filtering

If you have achieved remote code execution, you might have noticed that you are unable to transmit outbound traffic. Without that ability, how will you recover any secrets you steal?

  • Could you tunnel the data out over a permitted network port?
  • Could you return the data over the existing connection?

HTTP Filtering

If you attempt to use the existing connection, the natural option is to directly return the secret as the data returned from the deserialization procedure. However, DevSecOps has noticed strange activity from the API and has applied a security patch that performs additional checks on deserialized data.

  • Given the error message 401 no json, no secrets, what could these checks entail?

Submission Instructions

  1. Upload a tgz archive to Canvas containing the following files:
    • A README.md describing what your attack does and the secret(s) you stole
    • The source code for your attack
  2. Extra credit. Implement an additional exfiltration method.

© 2022 wkr