Java deserialization is a serious class of vulnerability that can lead to remote code execution (RCE). It has drawn heavy attention since the mid-2010s, once it became clear how many applications accept serialized objects from the outside.
The first reason Java deserialization attacks are possible is that applications turn objects into byte streams (serialization), store those streams in a database or send them over the web, and later read them back and rebuild the original objects. Turning a byte stream back into the object it came from is Java deserialization. The runtime rebuilds whatever classes and field values the stream names, so if the stream comes from an attacker, the attacker chooses those classes and values, and any code that runs while the object is being reconstructed (readObject and similar hooks) runs on the attacker's input.
Let's start with the most basic question.
Why is Java serialization/deserialization needed at all?
This comes down to the basic way data is stored and processed.
Data can be divided into two broad categories: value types and reference types. Value-type data (a number, a character) can be handled directly, like an ordinary variable, which makes it convenient to store and transmit. Reference-type data cannot be handled directly, because what you hold is essentially a pointer to data living somewhere else in memory, and that pointer means nothing inside a file or on another machine. Serialization walks the referenced data and flattens it into value-formatted data, so everything needed to rebuild the object can be stored and sent as one unit. That is why programs go through the seemingly cumbersome step of serialization.
import pickle
import os
import base64

class TestClass:
    # pickle calls __reduce__ to learn how to rebuild this object. Returning
    # (callable, args) tells the unpickler to call os.system("cat /etc/passwd")
    # as the "reconstruction" step, which is the whole attack.
    def __reduce__(self):
        return os.system, ("cat /etc/passwd", )

ClassA = TestClass()

# Serialize ClassA (pickle, then base64 so the bytes can travel as text)
ClassA_dump = base64.b64encode(pickle.dumps(ClassA))
print(ClassA_dump)

# Deserialize: the shell command runs inside pickle.loads, before any value is returned
print(pickle.loads(base64.b64decode(ClassA_dump)))
This is a simple Python serialization/deserialization example. Explaining the exact conditions properly would mean walking through Java one step at a time, but that is not very useful in practice, so I brought a simple Python example instead. As you can see at a glance, the syntax is very easy; there is nothing particularly difficult here. Yet as soon as a concrete data format is added to something this simple, such simple serialization/deserialization becomes quite easy to break through. If you want to understand it better, run this in Python yourself, put in or change values little by little, and check for yourself what comes out.
So what is an effective defense against Java deserialization attacks?
The basic principle is the same as for any other input: validate and filter before accepting a specific value from an attacker or user. For Java this means never deserializing untrusted bytes without a filter. Since Java 9 (and in later JDK 8 updates) ObjectInputStream supports a deserialization filter (JEP 290, ObjectInputFilter) that accepts or rejects classes by name before they are instantiated; an allowlist of the classes the application actually expects is the practical form of that validation. More specifically, does a user ever need to send Java serialized data to a web server in normal use of the web? Can you remember sending anything resembling a serialized Java object while browsing? End users almost never send that type of data unless they intercept and modify traffic in the middle. Normally the application produces and consumes such data itself.
So web servers and web applications should always be suspicious of the origin of any Java serialized data they receive. Requiring authentication before accepting such data narrows who can reach the endpoint and helps against data leakage, but it is not a fix on its own: an authenticated user can still send a malicious stream, so the class filter on the receiving side is what actually prevents the attack.
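As an added example (not part of the original post), here is the hardened counterpart to the pickle snippet above, kept in Python rather than Java so it stays runnable: an Unpickler subclass whose find_class only resolves globals on an explicit allowlist, which is the same idea as a JEP 290 ObjectInputFilter. The Profile class, the Exploit class and the ALLOWED_GLOBALS set are constructed for this example; the Exploit payload uses a harmless echo where the page used cat /etc/passwd.

```python
import base64
import io
import os
import pickle


class Profile:
    """Benign data object, constructed for this example, that an app might serialize."""

    def __init__(self, user, roles):
        self.user = user
        self.roles = list(roles)

    def __eq__(self, other):
        return isinstance(other, Profile) and (self.user, self.roles) == (other.user, other.roles)


class Exploit:
    """Same trick as the page's TestClass: __reduce__ makes the unpickler call os.system."""

    def __reduce__(self):
        # Harmless command for the demo; the page used "cat /etc/passwd".
        return os.system, ("echo pwned",)


# Allowlist of (module, name) pairs the loader may resolve. Anything not listed,
# including posix.system / nt.system, subprocess.Popen or builtins.eval, is refused.
# Using Profile.__module__ keeps the entry correct whether this file runs as a
# script (__main__) or is imported under another module name.
ALLOWED_GLOBALS = {
    (Profile.__module__, "Profile"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """pickle calls find_class() for every global the stream names; deny by default."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def unsafe_load(data: bytes):
    """The vulnerable pattern from the page: resolve whatever the stream asks for."""
    return pickle.loads(data)


def safe_load(data: bytes):
    """Hardened counterpart: same bytes, but every global goes through the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the hardened loader refuses the payload (no command runs in that case)."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def encode(obj) -> bytes:
    """Serialize the way the page does: pickle, then base64 for transport."""
    return base64.b64encode(pickle.dumps(obj, protocol=4))


def decode(blob: bytes) -> bytes:
    return base64.b64decode(blob)


if __name__ == "__main__":
    benign = encode(Profile("alice", ["reader"]))
    hostile = encode(Exploit())
    print("benign via safe_load:", safe_load(decode(benign)).user)
    print("hostile rejected by safe_load:", is_rejected(decode(hostile)))
    # unsafe_load(decode(hostile)) would run the shell command before returning anything.
```

The important design point is that the check happens before any class is instantiated: find_class is invoked while the stream is being read, so the Exploit payload never reaches os.system. A denylist (blocking os, subprocess and friends) is the wrong shape for this problem, because any other callable reachable through the stream is just as dangerous; allowlisting the handful of types the application expects is what a Java ObjectInputFilter should do as well.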