2/14/2020 Data Deserialization

Data Deserialization
Computer data is generally organized in data structures such as arrays, records,
graphs, classes, or other configurations for efficiency. When data structures need to be
stored or transmitted to another location, such as across a network, they need to go
through a process called serialization. This process converts and changes the data
organization into a linear format that is needed for storage or transmission across
computing devices.
Using Java as an example platform for serialization, an object of type Address would
logically have members of street, city, state, and postal code as shown in the diagram
below.

Once serialized, this data is converted into a linear data format (such as the XML text
form in the diagram) representing the Address object.
The deserialization process from the linear data is the reverse, and causes the Address
object to be instantiated in memory as shown in this diagram:

https://www.cisecurity.org/blog/data-deserialization/ 1/5
2/14/2020 Data Deserialization

What is Serialization Used For?

The process of serialization has been used as far back as the 1980s in the Courier RPC
application protocol of the Xerox Network Systems protocol suite. Serialization is
needed for data storage and data transportation between nodes on a network
because with computers, data is stored and transported linearly. Serialization is also
used to pass information between computers for remote method invocation where a
procedure/function found on a remote machine can be invoked as if it is on the local
computer. Using serialization, an object can be transferred across domains through
firewalls, as well as be used for different languages and platforms.
The formats of serialized objects are standardized so as to be able to be read by
different platforms, if needed. Some of the platforms that support serialization
processes include python, perl, php, ruby, and Java. The Microsoft .Net platform also
supports serialization functions by utilizing the XMLSerializer and
DataContractSerializer classes, as well as the more powerful but more vulnerable
BinaryFormatter and NetDataContractSerializer classes. XML, YAML, and JSON are
amongst the most popularly used formats of serialized data.

What are the Vulnerabilities?

Vulnerabilities in the serialization processes have been discovered as far back as 2003,
such as the jsscript.c thaw function vulnerability with Mozilla rev 3.2. Since then, a
variety of deserialization bugs have been discovered. Mitre lists 37 CVEs related to
deserialization, with the Apache Commons Collections deserialization bug discovered
in 2015 garnering the greatest amount of attention.

https://www.cisecurity.org/blog/data-deserialization/ 2/5
2/14/2020 Data Deserialization

A security exploit against a vulnerable serialization process involves an attacker

injecting malicious data into the serialized data, such that the injection would
instantiate into malicious code upon deserialization. Before deserialization occurs on
serialized data, an attacker could exploit this process by inserting malicious data in the
linear form of the data as illustrated below:

Once this exploited data is then instantiated in computer memory through

deserialization, the malicious code of the attacker would be in a usable form to
perform further malicious activities commanded by the attacker:

https://www.cisecurity.org/blog/data-deserialization/ 3/5
2/14/2020 Data Deserialization

What is the Impact of These Vulnerabilities?

The serialization vulnerability is of high impact as it could allow an attacker to perform
remote code execution and remotely administer the victim machine. The surface for
this attack is increased by web accessible servers running software that is vulnerable
to deserialization exploits. The most widely used software that was vulnerable to
deserialization exploits, prior to being patched, is the Apache Commons Collections
library.
The Apache Commons Collections library allows serialization and is used in 70 other
software libraries. As long as the Apache Commons Collections library is referenced in
the class-path of any library, an attacker can use that library to call the deserialization
method of the Commons Collections library and instantiate their malicious code on
the machine. Apache has since released patches to disable deserialization of unsafe
data for the Commons Collections library.

MS-ISAC Recommendations
Best practices to protect against deserialization vulnerability exploits include the
following measures:

Apply all the latest patches after appropriate testing and keep your software up-
to-date. Information on the most recent Apache Commons Collection patch is
available in MS-ISAC Cybersecurity Advisory 2015-152:
https://msisac.cisecurity.org/advisories/2016/2015-152.cfm 
(https://msisac.cisecurity.org/advisories/2016/2015-152.cfm)
Adhere to the principle of least privilege by minimizing or disabling access to
administrative privileges to reduce impact of exploit.
When developing software, minimize usage of deserialization by reducing
unnecessary data transfers across applications/systems and reducing the
amount of files written to disk. Also consider developing your own format for
data transfer if needed, to reduce probability of misuse of data transfer
functionality by attackers. Developing a new format would be useful such that
attackers won’t easily know which location in the serialized data to insert their
code for successful attacks.
Follow a secure development lifecycle alongside your software development
lifecycle.

Recommendations for securing against Apache Commons

Collections deserialization exploits:
Search for jar files that contain the class InvokerTransformer.class and remove
that class from the jar file or delete the jar file after backup to make sure your
programs work properly after deletion of the file or class. If you don't have that
class in your system, then you aren't vulnerable to the Apache Commons
Collections attack.
Search network traffic for hex data "AC ED 00 05" to identify hosts that are doing
serialization and block that traffic if needed. This would block remote Commons
Collections deserialization attacks to your host.
For developing applications that require serialization, the readObject() method
can be overloaded to support safety-checking during deserialization.

References
[1] https://en.wikipedia.org/wiki/Xerox_Network_Systems
(https://en.wikipedia.org/wiki/Xerox_Network_Systems)

https://www.cisecurity.org/blog/data-deserialization/ 4/5
2/14/2020 Data Deserialization

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=221526
(https://bugzilla.mozilla.org/show_bug.cgi?id=221526)
[3] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=deserialization
(https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=deserialization)
[4] http://sensorstechforum.com/serious-java-deserialization-vulnerability-uncovered-
in-70-libraries/ (http://sensorstechforum.com/serious-java-deserialization-
vulnerability-uncovered-in-70-libraries/)
[5] http://www.pcworld.com/article/3004633/business-security/thousands-of-java-
applications-vulnerable-to-nine-month-old-remote-code-execution-exploit.html
(http://www.pcworld.com/article/3004633/business-security/thousands-of-java-
applications-vulnerable-to-nine-month-old-remote-code-execution-exploit.html)
[6] http://www.contextis.com/documents/1/are_you_my_type.pdf
[7] https://msdn.microsoft.com/en-us/library/ms733135(v=vs.110).aspx
(https://msdn.microsoft.com/en-us/library/ms733135(v=vs.110).aspx)
[8] http://www.aspectsecurity.com/blog/deserialization-attacks-via-apache-commons-
collections (https://www.aspectsecurity.com/blog/deserialization-attacks-via-apache-
commons-collections)
[9] https://msdn.microsoft.com/en-us/library/ms995349.aspx
(https://msdn.microsoft.com/en-us/library/ms995349.aspx)
[10]https://developers.google.com/protocol-buffers/docs/overview?csw=1
(https://developers.google.com/protocol-buffers/docs/overview?csw=1)

https://www.cisecurity.org/blog/data-deserialization/ 5/5