Freddy - Automatically Identify Deserialisation Issues in Java and .NET Applications by Using Active and Passive Scans
A Burp Suite extension to aid in detecting and exploiting serialisation libraries/APIs.
This useful extension was originally developed by Nick Bloor (@nickstadb) for NCC Group and is mainly based on the work of Alvaro Muñoz and Oleksandr Mirosh, Friday the 13th: JSON Attacks, which they presented at Black Hat USA 2017 and DEF CON 25. In their work they reviewed a range of JSON and XML serialisation libraries for Java and .NET and found that many of them support serialisation of arbitrary runtime objects and, as a result, are vulnerable in the same way as many other serialisation technologies: snippets of code (POP gadgets) that execute during or soon after deserialisation can be controlled using the properties of the serialized objects, often opening up the potential for arbitrary code or command execution.
Further modules supporting more formats, including YAML and AMF, are also included, based on the paper Java Unmarshaller Security - Turning your data into code execution and the tool marshalsec by Moritz Bechler.
This Burp Suite extension implements both passive and active scanning to identify and exploit vulnerable libraries.
Freddy Features
Passive Scanning
Freddy can passively detect the use of potentially dangerous serialisation libraries and APIs by watching for type specifiers or other signatures in HTTP requests and by monitoring HTTP responses for exceptions issued by the target libraries. For example, the library FastJson uses a JSON field $types to specify the type of the serialized object.
Active Scanning
Freddy includes active scanning functionality which attempts to both detect and, where possible, exploit affected libraries.
Active scanning attempts to detect the use of vulnerable libraries using three methods: exception-based, time-based, and Collaborator-based.
Exception Based
In exception-based active scanning, Freddy inserts data into the HTTP request that should trigger a known target-specific exception or error message. If this error message is observed in the application's response, an issue is raised.
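The two signature checks described above (type specifiers in requests, library exception messages in responses) as a small stand-alone detector, written here as an added example rather than code from Freddy itself. Only the FastJson $types key comes from the text; the Json.Net $type key and the exception class names are assumptions added for illustration, and the sample request/response pair is constructed.

```python
import json
import re

# Request-side signatures: JSON keys that carry a type specifier.
# "$types" (FastJson) is from the text; "$type" (Json.Net) is an assumption.
TYPE_SPECIFIERS = {"$types": "FastJson", "$type": "Json.Net"}

# Response-side signatures: exception class names that betray the library.
# Illustrative choices for this example, not Freddy's own signature list.
EXCEPTION_SIGNATURES = {
    "FastJson": re.compile(r"com\.alibaba\.fastjson\.JSONException"),
    "ObjectInputStream": re.compile(r"java\.io\.(InvalidClass|StreamCorrupted)Exception"),
    "Json.Net": re.compile(r"Newtonsoft\.Json\.JsonSerializationException"),
}

def find_type_specifiers(node, path="$"):
    """Walk parsed JSON and yield (json_path, library) for each type-specifier key,
    so a specifier nested deep inside a request body is still noticed."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in TYPE_SPECIFIERS:
                yield f"{path}.{key}", TYPE_SPECIFIERS[key]
            yield from find_type_specifiers(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_type_specifiers(item, f"{path}[{i}]")

def passive_scan(request_body, response_body):
    """Return one issue dict per finding: specifier in request, exception in response."""
    issues = []
    try:
        hits = list(find_type_specifiers(json.loads(request_body)))
    except ValueError:
        # Not well-formed JSON (truncated, or not JSON at all): fall back to a
        # plain substring search so the signature is not missed entirely.
        hits = [(None, lib) for key, lib in TYPE_SPECIFIERS.items() if key in request_body]
    for where, lib in hits:
        issues.append({"library": lib, "evidence": "type specifier in request", "where": where})
    for lib, pattern in EXCEPTION_SIGNATURES.items():
        match = pattern.search(response_body)
        if match:
            issues.append({"library": lib, "evidence": "exception in response", "where": match.group(0)})
    return issues

# Constructed sample traffic for a stand-alone run, not captured from a real application.
SAMPLE_REQUEST = '{"user": {"$types": "com.example.Profile", "name": "alice"}}'
SAMPLE_RESPONSE = "HTTP/1.1 500\r\n\r\ncom.alibaba.fastjson.JSONException: syntax error, pos 12"

if __name__ == "__main__":
    for issue in passive_scan(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print(issue)
```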
Time Based
In some cases time-based payloads can be used for detection, because operating system command execution is triggered during deserialisation and this action blocks execution until the OS command has finished. Freddy uses payloads containing ping [-n|-c] 21 127.0.0.1 in order to induce a time delay in these cases.
Collaborator Based
Collaborator-based payloads work either by issuing an nslookup command to resolve the Burp Suite Collaborator-generated domain name, or by attempting to load remote classes from that domain name into a Java application. Freddy checks for new Collaborator issues every 60 seconds and marks them in the issues list with RCE (Collaborator).
Supported Targets
The following targets are currently supported (italics are new in v2.0):
Java
- BlazeDS AMF 0 (detection, RCE)
- BlazeDS AMF 3 (detection, RCE)
- BlazeDS AMF X (detection, RCE)
- Burlap (detection, RCE)
- Castor (detection, RCE)
- FlexJson (detection)
- Genson (detection)
- Hessian (detection, RCE)
- Jackson (detection, RCE)
- JSON-IO (detection, RCE)
- JYAML (detection, RCE)
- Kryo (detection, RCE)
- Kryo using StdInstantiatorStrategy (detection, RCE)
- ObjectInputStream (detection, RCE)
- Red5 AMF 0 (detection, RCE)
- Red5 AMF 3 (detection, RCE)
- SnakeYAML (detection, RCE)
- XStream (detection, RCE)
- XmlDecoder (detection, RCE)
- YAMLBeans (detection, RCE)
.NET
- BinaryFormatter (detection, RCE)
- DataContractSerializer (detection, RCE)
- DataContractJsonSerializer (detection, RCE)
- FastJson (detection, RCE)
- FsPickler JSON support (detection)
- FsPickler XML support (detection)
- JavascriptSerializer (detection, RCE)
- Json.Net (detection, RCE)
- LosFormatter (detection, RCE) - Note: not a module itself, supported through ObjectStateFormatter
- NetDataContractSerializer (detection, RCE)
- ObjectStateFormatter (detection, RCE)
- SoapFormatter (detection, RCE)
- Sweet.Jayson (detection)
- XmlSerializer (detection, RCE)