A recent onslaught of attacks targeting the MOVEit application has affected several US Government agencies, including the Department of Energy (DOE) and the Oak Ridge National Laboratory (ORNL), as well as several state governments such as Minnesota, Missouri, and Illinois. Media coverage of the vulnerabilities (CVE-2023-34362, CVE-2023-35036, and most recently CVE-2023-35708), which involve SQL injection, is front and center. However, let’s take a closer look at the second stage of the attack, which involves a “deserialization” abuse (note: abuse, not exploit) of the MOVEit API (Application Programming Interface).
Deserialization abuse is a security vulnerability that occurs when an application or system blindly trusts and processes serialized data without proper validation or sanitization. Serialization is the process of converting an in-memory object into a format that can be stored or transmitted, such as JSON, XML, or a binary encoding, for example when it is sent to an API. Deserialization is the reverse: taking that serialized data and reconstructing it into its original object form. An attacker can exploit a deserialization vulnerability by submitting maliciously crafted serialized data, which can lead to unauthorized remote code execution, data tampering, data exfiltration, or other malicious actions.
When deserialization abuse occurs over an API interface, the vulnerability arises either from a bug in the deserializer or from the trust placed in serialized data received from external sources. If an API blindly accepts and processes serialized data without proper validation, an attacker can take advantage of that trust by sending serialized data that ends up being executed on the remote host. The attacker could exploit weaknesses in the deserialization process to execute arbitrary code or gain unauthorized access to sensitive information, and by leveraging this vulnerability could compromise the entire system or perform actions the API never intended or authorized.
It is crucial for developers to implement strong input validation and sanitization to prevent deserialization abuse over API interfaces and ensure the security of their applications. The point is important enough that programming documentation, Python’s for example, explicitly warns you to be careful about who you let send serialized data into your applications.
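To make the mitigation concrete, here is an added Python example (it is not the Noname proof of concept and not MOVEit code) showing the two defensive options an API can take with serialized input: refuse native object serialization from untrusted callers altogether and accept JSON that is validated field by field, or, where pickle cannot be avoided, enforce an allowlist of the only classes the unpickler may resolve. It also includes an inspection helper that lists every module/name reference in a pickle stream without executing it, which is the check a responder would want before ever loading a captured payload. The `Order` class, the allowlist, and the sample payloads are constructed for illustration; a pickle of `collections.OrderedDict` stands in for any class outside the allowlist.

```python
"""Defensive handling of serialized API input (added example, not the Noname POC).

Order, ALLOWED_GLOBALS and the sample payloads are constructed for illustration.
"""
import collections
import io
import json
import pickle
import pickletools
from dataclasses import dataclass


@dataclass
class Order:
    order_id: int
    table: str
    items: list


# The only module/name pairs the unpickler may resolve. Any other reference
# (os, subprocess, builtins, ...) is refused before the object is built.
ALLOWED_GLOBALS = {(__name__, "Order")}


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist-based unpickler, following the pattern from the pickle docs."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(data: bytes):
    """Unpickle with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def referenced_globals(data: bytes):
    """List (module, name) references in a pickle stream WITHOUT executing it.

    Walks the opcodes with pickletools; handles GLOBAL (protocol <= 3) and
    STACK_GLOBAL (protocol >= 4). Simplification: STACK_GLOBAL operands are
    taken as the last two string pushes, which covers pickle.dumps output but
    not hand-built streams that fetch those strings from the memo.
    """
    found, recent = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            found.append((recent[-2], recent[-1]))
        elif isinstance(arg, str):
            recent.append(arg)
    return found


def order_from_json(text: str) -> Order:
    """Rebuild an Order from JSON, validating the shape before constructing it."""
    raw = json.loads(text)
    if not isinstance(raw, dict) or set(raw) != {"order_id", "table", "items"}:
        raise ValueError("unexpected payload shape")
    if type(raw["order_id"]) is not int or raw["order_id"] < 0:  # type() also rejects bool
        raise ValueError("order_id must be a non-negative integer")
    if not isinstance(raw["table"], str) or not 0 < len(raw["table"]) <= 16:
        raise ValueError("table must be a short string")
    items = raw["items"]
    if not isinstance(items, list) or not all(isinstance(i, str) for i in items):
        raise ValueError("items must be a list of strings")
    return Order(raw["order_id"], raw["table"], items)


def sample_payloads():
    """Constructed inputs: a plain-data pickle and two pickles (protocol 2 and 4)
    referencing a class outside the allowlist, a harmless stand-in for a gadget."""
    return {
        "plain": pickle.dumps({"order_id": 7, "items": ["espresso"]}),
        "foreign_v2": pickle.dumps(collections.OrderedDict(a=1), protocol=2),
        "foreign_v4": pickle.dumps(collections.OrderedDict(a=1), protocol=4),
    }


if __name__ == "__main__":
    good = pickle.dumps(Order(7, "A3", ["espresso"]))
    print("good references:", referenced_globals(good), "->", safe_loads(good))
    for label, blob in sample_payloads().items():
        print(label, "references:", referenced_globals(blob))
        try:
            print(label, "loaded:", safe_loads(blob))
        except pickle.UnpicklingError as exc:
            print(label, "rejected:", exc)
    print(order_from_json('{"order_id": 7, "table": "A3", "items": ["espresso"]}'))
```

The JSON path is the one to prefer for an API boundary: the parser can only ever produce dicts, lists, strings and numbers, and the schema check turns them into exactly one application type. The restricted unpickler is a fallback for internal callers that already exchange pickles; it narrows what a stream can instantiate but, as the Python documentation notes, does not make pickle safe for arbitrary input, so `referenced_globals` is there to let you inspect a suspicious payload without loading it.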
At Noname, we take great pride in helping our clients understand the issues plaguing APIs and the attack surface that’s being exploited (or in this case, abused) by the adversary. To help bring awareness to the topic of deserialization, we’ve created a simple proof-of-concept in Python. You can use the code to demonstrate, test, and raise awareness around this type of abuse.
The POC code with instructions can be found here: https://github.com/nonamedaren/api_deserialization_abuse
Have fun, tweak the code, and see what commands you can send other than the default one, which retrieves the host’s user list from /etc/passwd.
The Noname API security platform can help with discovery of MOVEit APIs, unauthorized API admin access, command injection, and sensitive data exfiltration in these ways:
What is the process for getting started with Noname on this?
Experience the speed, scale, and security that only Noname can provide. You’ll never look at APIs the same way again.