Advanced Deserialization Attacks
Introduction
Introduction to .NET Deserialization Attacks
Note: To fully grasp the concepts taught throughout this module, it is expected that you have some basic understanding of deserialization vulnerabilities, as well as basic programming skills, preferably in C#/.NET. Despite the module offering a pre-customized Windows VM for exploit development in some of the sections, having a local one will be beneficial.
Serialization is the process of converting an object from memory into a series of bytes. This data can then be stored or transmitted over a network and later reconstructed by a different program or on a different machine. Conversely, deserialization is the reverse action, wherein serialized data is reconstructed back into the original object. However, when an application deserializes user-controlled data, there is a risk of deserialization vulnerabilities, which may be exploited to achieve objectives such as remote code execution, object injection, arbitrary file read, and denial of service.
Many programming languages, including Java, Ruby, Python, and PHP, offer serialization and deserialization runtime libraries. The Introduction to Deserialization Attacks module covered fundamental deserialization attacks targeting web applications that use PHP and Python for the backend.
C#, Microsoft's flagship programming language, which utilizes the .NET framework, also provides multiple serialization technologies; moreover, it is the primary language developers use while building Internet-connected apps with ASP.NET Core, a widely used web development framework employed by numerous websites worldwide.
Understanding how to identify and exploit .NET deserialization vulnerabilities not only strengthens our offensive security toolkit significantly but also provides insights into how threat actors achieved RCE after exploiting CVE-2023-34362 - the MOVEit vulnerability that wreaked havoc globally.
There are three main serialization technologies in .NET: JSON serialization, XML and SOAP serialization, and Binary serialization:
- JSON serialization: Serialize .NET objects to and from JavaScript Object Notation (JSON).
- XML and SOAP serialization: Serialize only the public properties and fields of objects, not preserving type fidelity.
- Binary serialization: Records the complete state of the object and preserves type fidelity; when deserializing an object, an exact copy is created.
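As an added illustration (not part of the module's own material) of the type-fidelity difference just listed, the following C# program serializes one object with each of the three technologies. The class `Order`, its fields, and the check at the end are constructed for this example; it assumes .NET Framework 4.8, or .NET 6/7 with `EnableUnsafeBinaryFormatterSerialization` set in the project file, so that `BinaryFormatter` still runs.

```csharp
// Added example: compare what JSON, XML and binary serialization preserve.
// BinaryFormatter is obsolete and unsafe on untrusted input; it is used here
// only to show the type information it embeds, which is why it is dangerous.
#pragma warning disable SYSLIB0011
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Text.Json;
using System.Xml.Serialization;

[Serializable]
public class Order
{
    public string Sku { get; set; } = "tee-001";   // public: emitted by all three
    public int Quantity { get; set; } = 2;
    // Non-public state: JSON and XML serializers skip it, BinaryFormatter
    // records it by field name together with the assembly-qualified type.
    private string internalNote = "constructed private value";
}

public static class SerializerComparison
{
    public static string ToJson(Order o) => JsonSerializer.Serialize(o);

    public static string ToXml(Order o)
    {
        var serializer = new XmlSerializer(typeof(Order));
        using var writer = new StringWriter();
        serializer.Serialize(writer, o);
        return writer.ToString();
    }

    public static byte[] ToBinary(Order o)
    {
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream();
        formatter.Serialize(stream, o);
        return stream.ToArray();
    }

    public static void Main()
    {
        var order = new Order();
        Console.WriteLine(ToJson(order));   // public properties only, no type name
        Console.WriteLine(ToXml(order));    // public properties only, no type name
        // The binary stream carries the type name, the assembly name and the
        // private field, so a deserializer reconstructs exactly that type.
        string printable = Encoding.ASCII.GetString(ToBinary(order)).Replace('\0', '.');
        Console.WriteLine(printable.Contains("Order") && printable.Contains("internalNote"));
    }
}
```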
This module will cover deserialization attacks from a white-box approach, exploiting vulnerabilities caused by JSON, XML, and Binary serializers available to .NET developers.
We will start with the decompilation of a binary file to retrieve the source code, identify potentially vulnerable code sections, and set up debugging to aid in exploit development. Later, we will look into recreating two well-known gadget chains and using them to exploit three unique deserialization vulnerabilities in a custom application. Following this, we will look at the target application from a developer's point of view, and how the vulnerabilities we discover could be patched as well as how vulnerabilities could be avoided in the future. To finish off the module, you will be tasked with identifying and exploiting a custom deserialization vulnerability on your own.
Although deserialization vulnerabilities affect applications developed in many languages, for this module we will focus on C#/.NET. The techniques learned can be repurposed to work with other languages, such as Java.
A Brief History of Deserialization Vulnerabilities
Deserialization vulnerabilities have been public knowledge for a long time, but interest exploded in 2015 when the Apache Commons Collections gadget was discovered. A brief timeline of milestones in deserialization vulnerabilities and attacks is listed below:
- 2007: First registered deserialization vulnerability (CVE-2007-1701) allows attackers to execute arbitrary code via PHP's session_decode.
- 2011: First "gadget-based" deserialization vulnerability (CVE-2011-2894) uses Proxy and InvocationHandler to achieve arbitrary code execution upon deserialization against the Spring Framework.
- 2012: The white paper "Are you my Type?" is published, discussing .NET serialization and CVE-2012-0160, a deserialization vulnerability in the .NET Framework leading to arbitrary code execution.
- 2015: The Apache Commons Collections gadget is discovered (CVE-2015-4852, CVE-2015-7501), which allows attackers to achieve arbitrary code execution against many more Java applications. ysoserial is released at AppSecCali 2015, which allows attackers to automatically generate deserialization payloads using the Apache Commons Collections gadget.
- 2017: The white paper "Friday the 13th JSON Attacks" is released, addressing deserialization vulnerabilities in .NET. It also introduces YSoSerial.NET, a tool enabling attackers to generate deserialization payloads for .NET using a handful of gadgets.
Target WebApp: TeeTrove
Throughout this module, we will analyze and attack a website named TeeTrove, an e-commerce marketplace specializing in selling custom-designed attire. We were commissioned by the company behind TeeTrove to conduct a white-box penetration test on the application with the goal being remote code execution. To conduct the assessment, the company provided us with the compiled deployment files and the necessary credentials.
Table of Contents
Introduction
- Introduction
Identifying Deserialization Vulnerabilities
- Decompiling .NET Applications
- Identifying Vulnerable Functions
- Debugging .NET Applications
Exploiting Deserialization Vulnerabilities
- The ObjectDataProvider Gadget
- Example 1: JSON
- Example 2: XML
- The TypeConfuseDelegate Gadget
- Example 3: Binary
- Automating Exploitation with YSoSerial.NET
Defending against Deserialization Vulnerabilities
- Preventing Deserialization Vulnerabilities
- Patching Deserialization Vulnerabilities
Skills Assessment
- Skills Assessment