The Java deserialization crisis has passed; now it is .NET's turn: .NET deserialization vulnerability warning - MyHack58

ID: MYHACK58:62201788508
Type: myhack58
Reporter: Anonymous (佚名)
Modified: 2017-08-10T00:00:00


In 2016, Java applications and their developers were hit hard by deserialization vulnerabilities; now the .NET ecosystem is going through the same crisis. A newly identified problem in the way .NET code libraries handle deserialization lets an attacker inject code into a server or an associated computer.

Serialization converts an object into a sequence of bytes so that it can be stored in memory, in a file or in a database. Its main purpose is to save the object's state so that the object can be re-created later when needed; the reverse process is called deserialization. If untrusted data is handed straight to the deserialization routine without any security check, an attacker can craft malicious input so that the objects the deserializer constructs produce unexpected results.

2015 - 2016: the Java deserialization revelation

Attackers have been exploiting deserialization problems since the beginning of 2011. In the first half of 2015, two researchers, Chris Frohoff and Gabriel Lawrence, found the deserialization vulnerability in Apache Commons Collections, and only then did the issue really become a headache for every developer. At the end of 2015, researchers at Foxglove Security showed how attackers could exploit deserialization vulnerabilities in Java programs; their study found the problem in common Java applications including WebLogic, WebSphere, JBoss, Jenkins and OpenNMS. An attacker exploits the vulnerability by uploading malicious data: the uploaded data is serialized and stored in a database or in memory, and when the application later deserializes it, the malicious code is triggered and the whole system is affected.

In 2016 this vulnerability shook the entire Java ecosystem, affected more than 70 other Java libraries and even hit PayPal's servers.
Large organizations and institutions such as Apache, Oracle, Cisco, Red Hat, Jenkins, VMware, IBM, Intel, Adobe, HP and SolarWinds all had to audit and patch their systems and products thoroughly. The seriousness of the Java deserialization vulnerability also prompted Google engineers to spend their spare time fixing open-source Java libraries; in total they patched more than 2,600 projects to mitigate it. Inside Google the vulnerability was nicknamed the "Mad Gadget", but for the wider Java world the deserialization problem was a catastrophe.

Deserialization problems affect .NET applications in the same way

Now Alvaro Muñoz and Oleksandr Mirosh, two researchers at HP Software, have found that problems similar to the earlier Java deserialization vulnerability also exist in .NET. As with Java applications, the vulnerability lies in the way .NET libraries handle serialized data during deserialization: when the target computer processes such data, the injected malicious code is executed. As in the Java world, these .NET vulnerabilities are not present everywhere in the ecosystem. Some .NET libraries are unaffected and can be used as normal, and some applications that use an affected library are still safe because their programmers have disabled the functions and methods that expose serialized data. Muñoz and Mirosh focused their study on .NET and Java deserialization vulnerabilities in libraries that use JSON to store data. They identified which applications are safe and explained how developers should handle JSON data to avoid deserialization attacks.
Many common .NET projects contain deserialization vulnerabilities

These vulnerabilities are not merely theoretical; their impact has been demonstrated in real applications. The researchers found a JSON deserialization vulnerability, CVE-2017-9424, in Breeze, a .NET data-management back-end framework, and CVE-2017-9785, a deserialization vulnerability in NancyFX, a lightweight Ruby-inspired .NET web framework. Beyond JSON, some .NET libraries also have XML object deserialization problems: the researchers found an XML deserialization vulnerability in DotNetNuke, a popular .NET CMS.

As described above, these problems arise from a combination of vulnerabilities in various .NET libraries and from poor coding practices by developers who do not realize that serialized data is not necessarily safe. Avoiding this class of security issue therefore requires not only fixing the .NET libraries but also disciplined programming practice: because the serialization process affects the security of the product, developers must take care never to deserialize data that has not been validated. The deserialization problem is not confined to Java serialization, or to specific .NET data formats such as JSON or XML. Every deserialization operation re-creates objects, and injected attack code can then trigger other method calls that lead to arbitrary code execution.

In August of this year the research team also presented their findings at the Black Hat and DEF CON security conferences in Las Vegas.
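As an added illustration of the JSON point above (this is not code from the article or from the researchers' work), the following C# shows a Json.NET configuration that lets the input choose which .NET type is instantiated, next to an allow-list serialization binder that rejects any type the application does not expect. The Order and Diagnostic classes and the sample JSON are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

public sealed class Order { public string Id { get; set; } public decimal Amount { get; set; } }
public sealed class Diagnostic { public string Note { get; set; } }   // constructed: NOT an expected type

// Allow-list binder: "$type" may only resolve to types the application explicitly expects.
public sealed class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type> { { typeof(Order).FullName, typeof(Order) } };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        // Fail closed instead of falling back to Type.GetType() on a name the sender controls.
        throw new JsonSerializationException($"Type '{typeName}' is not permitted for deserialization.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

public static class Program
{
    // Constructed untrusted input: the sender, not the receiving code, names the type to create.
    private static string UntrustedJson() =>
        "{\"$type\":\"" + typeof(Diagnostic).AssemblyQualifiedName + "\",\"Note\":\"x\"}";

    public static void Main()
    {
        // Weak: TypeNameHandling.All honours "$type", so the input decides which type is instantiated.
        var weak = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };
        object o = JsonConvert.DeserializeObject<object>(UntrustedJson(), weak);
        Console.WriteLine($"weak settings instantiated: {o.GetType().FullName}");   // Diagnostic, not Order

        // Hardened: keep TypeNameHandling.None (the default) wherever possible; if polymorphic input
        // is unavoidable, restrict type names with the allow-list binder so unexpected types are rejected.
        var hardened = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Objects,
            SerializationBinder = new AllowListBinder()
        };
        try { JsonConvert.DeserializeObject<object>(UntrustedJson(), hardened); }
        catch (JsonSerializationException ex) { Console.WriteLine($"rejected: {ex.Message}"); }
    }
}
```

The same fail-closed binder approach applies to other .NET serializers that accept a type name from the input; the safest option remains not to accept type information from untrusted data at all.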