.NET advanced code audit (lesson 4): JavaScriptSerializer deserialization vulnerability - vulnerability warning - myhack58

ID MYHACK58:62201993247
Type myhack58
Reporter Anonymous
Modified 2019-03-20T00:00:00


In .NET Ajax applications, serialization is usually handled by the JavaScriptSerializer class. It is the serialization class that .NET provides from version 2.0 onward; it lives in the System.Web.Script.Serialization namespace and is referenced through System.Web.Extensions, so developers can easily convert between any .NET type and JSON data. In some scenarios, however, developers pass untrusted JSON to the Deserialize or DeserializeObject method, which makes a deserialization attack possible and leads to remote code execution (RCE). This article describes and reproduces the issue from the perspective of both the underlying principle and code auditing.

0x01 JavaScriptSerializer serialization

First, look at the classic serialization code: the class TestClass defines three members and implements a static method ClassMethod that starts a process. Serialization is done by creating an object instance and assigning values to its members.

Using the Serialize method of the JavaScriptSerializer class makes it very easy to convert a .NET object to JSON. For the TestClass object defined by the author, Serialize normally produces the following JSON:

{"Classname":"360","Name":"Ivan1ee","Age":18}

From the principles introduced earlier for the deserialization vulnerabilities in other components, the Value of the __type Key has to carry the full assembly identity, including the assembly name, version, culture and public key token. JavaScriptSerializer can be instantiated with the SimpleTypeResolver class, whose role is to provide a type resolver for managed types, so that the serialized string can carry a custom type's metadata as an assembly-qualified name. The author rewrites the code to add the type resolver:

JavaScriptSerializer jss = new JavaScriptSerializer(new SimpleTypeResolver());

The serialized output then contains the full assembly identity, as follows:

{"__type":"WpfApp1.TestClass, WpfApp1, Version=, Culture=neutral, PublicKeyToken=null","Classname":"360","Name":"Ivan1ee","Age":18}

0x02 JavaScriptSerializer deserialization

2.1 Deserialization usage

Deserialization converts JSON data back into an object: create a JavaScriptSerializer object and then call the DeserializeObject or Deserialize method. DeserializeObject is merely a wrapper around Deserialize, so the focus is on Deserialize. In its code, the JavaScriptObjectDeserializer.BasicDeserialize method returns an Object. BasicDeserialize in turn calls a DeserializeInternal method; when an object has to be converted, it checks whether the dictionary collection contains the ServerTypeFieldName constant as a Key. The ServerTypeFieldName constant is defined in the JavaScriptSerializer class with the value "__type". Peeling away the non-core method blocks ConvertObjectToType, ConvertObjectToTypeMain and ConvertObjectToTypeInternal, we finally arrive at the ConvertDictionaryToObject method. This code first checks whether ServerTypeFieldName has a value and, if so, assigns that value to the object s; second, s is cast to the string variable serverTypeName; third, the type resolver obtains the actual type, and System.Activator.CreateInstance constructs an instance of that type. The Activator class provides several overloads of the static CreateInstance method; the caller can pass either a Type object reference or a string identifying the type, and the method returns a reference to the new object. The following diagram demo shows the effect before and after serialization and deserialization:
Deserialization yields the object's properties, and printing the current member outputs the value of Name.

2.2 Building the PoC

By default JavaScriptSerializer does not use a type resolver, so it is a safe serialization class. The trigger point of the vulnerability is whether the SimpleTypeResolver class is created when the JavaScriptSerializer instance is initialized; if it is, and the JSON data being deserialized is attacker-controlled, the deserialization vulnerability can be triggered. The borrowed figure illustrates the call chain:

The author again chooses the ObjectDataProvider class to conveniently call any method of a referenced class; for details of that usage see ".NET advanced code audit (lesson 1): XmlSerializer deserialization vulnerability". Because starting a process with Process.Start requires configuring the related attributes of the ProcessStartInfo class, such as the file name and the startup arguments, the serialization of ProcessStartInfo has to be considered first, and this block may refer to
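To make the two resolver settings concrete, here is an added example (not code from the article) that serializes the article's TestClass without a resolver, then with SimpleTypeResolver, and finally deserializes through a hypothetical AllowListTypeResolver that honours a "__type" value only when it names a type in a fixed table. TestClass's member layout and the names AllowListTypeResolver and Demo are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Script.Serialization; // System.Web.Extensions.dll

public class TestClass
{
    public string Classname { get; set; }
    public string Name { get; set; }
    public int Age { get; set; }
}

// Hypothetical allow-list resolver (added here, not from the article): a "__type"
// value is honoured only if it names a type in the fixed table below; anything
// else resolves to null, so the serializer never hands it to Activator.CreateInstance.
public class AllowListTypeResolver : JavaScriptTypeResolver
{
    private static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type> { { typeof(TestClass).AssemblyQualifiedName, typeof(TestClass) } };

    public override Type ResolveType(string id) =>
        Allowed.TryGetValue(id, out Type t) ? t : null;

    public override string ResolveTypeId(Type type) =>
        Allowed.ContainsKey(type.AssemblyQualifiedName) ? type.AssemblyQualifiedName : null;
}

public static class Demo
{
    public static void Main()
    {
        var obj = new TestClass { Classname = "360", Name = "Ivan1ee", Age = 18 };

        // No type resolver: no "__type" is emitted, and none is acted on during input.
        Console.WriteLine(new JavaScriptSerializer().Serialize(obj));

        // SimpleTypeResolver: emits the assembly-qualified "__type" and, on
        // deserialization, instantiates whatever type that string names.
        var jss = new JavaScriptSerializer(new SimpleTypeResolver());
        string typed = jss.Serialize(obj);
        Console.WriteLine(typed);

        // Allow-list resolver: TestClass round-trips, but a "__type" naming any
        // other type is rejected instead of being instantiated.
        var safe = new JavaScriptSerializer(new AllowListTypeResolver());
        var back = (TestClass)safe.DeserializeObject(typed);
        Console.WriteLine(back.Name);
    }
}
```

An audit check that follows from this: grep for the JavaScriptSerializer constructor taking a resolver argument, and treat any SimpleTypeResolver instance that reaches user-supplied JSON as the finding.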
