The DataContractSerializer class is used by Windows Communication Foundation (WCF) for serializing and deserializing message data: CLR data types are serialized into an XML stream. It lives in the System.Runtime.Serialization namespace and inherits from System.Runtime.Serialization.XmlObjectSerializer. In some scenarios developers call DataContractSerializer.ReadObject on malicious XML data, which causes a deserialization vulnerability that enables remote code execution (RCE). In this article the author describes and reproduces the problem from the perspective of its principles and of code auditing.
0x01 DataContractSerializer serialization

The class is marked with the DataContractAttribute and its members with the DataMemberAttribute; these attributes decide which properties and fields are serialized. First look at the classic serialization code. The TestClass object defines three members and implements a static method, ClassMethod, that starts a process. Serialization is done by creating an object instance and assigning a value to each member. With DataContractSerializer.WriteObject it is very easy to convert between .NET objects and XML data. The author defined the TestClass object; in the ordinary case, using WriteObject yields the following serialized XML:

<TestClass xmlns="http://schemas.datacontract.org/2004/07/WpfApp1" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><Age>18</Age><Classname>360</Classname><Name>Ivan1ee</Name></TestClass>
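The serialization step above, written out as a complete C# program. This is an added example, not the author's code: it mirrors the article's TestClass (Name, Age, Classname) and uses the article's data-contract namespace, but omits the ClassMethod helper and adds an Ignored property to show that members without [DataMember] never reach the XML.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Xml;

// Added example; the contract mirrors the article's TestClass but is not its code.
[DataContract(Namespace = "http://schemas.datacontract.org/2004/07/WpfApp1")]
public class TestClass
{
    [DataMember] public string Name { get; set; }
    [DataMember] public int Age { get; set; }
    [DataMember] public string Classname { get; set; }

    // No [DataMember]: DataContractSerializer silently skips this property.
    public string Ignored { get; set; }
}

public static class DcsSerializeDemo
{
    // Serialize an object to an XML string with DataContractSerializer.WriteObject.
    // The root type is fixed at compile time; nothing about it comes from input.
    public static string SerializeToXml(TestClass obj)
    {
        var serializer = new DataContractSerializer(typeof(TestClass));
        var settings = new XmlWriterSettings { Indent = true, OmitXmlDeclaration = true };
        using (var sw = new StringWriter())
        using (var writer = XmlWriter.Create(sw, settings))
        {
            serializer.WriteObject(writer, obj);
            writer.Flush();
            return sw.ToString();
        }
    }

    public static void Main()
    {
        // Constructed sample values matching the article's output.
        var t = new TestClass { Name = "Ivan1ee", Age = 18, Classname = "360", Ignored = "dropped" };
        // Members are emitted in alphabetical order (Age, Classname, Name) unless
        // [DataMember(Order = n)] is used, which is why the article's XML is ordered that way.
        Console.WriteLine(SerializeToXml(t));
    }
}
```

Compile with any .NET Framework 4.5+ or .NET Core target that references System.Runtime.Serialization; the output is the same element structure shown above, indented.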
0x02 DataContractSerializer deserialization

2.1 Principles and usage of deserialization

Deserialization is the reverse process: an XML stream or XML data is converted back into an object. A DataContractSerializer object is created and then its ReadObject method is called. First look at the DataContractSerializer class definition: when an instance is created, the type to deserialize is passed in as a parameter. Then, in the Initialize method, that Type is assigned to the rootType member. Deserialization is invoked through the ReadObject method, which calls ReadObjectHandleExceptions; omitting some non-core code, this enters the InternalReadObject method body. The ReadDataContractValue method body returns the data processed by ReadXmlValue. As can be seen from the figure, this is a C# virtual method; while handling the data it uses the System.Runtime.Serialization.DiagnosticUtility class and obtains the fully qualified name of the CLR data type through DataContract.GetClrTypeFullName. The following demo shows the effect before and after serialization and deserialization: the properties of the deserialized object are read back and the value of the member Name is printed.

2.2 Attack vector: ObjectDataProvider

The vulnerability trigger point is whether the type parameter passed when initializing the DataContractSerializer instance is controllable. In other words, the attacker needs to control the type of the reconstructed object; if it is controllable, deserializing malicious XML data can trigger a deserialization exploit. The author again chooses the ObjectDataProvider class, which can easily call any method of a referenced class; for details of this usage see .NET Advanced Code Audit (Lesson 1): the XmlSerializer deserialization vulnerability. Because the attributes of the ProcessStartInfo class (such as the file name and the startup parameters) must be configured before Process.Start is called, ProcessStartInfo is serialized first and then the Process class, so that StartInfo starts the program; after that some subtraction is needed, removing the unrelated System.RuntimeType and System.IntPtr window-handle data. The following is the deserialization payload from foreign researchers:

xml version=""1.0""?& gt; root xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema" a" type=""System. Data. Services. Internal. ExpandedWrapper`2[[System. Diagnostics. Process, System, Version=220.127.116.11, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System. Windows. Data. ObjectDataProvider, Contains, Version=18.104.22.168, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System. Data. Services, Version=22.214.171.124, Culture=neutral, PublicKeyToken=b77a5c561934e089""> ExpandedWrapperOfProcessObjectDataproviderpao_soqjl xmlns=""http://schemas.datacontract.org/2004/07/System.Data.Services.Internal"" xmlns:i=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:z=""http://schemas.microsoft.com/2003/10/Serialization/"">
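The trigger condition in 2.2 is that the type handed to the DataContractSerializer constructor is attacker-controlled. The following added example (not the article's code) shows the unsafe pattern in a comment and, beside it, a hardened ReadObject wrapper for the article's TestClass: the root type is a compile-time constant, polymorphic i:type lookups go through an allowlisting DataContractResolver that returns null for anything else (which makes the serializer throw SerializationException rather than instantiate the type), and the XmlReader rejects DTDs. The AllowlistResolver class, the SafeDeserialize class and both sample XML strings are constructed for this example.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Xml;

// Added example; the contract mirrors the article's TestClass but is not its code.
[DataContract(Namespace = "http://schemas.datacontract.org/2004/07/WpfApp1")]
public class TestClass
{
    [DataMember] public string Name { get; set; }
    [DataMember] public int Age { get; set; }
    [DataMember] public string Classname { get; set; }
}

// Hypothetical resolver: only types on an explicit allowlist are ever resolved.
// Returning null from ResolveName makes DataContractSerializer raise
// SerializationException instead of building the requested object graph.
public sealed class AllowlistResolver : DataContractResolver
{
    private static readonly Type[] Allowed = { typeof(TestClass) };

    public override Type ResolveName(string typeName, string typeNamespace,
                                     Type declaredType, DataContractResolver knownTypeResolver)
    {
        Type t = knownTypeResolver.ResolveName(typeName, typeNamespace, declaredType, null);
        return (t != null && Array.IndexOf(Allowed, t) >= 0) ? t : null;
    }

    public override bool TryResolveType(Type type, Type declaredType,
                                        DataContractResolver knownTypeResolver,
                                        out XmlDictionaryString typeName,
                                        out XmlDictionaryString typeNamespace)
    {
        return knownTypeResolver.TryResolveType(type, declaredType, null,
                                                out typeName, out typeNamespace);
    }
}

public static class SafeDeserialize
{
    // Unsafe pattern from the article: the root type is taken from the request,
    // so the sender chooses which object graph the serializer reconstructs.
    //   var serializer = new DataContractSerializer(Type.GetType(typeNameFromRequest));
    //   object o = serializer.ReadObject(stream);

    // Hardened form: fixed root type, closed known-type set, allowlisted resolver,
    // bounded object graph, no DTD processing and no external entity resolution.
    public static TestClass ReadTestClass(string xml)
    {
        var settings = new DataContractSerializerSettings
        {
            DataContractResolver = new AllowlistResolver(),
            MaxItemsInObjectGraph = 1024,
        };
        var serializer = new DataContractSerializer(typeof(TestClass), settings);

        var readerSettings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
        };
        using (var reader = XmlReader.Create(new StringReader(xml), readerSettings))
        {
            return (TestClass)serializer.ReadObject(reader);
        }
    }

    public static void Main()
    {
        // Constructed sample: the XML WriteObject itself emits for TestClass.
        const string benign =
            "<TestClass xmlns=\"http://schemas.datacontract.org/2004/07/WpfApp1\" " +
            "xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\">" +
            "<Age>18</Age><Classname>360</Classname><Name>Ivan1ee</Name></TestClass>";
        Console.WriteLine(ReadTestClass(benign).Name);

        // Constructed sample: same document, but i:type asks for a type that is not
        // on the allowlist, so the resolver returns null and ReadObject throws.
        const string polymorphic =
            "<TestClass xmlns=\"http://schemas.datacontract.org/2004/07/WpfApp1\" " +
            "xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" " +
            "i:type=\"SomeOtherType\"><Name>x</Name></TestClass>";
        try { ReadTestClass(polymorphic); }
        catch (SerializationException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```

Two caveats a reviewer should keep in mind when auditing such code. First, fixing the root type is only a real barrier if the declared contract itself is closed: a member typed as object, or a KnownTypes list that includes wrapper types such as the one in the payload above, reopens the path the article describes. Second, the resolver only governs type-name resolution; it does not make ReadObject safe for a type whose constructors, property setters or OnDeserialized callbacks have side effects, which is exactly the property the Process/ObjectDataProvider chain relies on.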