.NET advanced code audit (lesson 7): NetDataContractSerializer deserialization vulnerability - vulnerability warning - the black bar safety net

ID MYHACK58:62201993611
Type myhack58
Reporter Anonymous
Modified 2019-04-11T00:00:00


NetDataContractSerializer and DataContractSerializer are both used to serialize and deserialize the data sent in Windows Communication Foundation (WCF) messages. There is one important difference between them: NetDataContractSerializer writes CLR type information into the XML, which adds extra information and preserves references so that the data can be deserialized into exactly the original type, whereas DataContractSerializer does not. NetDataContractSerializer can therefore only be used when the serializing and the deserializing end share the same CLR types. An object serialized with the WriteObject or Serialize method is deserialized from the XML stream with the ReadObject or Deserialize method. In some scenarios, reading a malicious XML stream triggers a deserialization vulnerability that enables remote code execution (RCE); this article describes and reproduces the issue from both the principle and the code-audit perspective.

0x01 NetDataContractSerializer serialization

Using WriteObject or Serialize, conversion between .NET objects and XML data is very easy. Note that NetDataContractSerializer includes the assembly name and the type name of the serialized type. This extra information is used when the XML is deserialized back into the specific type, so the same type can exist on both the client and the server. The additional z:Id attribute has a different meaning on different elements: it handles reference types and decides whether references are preserved when the XML is deserialized. The conclusion is that this output contains more information than the output of DataContractSerializer. The following example illustrates the problem. First define the TestClass object, which has three members and a static method ClassMethod that starts a process (figure omitted). To serialize it, create an instance, assign a value to each member and call Serialize (figure omitted); the XML obtained for the TestClass object is:

  <TestClass z:Id="1" z:Type="WpfApp1.TestClass" z:Assembly="WpfApp1, Version=, Culture=neutral, PublicKeyToken=null" xmlns="http://schemas.datacontract.org/2004/07/WpfApp1" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/">
    <age>18</age>
    <classname z:Id="2">360</classname>
    <name z:Id="3">Ivan1ee</name>
  </TestClass>

0x02 NetDataContractSerializer deserialization

2.1, Deserialization usage

The NetDataContractSerializer class turns an XML stream back into an object: a new serializer object is created and one of the overloads of the ReadObject method, or the Deserialize method, is called. Looking at its definition, the class inherits from the XmlObjectSerializer abstract class and the IFormatter interface (figure omitted). NetDataContractSerializer implements the WriteObject and ReadObject methods of the XmlObjectSerializer abstract class and also implements the methods defined by IFormatter. The author creates a new object and calls the Deserialize method; the specific implementation code is shown in the original figure. In fact, the Deserialize method itself calls the ReadObject method to perform the deserialization (figure omitted). After deserialization the object's properties are available, and the value of the current member Name is printed (figure omitted).

2.2, The attack vector: MulticastDelegate

A multicast delegate (MulticastDelegate) inherits from Delegate, and its invocation list can hold multiple delegates; in fact, all delegate types derive from MulticastDelegate. The _invocationList field of the MulticastDelegate class references the delegate array when a delegate chain is built, but to gain more control over the chain the GetInvocationList method is used. When a delegate instance that holds a linked list of delegates is invoked, the delegates are called synchronously in the order of the list. So how can calc.exe be added to the list returned by GetInvocationList? First look at the Comparison type, a delegate located in the System.Collections.Generic namespace and defined as follows (figure omitted). Comparison returns a delegate, and the public static Combine method of the Delegate or MulticastDelegate class adds delegates to the chain as a Comparison-type comparator (figure omitted).

The comparator is created with the static Create method of Comparer. Comparer objects are used frequently by the .NET collection classes, and several of those classes also carry custom deserialization logic; here the SortedSet class is chosen, because during deserialization it rebuilds the sorted collection using its internal Comparer object (figure omitted). Internally, the GetInvocationList method of the multicast delegate constructs and initializes an array, makes each element reference one delegate in the chain, and returns the array reference. The following code modifies the private field _invocationList and uses the generic delegate Func to return the Process class (figure omitted).
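As an added example (not the article's own code; written for .NET Framework, where NetDataContractSerializer lives), the following C# serializes the page's TestClass to show the z:Id, z:Type and z:Assembly hints from 0x01, then deserializes it through a SerializationBinder allow-list that throws for any CLR type other than TestClass, which is the check a reviewer would want around the ReadObject call discussed in 0x02. The AllowListBinder class, the member values and the tampered input are constructed here and are assumptions, not part of the original.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Xml;

namespace WpfApp1
{
    [DataContract]
    public class TestClass
    {
        [DataMember] public int age;
        [DataMember] public string classname;
        [DataMember] public string name;
    }

    // Hypothetical allow-list binder: the CLR type named by z:Type/z:Assembly is mapped to a
    // fixed Type. Throwing (instead of returning null) stops the default type-loading fallback.
    sealed class AllowListBinder : SerializationBinder
    {
        public override Type BindToType(string assemblyName, string typeName)
        {
            if (typeName == typeof(TestClass).FullName) return typeof(TestClass);
            throw new SerializationException("Type not in allow-list: " + typeName);
        }
    }

    static class Program
    {
        static string Serialize(TestClass obj)
        {
            var sw = new StringWriter();
            using (var writer = XmlWriter.Create(sw))
                new NetDataContractSerializer().WriteObject(writer, obj); // root carries z:Id, z:Type, z:Assembly
            return sw.ToString();
        }

        static TestClass DeserializeChecked(string xml)
        {
            var serializer = new NetDataContractSerializer { Binder = new AllowListBinder() };
            using (var reader = XmlReader.Create(new StringReader(xml)))
                return (TestClass)serializer.ReadObject(reader);
        }

        static void Main()
        {
            string xml = Serialize(new TestClass { age = 18, classname = "360", name = "Ivan1ee" });
            Console.WriteLine(xml);                            // shows the type hints from section 0x01
            Console.WriteLine(DeserializeChecked(xml).name);   // expected type passes the binder
            // Constructed tampered input: the z:Type hint now names a type outside the allow-list.
            string tampered = xml.Replace("z:Type=\"WpfApp1.TestClass\"", "z:Type=\"System.Object\"");
            try { DeserializeChecked(tampered); }
            catch (SerializationException e) { Console.WriteLine("Rejected: " + e.Message); }
        }
    }
}
```

The binder only sees types that the XML names through z:Type/z:Assembly, so members such as age, classname and name, which carry no type hint, are resolved from the declared contract.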
