BinaryFormatter and SoapFormatter differ mainly in the format of the data stream they produce; their other features are roughly the same. BinaryFormatter lives in the namespace System.Runtime.Serialization.Formatters.Binary and serializes objects directly into a binary representation. Its advantages are speed and compatibility across different versions of the .NET platform. However, deserializing an untrusted binary stream with it leads to a deserialization vulnerability that enables remote code execution (RCE). This article describes and reproduces the problem from the perspective of both the underlying principle and code auditing.
0x01 BinaryFormatter serialization

To serialize with the BinaryFormatter class, a class must be declared with the [Serializable] attribute; members that should not be serialized can be excluded with the [NonSerialized] attribute. The following example illustrates the process. First, define a TestClass object:

[Figure: TestClass definition]

It defines three members and implements a static method ClassMethod that starts a process. Serialization is done by creating an instance of the object and assigning a value to each member:

[Figure: serialization code]

In the normal case, calling Serialize produces a binary file whose contents, when opened, are displayed in the following format:

[Figure: serialized binary file contents]
0x02 BinaryFormatter deserialization

2.1, deserialization usage

Deserialization is the reverse process: it converts binary data back into an object by creating a new formatter object and calling one of the overloads of the Deserialize method. Looking at the class definition, BinaryFormatter, like the SoapFormatter formatter, implements the IRemotingFormatter and IFormatter interfaces:

[Figure: BinaryFormatter class definition]

The system therefore provides four different deserialization methods: Deserialize, DeserializeMethodResponse, UnsafeDeserialize and UnsafeDeserializeMethodResponse. The author creates a new object and calls the Deserialize method; the concrete implementation can be seen in the following code:

[Figure: deserialization code]

After deserialization, the value of the Name member of TestClass is obtained:

[Figure: deserialized Name value]

2.2, the attack vector: ActivitySurrogateSelector

Since the previous article already introduced the principle of this vulnerability, it is not repeated here; readers who have not seen it may refer to ".NET advanced code audit (eighth class): SoapFormatter deserialization vulnerability". The only difference is that the data is serialized with the BinaryFormatter class; the custom code is still invoked by overriding ISerializationSurrogate. The author again uses a calculator for the demonstration; the generated binary file looks like this when opened:

[Figure: generated binary payload]

Deserializing it in the usual way with the Deserialize method of the BinaryFormatter class:

[Figure: deserialization call]

pops up the calculator, but at the same time throws an exception, which in a web service would be returned as a 500 error.

2.3, the attack vector: WindowsIdentity

For the principle behind WindowsIdentity, readers who have not seen it may refer to ".NET advanced code audit (second class): Json.Net deserialization vulnerability". Because WindowsIdentity ultimately parses Base64-encoded data, the binary file produced by the serializer is deserialized here and the calculator pops up:

[Figure: WindowsIdentity payload and result]
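The round trip described in 0x01 and 2.1, written out as an added example (not the article's own code): a [Serializable] class in the spirit of the article's TestClass, serialized to a file with BinaryFormatter and read back with Deserialize. The member names, the values, the [NonSerialized] field and the temp-file path are assumptions; the code targets .NET Framework 4.x, where BinaryFormatter is still enabled.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;

// Stand-in for the article's TestClass: three members plus a static ClassMethod.
// Field names and values are assumed for this example.
[Serializable]
public class TestClass
{
    public string Name;
    public int Age;

    // Excluded from the stream: after a round trip this field comes back as null.
    [NonSerialized]
    public string Secret;

    public static void ClassMethod()
    {
        Console.WriteLine("ClassMethod called");
    }
}

public static class RoundTrip
{
    // Serialize an instance to a binary file with BinaryFormatter.
    public static void Save(string path, TestClass obj)
    {
        var formatter = new BinaryFormatter();
        using (var fs = new FileStream(path, FileMode.Create, FileAccess.Write))
        {
            formatter.Serialize(fs, obj);
        }
    }

    // Read the file back with the plain Deserialize(Stream) overload and cast
    // to the expected type. Nothing here restricts which types the stream may
    // name, which is the root of the problem discussed in the rest of the article.
    public static TestClass Load(string path)
    {
        var formatter = new BinaryFormatter();
        using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read))
        {
            return (TestClass)formatter.Deserialize(fs);
        }
    }

    public static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "testclass.bin");
        var original = new TestClass { Name = "dotNet", Age = 18, Secret = "not written" };

        Save(path, original);
        TestClass copy = Load(path);

        Console.WriteLine("Name   : " + copy.Name);
        Console.WriteLine("Age    : " + copy.Age);
        Console.WriteLine("Secret : " + (copy.Secret ?? "<null>"));

        // The file begins with the .NET binary-format header record, followed by
        // the assembly and type names in clear text, which is why the type name
        // is readable when the file is opened in a hex viewer.
        byte[] raw = File.ReadAllBytes(path);
        Console.WriteLine("Bytes  : " + raw.Length);
    }
}
```

On .NET 5 and later, BinaryFormatter.Serialize and Deserialize are marked obsolete (SYSLIB0011), and from .NET 8 they throw unless the application explicitly opts in, so this sample is meant to be compiled against .NET Framework.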
0x03 code audit perspective

3.1, UnsafeDeserialize

Looking for the vulnerability's entry point from the code-audit angle: compared with Deserialize, UnsafeDeserialize offers better performance. This method takes two mandatory parameters, the second of which may be null. This usage is not very common, but it is worth understanding. The following code is unsafe:

[Figure: UnsafeDeserialize call]

An attacker only needs to control the incoming path string parameter to trigger the deserialization vulnerability.

3.2, UnsafeDeserializeMethodResponse

Compared with DeserializeMethodResponse, UnsafeDeserializeMethodResponse performs even better. This method takes three mandatory parameters, the second and third of which may be null. This usage is also not very common, but it is worth knowing about. The following code is unsafe:

[Figure: UnsafeDeserializeMethodResponse call]

3.3, Deserialize

The Deserialize method is very common; developers usually use it for deserialization. It has two overloads. The following code is unsafe:

[Figure: Deserialize call]
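The audit sink from 3.1 to 3.3 (a caller-controlled path flowing into Deserialize/UnsafeDeserialize) next to a hardened counterpart, as an added example that is not the article's code. The hardening shown is a SerializationBinder allow-list: BinaryFormatter consults the binder for every non-primitive type named in the stream before it constructs that type, so a stream naming anything other than the expected class is refused before any constructor or surrogate runs. The class names Sink, AllowListBinder and Hardened, the TestClass stand-in, and the temp-file paths are assumptions; the code targets .NET Framework 4.x.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Minimal stand-in for the article's TestClass (assumed members).
[Serializable]
public class TestClass
{
    public string Name;
    public int Age;
}

// The pattern the article flags during audit: an attacker-controlled path is
// opened and handed to a formatter that will instantiate whatever types the
// stream names.
public static class Sink
{
    public static object LoadUnsafe(string path)
    {
        var formatter = new BinaryFormatter();
        using (var fs = File.OpenRead(path))
        {
            // UnsafeDeserialize(fs, null) has the same exposure as Deserialize(fs).
            return formatter.Deserialize(fs);
        }
    }
}

// Allow-list binder. Returning null would make the formatter fall back to its
// default type resolution, so unknown names must throw instead.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        { typeof(TestClass).FullName, typeof(TestClass) },
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        Type t;
        if (Allowed.TryGetValue(typeName, out t))
            return t;

        // A rejected type name is a useful detection signal: log it before refusing.
        Console.Error.WriteLine("Rejected type in stream: " + typeName + " from " + assemblyName);
        throw new SerializationException("Type not permitted: " + typeName);
    }
}

public static class Hardened
{
    public static TestClass LoadChecked(string path)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        using (var fs = File.OpenRead(path))
        {
            return (TestClass)formatter.Deserialize(fs);
        }
    }

    public static void Main()
    {
        string good = Path.Combine(Path.GetTempPath(), "good.bin");
        string other = Path.Combine(Path.GetTempPath(), "other.bin");

        // Constructed inputs: one stream with the expected type, one naming a
        // type that is not on the allow-list (a harmless List<int> stands in for
        // any unexpected payload).
        var bf = new BinaryFormatter();
        using (var fs = File.Create(good)) bf.Serialize(fs, new TestClass { Name = "ok", Age = 1 });
        using (var fs = File.Create(other)) bf.Serialize(fs, new List<int> { 1, 2, 3 });

        Console.WriteLine("Accepted: " + LoadChecked(good).Name);
        try
        {
            LoadChecked(other);
        }
        catch (SerializationException ex)
        {
            Console.WriteLine("Blocked: " + ex.Message);
        }
    }
}
```

Every non-primitive member type reachable from the allowed class must also be on the list, or legitimate streams will be rejected. A binder narrows the attack surface but is a hardening measure rather than a fix: Microsoft's guidance is that BinaryFormatter cannot be made safe for untrusted input and should be replaced, and from .NET 8 it is disabled by default.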