
Example Analysis of SoapFormatter deserialization vulnerability

2025-01-19 Update. From: SLTechnology News&Howtos, Network Security


Shulou(Shulou.com)05/31 Report--

This article analyses the SoapFormatter deserialization vulnerability through a worked example and describes the corresponding analysis and remediation in detail, in the hope of giving readers who face this problem a simpler way to solve it.

I. Preface

NetDataContractSerializer, like DataContractSerializer, serializes and deserializes data sent in Windows Communication Foundation (WCF) messages. There is one important difference between the two: NetDataContractSerializer includes CLR type information, supporting type fidelity by adding extra information and saving references to the CLR type, whereas DataContractSerializer does not. Therefore NetDataContractSerializer can be used only if the serializing and deserializing sides share the same CLR types. The WriteObject or Serialize methods serialize objects, and the ReadObject or Deserialize methods deserialize XML streams. In some scenarios, reading a malicious XML stream triggers a deserialization vulnerability and therefore remote code execution (RCE). This article introduces and reproduces the problem from the perspective of principle and code audit.

II. SoapFormatter serialization

The core Serialize method, defined by the IFormatter interface and implemented by the SoapFormatter class, converts .NET objects into SOAP streams, and the data can be saved as XML files. Officially, two constructors are provided.

Let's use the familiar case to illustrate the problem. First define the TestClass object:

It defines three members and implements a static method ClassMethod that starts the process. To serialize, create an object instance and assign values to the members.

Normally Serialize is used to obtain the serialized SOAP stream, and the originating assembly is persisted through the XML namespace. For example, the start element of the TestClass class in the following figure is qualified by the generated xmlns; note the A1 namespace.

III. SoapFormatter deserialization

3.1 Principle and usage of deserialization

The SoapFormatter deserialization process converts a SOAP message stream into an object: a new SoapFormatter object is created and one of the several overloads of Deserialize is called. Looking at the definition, we can see that the IRemotingFormatter and IFormatter interfaces are implemented.

Looking at the IRemotingFormatter interface definition, we can see that it also inherits IFormatter.

The author's implementation, which creates a new object and calls the Deserialize method, can be seen below:

After deserialization, you get the value of Name, a member of the TestClass class.
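The round trip that sections II and 3.1 describe, written out as an added example (this is not the article's own code). It serializes a TestClass with SoapFormatter, returns the SOAP envelope so the assembly-qualifying namespace on the root element can be inspected, then deserializes the envelope and reads Name. The names TestClass, Demo and ClassMethod, and the field values, are assumptions chosen for illustration; it targets .NET Framework and needs a reference to System.Runtime.Serialization.Formatters.Soap.dll.

```csharp
// Added example, not code from the original article.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Soap;
using System.Text;

[Serializable]
public class TestClass
{
    // Three members, as in the article's TestClass (field names are assumptions).
    public string Name;
    public int Age;
    public string[] Tags;

    // The article's ClassMethod "starts the process"; here it only formats state,
    // because the point of the example is the wire format, not a side effect.
    public static string ClassMethod(TestClass t)
    {
        return t.Name + " (" + t.Age + ")";
    }
}

public static class Demo
{
    // Serialize to SOAP. The root element is qualified by an xmlns whose value
    // carries the assembly-qualified type name under
    // http://schemas.microsoft.com/clr/nsassem/, which is how the stream
    // persists the originating assembly.
    public static string Serialize(TestClass obj)
    {
        using (var ms = new MemoryStream())
        {
            new SoapFormatter().Serialize(ms, obj);
            return Encoding.UTF8.GetString(ms.ToArray());
        }
    }

    // Deserialize the same stream. Deserialize instantiates whatever type the
    // envelope names, which is exactly what makes untrusted input dangerous.
    public static TestClass Deserialize(string soap)
    {
        using (var ms = new MemoryStream(Encoding.UTF8.GetBytes(soap)))
            return (TestClass)new SoapFormatter().Deserialize(ms);
    }

    public static void Main()
    {
        // Constructed sample instance.
        var original = new TestClass { Name = "test", Age = 18, Tags = new[] { "demo" } };
        string soap = Serialize(original);
        Console.WriteLine(soap);                        // inspect the a1 xmlns on the root element
        TestClass copy = Deserialize(soap);
        Console.WriteLine(TestClass.ClassMethod(copy)); // Name member survives the round trip
    }
}
```

Compile it against .NET Framework (the SoapFormatter assembly is not part of .NET Core or .NET 5+); the printed envelope shows why the article says the assembly is "persisted by the XML namespace".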

3.2 Attack vector: ActivitySurrogateSelector

In addition to the constructors, the SoapFormatter class definition also has a SurrogateSelector property. SurrogateSelector is the surrogate selector; the advantage of a serialization surrogate is that once the formatter is about to deserialize an instance of a given type, it calls a method customized by the surrogate object. Examining it shows that the ISurrogateSelector interface is implemented, which is defined as follows:

A serialization surrogate type must implement the System.Runtime.Serialization.ISerializationSurrogate interface, which is defined in the Framework Class Library as follows:

The code checks whether the type resolver's IsSerializable attribute is available. If a direct base class is available, it obtains the derived type System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector, passes it to Activator to create an instance, and then returns to the body of the GetObjectData method. In addition, in order to fully control the serialized data, the System.Runtime.Serialization.ISerializable interface must be implemented; it is defined as follows:

For more information, please refer to the second lesson of .NET Advanced Code Audit, on the Json.Net deserialization vulnerability, where the custom deserialization class reads the attacker-supplied PocClass class through its constructor.

The following figure defines the PayloadClass class, which implements the ISerializable interface; in the GetObjectData method it declares a generic List collection that receives data of type byte.

Add the PocClass object to the List collection, declare a generic IEnumerable collection map_type that receives the Type reflected from the assembly and returns an IEnumerable, and finally create an instance with Activator.CreateInstance and save it to e3, an iterator over the enumerated collection.

The figure above places the variable e3 into the paging control's data source. The PagedDataSource class definition makes this clear at a glance.

In addition, the type returned by System.Runtime.Remoting.Channels.AggregateDictionary supports IDictionary; a DesignerVerb object is then instantiated and assigned arbitrary values, mainly to fill the Properties property of the MenuCommand class, and finally values are assigned to the qualified buckets in the hash table.

Next, add data sources with collections: the DataSet and DataTable objects inherit from the System.ComponentModel.MarshalByValueComponent class, serialize their data and support the remoting ISerializable interface; DataSet is the only remoting-enabled object in ADO.NET and is persisted in binary format.

Set the DataSet.RemotingFormat property to SerializationFormat.Binary, set DataSet.CaseSensitive to false, and so on, and then call BinaryFormatter to serialize the List collection, as shown in the following figure.

Because the RemotingFormat property is set to Binary, the BinaryFormatter formatter is brought in, and its SurrogateSelector property is set to the custom MySurrogateSelector class. SOAP-XML is obtained after serialization; the stream read from the file is then parsed by the Deserialize method of the SoapFormatter object, and the calculator pops up successfully.

3.3 Attack vector: PSObject

Because the author's Windows host has been patched for CVE-2017-8565 (Windows PowerShell remote code execution vulnerability), exploitation did not succeed, so it is not discussed in depth here; interested readers can study it on their own. For more information about the patch, see: https://support.microsoft.com/zh-cn/help/4025872/windows-powershell-remote-code-execution-vulnerability

IV. Code audit

4.1 XML load

From the code audit point of view, it is also very common to find a vulnerable entry point that accepts XML. Note that LoadXml loads the XML data directly, which can also cause XXE vulnerabilities. For example, this code:

The cost of exploiting this vulnerability is very low: the attacker only needs to control the incoming string parameter source to trigger the deserialization vulnerability and pop up the calculator.

4.2 File read

This is a code snippet from a real application. During the audit, you only need to check whether the path variable passed to the DeserializeSOAP method is controllable.
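The two audit sinks from sections 4.1 and 4.2 side by side with a hardened variant, as an added example that is not the article's own code or the audited application's code. The method and class names (LoadFromXml, DeserializeSOAP, AllowListBinder, Hardened) and the TestClass shape are assumptions; the hardening pattern (restrict the formatter with a SerializationBinder, or replace it with DataContractSerializer over a fixed type and an XML reader with DTDs disabled) is the standard mitigation, not something the article prescribes. .NET Framework only.

```csharp
// Added example, not code from the original article.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Soap;
using System.Text;
using System.Xml;

[Serializable]
public class TestClass
{
    public string Name;
    public int Age;
}

public static class AuditSinks
{
    // 4.1: the attacker-controlled string "source" reaches SoapFormatter.Deserialize.
    // LoadXml is itself a sink: with a resolver attached, external entities resolve (XXE).
    public static object LoadFromXml(string source)
    {
        var doc = new XmlDocument();
        doc.LoadXml(source);                            // sink 1: XXE when XmlResolver != null
        byte[] bytes = Encoding.UTF8.GetBytes(doc.OuterXml);
        using (var ms = new MemoryStream(bytes))
            return new SoapFormatter().Deserialize(ms); // sink 2: any type graph the XML names
    }

    // 4.2: if "path" is controllable, the file contents are effectively attacker input,
    // so this is the same sink reached through a file read.
    public static object DeserializeSOAP(string path)
    {
        using (var fs = File.OpenRead(path))
            return new SoapFormatter().Deserialize(fs);
    }
}

// A binder that only resolves the types the application expects. This cuts the
// attack surface, but Microsoft does not treat a binder as a complete fix for
// BinaryFormatter/SoapFormatter, so prefer the DataContractSerializer path below
// for untrusted input.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Type[] Allowed = { typeof(TestClass), typeof(string) };

    public override Type BindToType(string assemblyName, string typeName)
    {
        foreach (Type t in Allowed)
            if (t.FullName == typeName) return t;
        throw new SerializationException("Type not permitted: " + typeName);
    }
}

public static class Hardened
{
    // Same formatter, but every type named in the envelope must pass the binder.
    public static TestClass DeserializeWithBinder(Stream s)
    {
        var formatter = new SoapFormatter { Binder = new AllowListBinder() };
        return (TestClass)formatter.Deserialize(s);
    }

    // Recommended replacement: a serializer bound to one CLR type, fed by a reader
    // that prohibits DTDs and has no resolver, which closes the XXE path as well.
    public static TestClass DeserializeDataContract(Stream s)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        using (XmlReader reader = XmlReader.Create(s, settings))
            return (TestClass)new DataContractSerializer(typeof(TestClass)).ReadObject(reader);
    }
}
```

When auditing, grep for `SoapFormatter` and `.Deserialize(` and trace the stream argument back to its origin; a parameter like `source` or `path` that can be influenced by a request is the finding, regardless of whether a binder is present.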

This concludes the example analysis of SoapFormatter deserialization vulnerabilities. I hope the above content is of some help to you. If you still have questions, you can follow the industry information channel for more related knowledge.


© 2024 shulou.com SLNews company. All rights reserved.
