Upgrade to Pro — share decks privately, control downloads, hide ads and more …

.NET Serialization: Detecting and defending vulnerable endpoints

Alvaro
April 06, 2018
Technology
0
4.1k

.NET Serialization: Detecting and defending vulnerable endpoints

2016 was the year of Java deserialization apocalypse. Although Java Deserialization attacks were known for years, the publication of the Apache Commons Collection Remote Code Execution gadget (RCE from now on) finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues. .NET is next in line; formatters such as BinaryFormatter and NetDataContractSerializer are known to share similar mechanics which make them potentially vulnerable to similar RCE attacks. However, as we saw with Java before, the lack of RCE gadgets led some software vendors to not take this issue seriously. In this talk, we will analyze .NET serializers including third party JSON parsers for potential RCE vectors. We will provide real-world examples of vulnerable code and more importantly, we will review how these vulnerabilities were detected and fixed in each case.

Alvaro

April 06, 2018
Tweet

More Decks by Alvaro

See All by Alvaro
JVM Deserialization Attacks: Separating the Truth from the Hype
pwntester
0
560
Attacking .NET Serialization
pwntester
6
29k
Friday the 13th: JSON Attacks
pwntester
0
7.6k
Friday the 13th: JSON Attacks
pwntester
0
240
Friday the 13th: JSON Attacks
pwntester
0
120
Surviving the Java Deserialization Apocalypse
pwntester
0
5.9k
A Journey From JNDI/LDAP Manipulation to Remote Code Execution Dream Land
pwntester
0
520
Seguridad en las aplicaciones Android
pwntester
0
62
Serial Killer: Silently Pwning Your Java Endpoints
pwntester
0
850

Other Decks in Technology

See All in Technology
変化する組織の中で運用するフロントエンドエコシステム / Frontend Ecosystem in Organizational Changes
i524
1
470
動画配信サービスの 人気番組配信のスパイクアクセスに、 サーバレスキャッシュで立ち向かう
miu_crescent
1
280
LLM×Cloud Runでオンライン薬局の既存オペレーションを自動化した話
pharma_x_tech
0
240
Designing an Incident Response Process at Scale
opeonikute
0
150
DroidKaigi 2023
keiji
0
360
土壌と植物で奏でるアート~農業における新たなパラダイム~
shinrinakamura
0
160
コドモンSREにおける オブザーバビリティ改善の道のり
codmoninc
0
120
Product Ops: Conectando Estratégia e Execução de Produto
rigolon
1
130
データベーススペシャリストというキャリアと生存戦略 ~10年後も変わらないこと、変わること / career-spiral
soudai
16
4.4k
著作権とは何か?〜初歩的概念から権利利用法、侵害要件まで
line_developers
PRO
5
840
四国クラウドお遍路_AWSアップデート2023
tsujiba
0
250
War for talent 時代の、古くて新しい仲間集めの形_~weak ties と strong tiesの力~
sadonosake
0
270

Featured

See All Featured
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
6
7.1k
VelocityConf: Rendering Performance Case Studies
addyosmani
318
23k
A Tale of Four Properties
chriscoyier
150
21k
Rails Girls Zürich Keynote
gr2m
90
12k
Automating Front-end Workflow
addyosmani
1354
200k
[Brighton Ruby 2023] The Magic of Rails
eileencodes
3
270
KATA
mclloyd
13
11k
Imperfection Machines: The Place of Print at Facebook
scottboms
257
12k
Robots, Beer and Maslow
schacon
154
7.6k
What's new in Ruby 2.0
geeforr
336
30k
A better future with KSS
kneath
230
16k
Embracing the Ebb and Flow
colly
77
3.8k

Transcript

  1. .NET SERIALIZATION
    Alvaro Muñoz
    pwntester

    View Slide

  2. > whoami
    § Alvaro Muñoz a.k.a. @pwntester
    - Principal security researcher with Micro Focus Fortify
    - Presented my research at different conferences such as:
    - BlackHat, Defcon, RSA, OWASP AppSecEU, AppSecUSA, JavaOne, etc.
    - Responsibly reported critical vulnerabilities to companies/frameworks such as:
    - Microsoft, Oracle, Workday, Salesforce, HPE, Pivotal, Apache, Atlassian, Lightbend,
    etc.

    View Slide

  3. Some serialization experience
    http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
    http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/
    http://www.pwntester.com/blog/2013/12/16/cve-2011-2894-deserialization-spring-rce/
    https://gist.github.com/pwntester/ab70e88821b4a6633c06
    https://github.com/pwntester/SerialKillerBypassGadgetCollection
    3
    XM
    LDecoder
    XStream
    Spring
    RCE
    Gafget
    Apache Commons
    Collections
    RCE Gadget
    Look-Ahead
    Bypass
    M
    ultiple
    RCE
    Gadgets
    JRE
    8u20 RCE
    Gadget
    JSON
    Deserialization
    2013 2014 2015 2016 2017 2018

    2012

    View Slide

  4. 4
    1001010
    0101001
    0101010

    View Slide

  5. 5

    View Slide

  6. 6
    Tic
    Tic
    Tic
    Tic
    Tic
    Tic
    Tic
    Tac
    Tac
    Tac
    Tac
    Tac
    Tac
    Tac
    Tac
    10101011001010110
    1010101011011
    1000
    1000
    1010101011010
    101010110010101001

    View Slide

  7. Agenda
    1. Serialization 101
    2. .NET serializers
    1. Native
    2. 3rd Party
    3. Detecting vulnerable endpoints
    4. Fixing vulnerable endpoints
    Inside

    View Slide

  8. Serialization 101

    View Slide

  9. Marshalling Pickles

    View Slide

  10. Marshalling Pickles
    10

    View Slide

  11. Marshalling Pickles
    11

    View Slide

  12. Marshalling Pickles
    12
    Pickle Rick

    View Slide

  13. Marshalling Pickles
    13
    Pickle Rick

    View Slide

  14. Marshalling Pickles
    14
    Type Discriminator
    Pickle Rick

    View Slide

  15. Marshalling Pickles
    15
    Pickle Rick

    View Slide

  16. Marshalling Pickles
    16
    Pickle Rick

    View Slide

  17. Marshalling Pickles
    17
    Morty
    Pickle Rick

    View Slide

  18. Marshalling Pickles
    18
    Pickle Rick
    Morty

    View Slide

  19. Methods Invoked to Fully Reconstruct Objects
    § Deserialization callbacks:
    - Java:
    - readObject/readResolve
    - .NET:
    - Deserialization constructor overload
    • (SerializationInfo, StreamingContext)
    - IDeserializationCallback.OnDeserialization(Object)
    - [OnDeserializing]/[OnDeserialized] annotated methods
    § Setters
    19

    View Slide

  20. Gadgets
    § Attacker controls:
    § Gadget:
    - Type which contains one or more methods invoked during the
    deserialization process that under controlled circumstances may do bad
    things
    20
    Type
    Type Property
    Values

    View Slide

  21. System.Windows.Data.ObjectDataProvider
    set_MethodName()
    BeginQuery()
    QueryWorker()
    InvokeMethodOnInstance()
    Refresh()
    set_ObjectType()
    set_ObjectInstance()

    View Slide

  22. Gadgets
    22

    View Slide

  23. ysoserial.net
    23

    View Slide

  24. 24

    View Slide

  25. .NET Formatters

    View Slide

  26. Introduction
    § Attacks on .NET formatters are not new
    § James Forshaw already introduced them at BlackHat 2012 for
    - BinaryFormatter (Binary)
    - NetDataContractSerializer (XML)
    § Lack of Remote Code Execution gadgets until 2017

    View Slide

  27. Vulnerable in default configuration
    § BinaryFormatter (Binary)
    - BinaryMessageFormatter (Binary) [MSMQ]
    - ObjectStateFormatter (Binary) [ViewState]
    - LosFormatter (Binary)
    § NetDataContractSerializer (XML)
    § SoapFormatter (XML)
    § FastJSON (JSON)
    § Sweet.Jayson (JSON)
    27

    View Slide

  28. BinaryFormatter
    28

    View Slide

  29. Eg: AppHarbor
    29

    View Slide

  30. Eg: AppHarbor
    30

    View Slide

  31. Super-Cookie AntiPattern
    31 https://blog.appharbor.com/2012/04/04/cookietempdataprovider-for-asp-net (now deleted)

    View Slide

  32. Actually that advice is everywhere :(
    32

    View Slide

  33. Silently removed from ASP.NET MVC
    33

    View Slide

  34. Demo
    34

    View Slide

  35. Azure Active Directory Application Proxy

    View Slide

  36. 36

    View Slide

  37. Vulnerable if developers mess it up (1/2)
    §Attacker can control Expected Type:
    -DataContractSerializer (XML)
    -DataContractJsonSerializer (JSON)
    -XmlSerializer (XML)
    - XmlMessageSerializer (XML) [MSMQ]
    37

    View Slide

  38. XmlSerializer
    38
    DotNetNuke CMS (CVE-2017-9822 )
    Do not let users control Expected Type

    View Slide

  39. Vulnerable if developers mess it up (2/2)
    § Insecure Configuration:
    - JavaScriptSerializer (JSON)
    - JSON.NET (JSON)
    - FSPickler (JSON)
    39

    View Slide

  40. JavaScriptSerializer
    40
    Do not use Type Resolver

    View Slide

  41. JSON.NET
    41
    Do not use TypeNameHandling != None

    View Slide

  42. Detecting Vulnerable
    Endpoints

    View Slide

  43. Passive
    §Magic numbers:
    §Burp plugin
    - pwntester/dotnet-deserialization-scanner
    -False Positives
    - Some Images may contain similar bytes
    - May appear in signed ViewState
    AAEAAAD/////…

    View Slide

  44. Active
    §Send payload and watch execute (DAST)
    -Use ysoserial.net to generate:
    - DoS gadget (sleep)
    - URL gadget (DNS Lookup)
    §Instrument deserialize methods (IAST)
    -Monitor running application
    44

    View Slide

  45. Static
    § Single dataflow+controlflow
    - Track data to be deserialized
    - eg: BinaryFormatter
    § Dual dataflow+controlflow
    - Track data to be deserialized and expected type
    - eg: XmlSerializer
    45

    View Slide

  46. Fixing vulnerable endpoints
    46

    View Slide

  47. 1 - Stop using it

    View Slide

  48. 1 - Stop using it
    § Do you really need it?
    - eg: Nancy (CVE-2017-9785)
    - NCSRF cookie (CSRF token)
    § Do you really need Type discriminators in JSON/XML?
    - eg: Breeze (CVE-2017-9424 )
    - Type information not needed since it works with JS clients
    48

    View Slide

  49. JSON.NET
    49
    Use TypeNameHandling == None

    View Slide

  50. 2 - Sign and verify it
    § Use HMAC, never MD5(secret + data) | SHA1(secret + data)
    § Examples:
    - AppHarbor
    - Azure Active Directory
    § ASP.NET MVC Futures -> ASP.NET MVC
    - Uses the DataProtection API which offers both Integrity and Confidentiality
    § ASP.NET ViewState
    50

    View Slide

  51. Signed Cookie
    51
    DataProtector.Protect(bytes) == Sign it (and optionally encrypt it)

    View Slide

  52. ViewState
    § ViewState contains the page state serialized using
    ObjectStateFormatter.
    § Since 4.5.2 ASP.NET ignores `EnableViewStateMac` and will always
    sign and encrypt the ViewState
    - Patch was applied retroactively back to 1.1
    § Still found hundreds (200+) of servers using old versions without
    signing/encryption!
    52

    View Slide

  53. ViewState
    § In 4.5 Microsoft added Purpose to derive unique keys for each request
    53
    KDF
    Encryption Key
    Validation Key
    Encryption Key
    Validation Key
    (per-request) Purposes Strings
    MachineKey (per-request) keys

    View Slide

  54. ViewState
    § PrimaryPurpose and some specific purposes are easily predictable,
    but what about ViewStateUserKey …
    54
    URL: /Account/Register

    View Slide

  55. ViewState
    55

    View Slide

  56. Careful with leaking the keys
    § Leak web.config through XXE vulnerabilities
    - eg: AfterLogic WebMail Pro ASP.NET 6.2.6 - Administrator Account
    Disclosure via XXE
    § Leak web.config through Padding Oracle
    - (MS10-070) (CVE-2010-3332)
    § Vulnerability in .NET Framework Could Allow Information Disclosure
    - (MS15-041) (CVE-2015-1648)
    56

    View Slide

  57. Yellow Screen of Death
    57 https://www.troyhunt.com/owasp-top-10-for-net-developers-part-6/

    View Slide

  58. Don’t make it public
    58

    View Slide

  59. Careful with One-Click Installers
    59

    View Slide

  60. Careful with leaking the key
    60
    https://msdn.microsoft.com/en-us/library/ms178199(v=vs.85).aspx
    You can help prevent modification to your application configuration by
    encrypting sections of configuration files.
    For more information, see “Encrypting Configuration Information Using
    Protected Configuration” (https://msdn.microsoft.com/en-
    us/library/53tyfkaw(v=vs.85).aspx)

    View Slide

  61. 3 - Bind it
    § Constrain allowed types
    § Serialization binders
    - Allows users to control class loading and mandate what class to
    load.
    § Also Known As “look-ahead deserialization” in Java
    61

    View Slide

  62. Strict White List
    62
    Credit: Jonathan Birch - Microsoft Corporation

    View Slide

  63. Strict White List
    63

    View Slide

  64. Never use BlackLists or Broad WhiteLists
    64

    View Slide

  65. Bypass Gadgets
    65
    System.Data.DataSet

    View Slide

  66. Also …
    66
    •Don’t use IsAssignableFrom
    • Attackers can find a generic Object type in the Object graph to place
    the payload.
    •Don’t return null for unexpected types
    • Some serializers fall back to a default binder, allowing exploits.
    •Don’t use reflection to look up types:
    Assembly.Load(assemblyName).GetType(typeName);
    • Reflection is slow, and a malicious user can DoS your application by
    forcing it to spend memory and time loading irrelevant assemblies.
    Credit: Jonathan Birch - Microsoft Corporation

    View Slide

  67. 4 - Replace It
    § Structured Data Approaches:
    - You define how you want your data to be structured once, then
    you can use special generated source code to easily write and read
    your structured data to and from a variety of data streams and
    using a variety of languages.
    - Eg: Google Protocol Buffers
    § Untyped JSON/XML
    - Eg: Json.NET with TypeNameHandling.None
    67

    View Slide

  68. Mahalo!
    [email protected]
    @pwntester

    View Slide

  69. 69

    View Slide