Are You My Type? - Breaking .NET Sandboxes Through Serialization

Presented at Black Hat USA 2012

In May, Microsoft issued a security update for .NET due to a number of serious issues I found. This release was the biggest update in the product's history; it aimed to correct a number of specific issues caused by unsafe serialization usage, and it changed some of the core functionality to mitigate anything that could not easily be fixed without significant compatibility issues. This presentation will cover the process through which I identified these vulnerabilities and provide information on how they can be used to attack .NET applications, both locally and remotely. It will also demonstrate breaking out of the partial trust sandboxes used in technologies such as ClickOnce and XAML Browser Applications.