Second Breakfast: Implicit and Mutation-Based Serialization Vulnerabilities in .NET

Presented at DEF CON 31 (2023), Aug. 11, 2023, 2:30 p.m. (45 minutes)

Exploits of insecure serialization leading to remote code execution have been a common attack against .NET applications for some time. But it's generally assumed that exploiting serialization requires that an application directly uses a serializer and that it unsafely reads data that an attacker can tamper with. This talk demonstrates attacks that violate both of these assumptions. This includes serialization exploits of platforms that don't use well-known .NET serializers and methods to exploit deserialization even when the serialized data cannot be tampered with. Remote code execution vulnerabilities in MongoDB, LiteDB, ServiceStack.Redis, RavenDB, MartenDB, JSON.Net and the .NET JavaScriptSerializer are all demonstrated. Techniques to both scan for and mitigate these vulnerabilities are also discussed. REFERENCES: * "Are You My Type? Breaking .net Sandboxes Through Serialization", James Forshaw, Black Hat 2012 * "Friday the 13th JSON Attacks", Alvaro Muñoz & Oleksandr Mirosh, Black Hat 2017 * See also: https://github.com/pwntester/ysoserial.net for useful payload generators.

Presenters:

• Jonathan Birch - Principal Security Software Engineer at Microsoft
  Jonathan Birch is a Principal Security Software Engineer for Microsoft. He hacks Office. His previous talks include "Host/Split: Exploitable Antipatterns in Unicode Normalization" at Black Hat 2019 and "Dangerous Contents - Securing .NET Deserialization" at BlueHat 2017.

Links:

• https://forum.defcon.org/node/245716

Similar Presentations:

• Black Hat USA 2011 / Hacking .Net Applications: The Black Arts
• Summercon 2014 / The Agony and the Ecstasy of .NET Application Exploitation
• Black Hat USA 2012 / Are You My Type? - Breaking .NET Sandboxes Through Serialization