.NET Serialization: Detecting and defending vulnerable endpoints

Presented at LocoMocoSec 2018, April 6, 2018, 3 p.m. (40 minutes).

2016 was the year of the Java deserialization apocalypse. Although Java deserialization attacks had been known for years, the publication of the Apache Commons Collections remote code execution (RCE) gadget finally brought this forgotten vulnerability class into the spotlight and motivated the community to start finding and fixing these issues. .NET is next in line: formatters such as BinaryFormatter and NetDataContractSerializer are known to share similar mechanics, which make them potentially vulnerable to the same kind of RCE attacks. However, as we saw with Java before, the absence of known RCE gadgets led some software vendors not to take the issue seriously. In this talk, we will analyze .NET serializers, including third-party JSON parsers, for potential RCE vectors. We will provide real-world examples of vulnerable code and, more importantly, review how these vulnerabilities were detected and fixed in each case.
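The mechanic the abstract refers to is that BinaryFormatter (and NetDataContractSerializer) instantiate whatever serializable type the incoming bytes name and run that type's deserialization callbacks, so an attacker who controls the stream also controls which types get constructed. The following is an added example, not code from the talk or from Fortify, showing the vulnerable endpoint pattern beside a hardened one that pins the type through a fail-closed SerializationBinder. The OrderRequest and NotAnOrder types, the endpoint classes and the sample payloads are all constructed for this illustration; NotAnOrder merely stands in for an attacker-chosen type and is not a gadget. It targets a .NET Framework console app; on .NET 5 and later BinaryFormatter is marked obsolete (SYSLIB0011) and is disabled by default.

```csharp
// Added example (not from the talk): BinaryFormatter endpoint that trusts the
// type named in the stream, beside one that only resolves allow-listed types.
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

namespace SerializationDemo
{
    // Hypothetical type the endpoint is meant to receive.
    [Serializable]
    public class OrderRequest
    {
        public int OrderId;
        public string Sku;
    }

    // Any other [Serializable] type stands in for an attacker-chosen payload.
    // A real gadget chain is simply a type whose deserialization side effects do harm.
    [Serializable]
    public class NotAnOrder
    {
        public string Note;
    }

    // Vulnerable: the formatter constructs whatever type the untrusted bytes
    // name and runs its deserialization callbacks before the caller can inspect it.
    public static class VulnerableEndpoint
    {
        public static object Handle(Stream untrustedBody)
        {
            return new BinaryFormatter().Deserialize(untrustedBody);
        }
    }

    // Hardened: a binder that resolves only allow-listed type names and throws
    // for anything else, before any object is constructed.
    public sealed class AllowListBinder : SerializationBinder
    {
        private readonly Dictionary<string, Type> _allowed =
            new Dictionary<string, Type>(StringComparer.Ordinal);

        public AllowListBinder(params Type[] allowed)
        {
            foreach (var t in allowed)
                _allowed[t.FullName] = t;
        }

        public override Type BindToType(string assemblyName, string typeName)
        {
            if (_allowed.TryGetValue(typeName, out var type))
                return type;
            // Fail closed: returning null tells the formatter to resolve the
            // type itself, which would re-open the hole.
            throw new SerializationException(
                $"Refusing to deserialize type '{typeName}' from '{assemblyName}'.");
        }
    }

    public static class HardenedEndpoint
    {
        public static OrderRequest Handle(Stream untrustedBody)
        {
            var formatter = new BinaryFormatter { Binder = new AllowListBinder(typeof(OrderRequest)) };
            return (OrderRequest)formatter.Deserialize(untrustedBody);
        }
    }

    public static class Program
    {
        // Constructed input: serialize locally to stand in for a request body.
        private static MemoryStream Serialize(object graph)
        {
            var ms = new MemoryStream();
            new BinaryFormatter().Serialize(ms, graph);
            ms.Position = 0;
            return ms;
        }

        public static void Main()
        {
            var expected = Serialize(new OrderRequest { OrderId = 42, Sku = "ABC-1" });
            var hostile = Serialize(new NotAnOrder { Note = "type chosen by the sender" });

            // The vulnerable endpoint happily materializes both runtime types.
            Console.WriteLine(VulnerableEndpoint.Handle(expected).GetType().Name);
            Console.WriteLine(VulnerableEndpoint.Handle(hostile).GetType().Name);

            // The hardened endpoint accepts the expected type and rejects the other.
            Console.WriteLine(HardenedEndpoint.Handle(expected).OrderId);
            try
            {
                HardenedEndpoint.Handle(hostile);
            }
            catch (SerializationException e)
            {
                Console.WriteLine("Blocked: " + e.Message);
            }
        }
    }
}
```

The same SerializationBinder can be assigned to NetDataContractSerializer.Binder, since that formatter also lets the stream name the type. Two caveats a practitioner should keep in mind: the binder must throw rather than return null, because null means "resolve normally"; and an allow list is a mitigation for code that cannot be changed yet, while the durable fix is to stop feeding untrusted input to these formatters at all.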


Presenters:

  • Alvaro Muñoz - Micro Focus Fortify
    Alvaro Muñoz (@pwntester) works as Principal Software Security Researcher with Micro Focus Fortify. In this role, Muñoz can apply his passion for understanding software architecture and how security dependencies permeate systems. Before joining the research team, he worked as an Application Security Consultant helping enterprises deploy their application security programs. Muñoz has been a speaker at security conferences such as DEF CON, Black Hat, RSA, OWASP AppSec EU, HPE Protect and many others, and holds several infosec certifications, including OSCP, GWAPT and CISSP. He is a proud member of the int3pids CTF team and blogs at http://www.pwntester.com.
