It's proven that deserialing arbitrary payloads under certain conditions can trigger code execution. BinaryFormatter, DataContractSerializer, XmlSerializer, as well as several widely used JSON serializers are known to be vulnerable.
See ysoserial.net project for details.
This tiny library tries to fix several known BinaryFormatter vulnerabilities. When a malicious payload is detected, the library throws an exception instead of deserializing the data.
// unsafe: deserialization can trigger arbitrary code execution
var fmt = new BinaryFormatter();
var object = fmt.Deserialize(stream);
// safe: deserialization is guarded against known vulnerabilities
var fmt = new BinaryFormatter().Safe();
var object = fmt.Deserialize(stream);TODO: publish a Nuget package
- ActivitySurrogateSelector gadget by James Forshaw (loads an assembly and executes arbitrary code).
- PSObject gadget by Oleksandr Mirosh and Alvaro Munoz. Target must run a system not patched for CVE-2017-8565.
- TypeConfuseDelegate gadget by James Forshaw (runs any process using Process.Start delegate).
- DataSet gadget by James Forshaw (unsafe BinaryFormatter deserialization).
- WindowsIdentity gadget by Levi Broderick (unsafe BinaryFormatter deserialization).
- Exploiting .NET Managed DCOM by James Forshaw
- Are you my Type? by James Forshaw
- Attacking .NET serialization by Alvaro Munoz
- Friday the 13th: JSON Attacks by Alvaro Munoz and Oleksandr Mirosh
- Severe Deserialization Issues Also Affect .NET, Not Just Java by Catalin Cimpanu
- ysoserial.net exploit collection by Alvaro Munoz
- Markus Wulftange — for bringing up the problem to my attention
- James Forshaw — for the great blog posts, papers and talks on the subject
- Alvaro Munoz, Oleksandr Mirosh — for the awesome educational ysoserial.net project
- Chris Frohoff — for the original ysoserial Java project
- Levi Broderick — for more malicious gadgets
MIT License.