Skip to content

Latest commit

 

History

History
68 lines (50 loc) · 3.96 KB

README.md

File metadata and controls

68 lines (50 loc) · 3.96 KB

Zyan.SafeDeserializationHelpers

This tiny library tries to fix several known BinaryFormatter vulnerabilities. When a malicious payload is detected, the library throws an UnsafeDeserializationException instead of deserializing the data that is able to produce bad side effects.

GitQ appveyor tests nuget

Deserializing the untrusted data is dangerous

It's proven that deserialing arbitrary payloads under certain conditions can trigger code execution. BinaryFormatter, DataContractSerializer, XmlSerializer, as well as several widely used JSON serializers are known to be vulnerable.

See ysoserial.net project for details.

Code sample

// unsafe: deserialization can trigger arbitrary code execution
var fmt = new BinaryFormatter();
var object = fmt.Deserialize(stream);

// safe: deserialization is guarded against known vulnerabilities
var fmt = new BinaryFormatter().Safe();
var object = fmt.Deserialize(stream);

Usage

  1. Install Zyan.SafeDeserializationHelpers nuget package.
  2. Use new BinaryFormatter().Safe() instead of just new BinaryFormatter().
  3. For .NET Remoting projects, use safe versions of the binary formatter sinks:
    • Replace BinaryClientFormatterSinkProvider with SafeBinaryClientFormatterSinkProvider.
    • Replace BinaryServerFormatterSinkProvider with SafeBinaryServerFormatterSinkProvider.
  4. Make sure to test your project against payloads produced by ysoserial.net gadgets.

Known vulnerabilities supported by the library

  • ActivitySurrogateSelector gadget by James Forshaw (loads an assembly and executes arbitrary code).
  • PSObject gadget by Oleksandr Mirosh and Alvaro Munoz. Target must run a system not patched for CVE-2017-8565.
  • TypeConfuseDelegate gadget by James Forshaw (runs any process using Process.Start delegate).
  • DataSet gadget by James Forshaw (unsafe BinaryFormatter deserialization).
  • WindowsIdentity gadget by Levi Broderick (unsafe BinaryFormatter deserialization).

References

Thanks

License

MIT License.