From baec5a4316d598f38184492ea20baf27baae6ed1 Mon Sep 17 00:00:00 2001 From: yallie Date: Thu, 26 Apr 2018 17:36:04 +0300 Subject: [PATCH] MIT license. --- LICENSE | 21 +++++++++++++++++++++ README.md | 42 ++++++++++++++++++++++++++++++++++++++---- 2 files changed, 59 insertions(+), 4 deletions(-) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..e5500b0 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2018 Alexey Yakovlev + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md index 946f94e..f49e062 100644 --- a/README.md +++ b/README.md 
@@ -1,23 +1,57 @@ # Deserializing the untrusted data is dangerous -This tiny library tries to fix several known BinaryFormatter vulnerabilities. +It's proven that deserialing arbitrary payloads under certain conditions can +trigger code execution. BinaryFormatter, DataContractSerializer, XmlSerializer, +as well as several widely used JSON serializers are known to be vulnerable. + See [ysoserial.net](https://github.com/pwntester/ysoserial.net) project for details. +This tiny library tries to fix several known BinaryFormatter vulnerabilities. +When a malicious payload is detected, the library throws an exception instead of +deserializing the data. + [![appveyor](https://ci.appveyor.com/api/projects/status/github/zyanfx/safedeserializationhelpers?svg=true)](https://ci.appveyor.com/project/yallie/safedeserializationhelpers) [![tests](https://img.shields.io/appveyor/tests/yallie/safedeserializationhelpers.svg)](https://ci.appveyor.com/project/yallie/safedeserializationhelpers/build/tests) # Code sample ```csharp -// bad: deserialization can trigger arbitrary code execution +// unsafe: deserialization can trigger arbitrary code execution var fmt = new BinaryFormatter(); var object = fmt.Deserialize(stream); -// better: deserialization is checked against known vulnerabilities +// safe: deserialization is guarded against known vulnerabilities var fmt = new BinaryFormatter().Safe(); var object = fmt.Deserialize(stream); ``` # Usage -TODO: publish a Nuget package \ No newline at end of file +TODO: publish a Nuget package + +# Known vulnerabilities supported by the library + +* **ActivitySurrogateSelector** gadget by James Forshaw (loads an assembly and executes arbitrary code). +* **PSObject** gadget by Oleksandr Mirosh and Alvaro Munoz. Target must run a system not patched for CVE-2017-8565. +* **TypeConfuseDelegate** gadget by James Forshaw (runs any process using Process.Start delegate). +* **DataSet** gadget by James Forshaw (unsafe BinaryFormatter deserialization). 
+* **WindowsIdentity** gadget by Levi Broderick (unsafe BinaryFormatter deserialization). + +# References + +* [Exploiting .NET Managed DCOM](https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html) by James Forshaw +* [Are you my Type?](https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf) by James Forshaw +* [Attacking .NET serialization](https://speakerdeck.com/pwntester/attacking-net-serialization) by Alvaro Munoz +* [ysoserial.net](https://github.com/pwntester/ysoserial.net) exploit collection by Alvaro Munoz + +# Thanks + +* [Markus Wulftange](https://github.com/mwulftange) — for bringing up the problem to my attention +* [James Forshaw](https://github.com/tyranid) — for the great blog posts, papers and talks on the subject +* [Alvaro Munoz](https://github.com/pwntester) — for the awesome educational ysoserial.net project +* [Chris Frohoff](https://github.com/frohoff) — for the original ysoserial Java project +* [Levi Broderick](https://github.com/GrabYourPitchforks), Oleksandr Mirosh — for more malicious gadgets + +# License + +MIT License.
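Review bot: The new LICENSE file in the first hunk is the standard MIT text with the 2018 copyright line and needs no change, but nothing else in the patch points to it: the README.md hunk's new `# License` section says only `MIT License.`, so add a link to the LICENSE file there (for example `MIT License, see [LICENSE](LICENSE).`) so readers of the README can find the full terms.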
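Review bot: In the README.md hunk the retained code sample declares `var object = fmt.Deserialize(stream);`, which does not compile because `object` is a C# keyword; rename the local (for example `var obj = fmt.Deserialize(stream);`) in both the unsafe and the guarded variant. The new comment `// safe: deserialization is guarded against known vulnerabilities` also promises more than the hunk's own text describes: the library "tries to fix several known BinaryFormatter vulnerabilities" and throws only "when a malicious payload is detected", so `.Safe()` is a denylist of the five gadgets listed under the new heading and cannot cover gadgets it does not know about; keep the earlier wording `// better: ...` or say "guarded against the known gadgets listed below". Minor: "deserialing" in the first added paragraph should be "deserializing", and the heading "Known vulnerabilities supported by the library" reads as if the library supports the exploits; "Known gadget chains detected by the library" matches the behaviour the paragraph above it describes.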