This module is for students looking to refine their knowledge of deserialization vulnerabilities specifically in regards to custom exploit development and whitebox testing; it aims to teach students enough about .NET deserialization and exploit development that they become comfortable exploiting such vulnerabilities on their own.
This module is divided up as follows:
Introduction: A brief refresher on Deserialization Attacks and an introduction to the module.
Identifying Deserialization Vulnerabilities: We discuss how to decompile a .NET application so that we may identify vulnerabilities as well as how to debug without source code.
Exploiting Deserialization Vulnerabilities: We tackle 3 unique deserialization vulnerabilities using custom exploits.
Defending against Deserialization Vulnerabilities: We discuss how to develop .NET applications securely to prevent deserialization attacks from happening.
Skills Assessment: Put your skills to the test against a custom target vulnerable to deserialization attacks.
This module is broken into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the PwnBox provided in the interactive sections or your virtual machine.
Introduction to .NET Deserialization Attacks
Note: To fully grasp the concepts taught throughout this module, it is
expected that you have some
basic understanding of deserialization vulnerabilities, as well as
basic programming skills, preferably in
C#/.NET. Despite the module offering a pre-customized Windows VM for exploit development in some of the sections, having a local one will be beneficial.
Serialization is the process of converting an object from memory into a series of bytes. This data is then stored or transmitted over a network. Subsequently, it can be reconstructed later by a different program or in a different machine environment. Conversely, deserialization is the reverse action, wherein serialized data is reconstructed back into the original object. However, when an application deserializes user-controlled data, there is a risk of deserialization vulnerabilities occurring, which may be exploited to achieve objectives such as
remote code execution,
arbitrary file read, and
denial of service.
Many programming languages, including Java, Ruby, Python, and PHP, offer serialization and deserialization runtime libraries. The Introduction to Deserialization Attacks module covered fundamental deserialization attacks targeting web applications that use PHP and Python for the backend.
C#, Microsoft's flagship programming language, which utilizes the .NET framework, also provides multiple serialization technologies; moreover, it is the primary language developers use while building Internet-connected apps with ASP.NET Core, a widely used web development framework employed by numerous websites worldwide.
Understanding how to identify and exploit .NET deserialization vulnerabilities not only strengthens our offensive security toolkit significantly but also provides insights into how threat actors achieved RCE after exploiting CVE-2023-34362 - the MOVEit vulnerability that wreaked havoc globally.
- XML and SOAP serialization: Serialize only the public properties and fields of objects, not preserving type fidelity.
- Binary serialization: Records the complete state of the object and preserves type fidelity; when deserializing an object, an exact copy is created.
This module will cover deserialization attacks from a white-box approach, exploiting vulnerabilities caused by JSON, XML, and Binary serializers available to .NET developers.
We will start with the
decompilation of a binary file to retrieve the source code, identify potentially vulnerable code sections, and set up
debugging to aid in exploit development. Later, we will look into recreating two well-known
gadget chains and using them to exploit three unique deserialization vulnerabilities in a custom application. Following this, we will look at the target application from a developer's point of view, and how the vulnerabilities we discover could be patched as well as how vulnerabilities could be avoided in the future. To finish off the module, you will be tasked with identifying and exploiting a custom deserialization vulnerability on your own.
Although deserialization vulnerabilities affect applications developed in many languages, for this module we will focus on
C#/.NET. The techniques learned can be repurposed to work with other languages, such as
A Brief History of Deserialization Vulnerabilities
Deserialization vulnerabilities have been public knowledge for a long time, but interest exploded in 2015 when the
Apache Commons Collections gadget was discovered. A brief timeline of milestones in deserialization vulnerabilities and attacks is listed below:
2007: First registered deserialization vulnerability (CVE-2007-1701) allows attackers to execute arbitrary code via PHP's
2011: First "gadget-based" deserialization vulnerability (CVE-2011-2894) uses
InvocationHandlerto achieve arbitrary code execution upon deserialization against the Spring Framework.
2012: The White paper "Are you my Type?" is published, discussing .NET serialization and CVE-2012-0160 which was a deserialization vulnerability in the .NET Framework leading to arbitrary code execution.
2015: The Apache Commons Collections gadget is discovered (CVE-2015-4852, CVE-2015-7501) which allows attackers to achieve arbitrary code execution against many more Java applications. ysoserial is released at AppSecCali 2015 which allows attackers to automatically generate deserialization payloads using the Apache Commons Collections gadget.
2017: The white paper 'Friday the 13th JSON Attacks' was released, addressing deserialization vulnerabilities in .NET. It also introduced 'YSoSerial.NET,' a tool enabling attackers to generate deserialization payloads for
.NETusing a handful of gadgets.
Target WebApp: TeeTrove
Throughout this module, we will analyze and attack a website named
TeeTrove, an e-commerce marketplace specializing in selling custom-designed attire. We were commissioned by the company behind
TeeTrove to conduct a
white-box penetration test on the application with the goal being
remote code execution. To conduct the assessment, the company provided us with the
compiled deployment files and the necessary