.NET Deserialization

Theory

Insecure deserialization is a vulnerability that can affect applications built using the .NET framework. They occurs when the deserialization process is not properly secured and validated, allowing attackers to exploit it and execute arbitrary code or perform other malicious activities.

Practice

JSON.NET Deserialization

In .NET application that uses JSON.net (Newtonsoft library), we can inject arbitrary code or read local files by abusing JSON deserialization objects.

To decompile a .NET application you can use dnSpy on windows or AvaloniaILSpy on Linux

If the application have the TypeNameHandling not being set to None and deserialize a parameter without proper validation, it is vulnerable.

json = JsonConvert.DeserializeObject<Example>(json);We can give the Json value to the “JsonConvert.DeserializeObject(json)” with a reserved key ($type).
The format is as follow. The value of $type is a string that contains the assembly-qualified name of the .NET type to be deserialized.

In the previous code, Example is the class to what json data will be converted (deserialized)

We can give the Json value to the “JsonConvert.DeserializeObject(json)” with a reserved key ($type). The format is as follow. The value of $type is a string that contains the assembly-qualified name of the .NET type to be deserialized.

{
	"$type": "<namespace>.<class>, <assembly>",
	"<method_name>": "<attribute>"
}

We can use ysoserial.net (windows) to generate payloads.

#Raw output
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "id"

#Base64 output
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "id" -o base64

References

Last updated 1 year ago