AttackFlow Findings Dictionary


Insecure Serialization - Delegate

An attacker may inject arbitrary code and have it executed on the application server through insecure deserialization, resulting in full compromise of the server.

Severity

Medium

Fix Cost

Medium

Trust Level

Medium

Since the early Remote Method Invocation (RMI) and CORBA implementations, serialization and deserialization have been a key mechanism for transferring object state from one end to another. Serialization and deserialization occur in in-process, inter-process and network communication, between the same or different frameworks.

Usually only the member fields of a class instance are serialized on the source, together with their data, and then deserialized on the target. However, in .NET the delegate keyword can be used to serialize and deserialize method references, too.

The code below includes a serializable class that contains a Delegate field, which acts as a function pointer and is called in the SendAndSave method. An attacker who can supply a serialized instance of RemoteMessage can point del at Process.Start and execute arbitrary commands on the server that deserializes the attacker-supplied object.

                                     
[Serializable]
public class RemoteMessage
{
Delegate del;
String content;
public RemoteMessage(Delegate del, string content)
{
this.del = del;
this.content = content;
}
 
public MessageResult SendAndSave()
{
return del.DynamicInvoke(content);
}
}
                   
            

The same applies to event handlers, since an event is backed by a delegate field.


using System;

[Serializable]
public class RemoteMessage
{
    // The compiler-generated backing field of an event is a delegate and is
    // serialized with the instance unless it is marked [field: NonSerialized],
    // so the sender can control its target. The event type is
    // Func<string, MessageResult> so that OnRun(content) compiles (EventHandler
    // takes (object, EventArgs) and returns void, which does not fit this call).
    event Func<string, MessageResult> OnRun;
    String content;

    public RemoteMessage(string content)
    {
        this.content = content;
    }

    public MessageResult SendAndSave()
    {
        return OnRun(content);
    }
}
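The hardened counterpart to both snippets above, as an added example that is not part of the AttackFlow page: the delegate is excluded from the payload with [NonSerialized] (an event would use [field: NonSerialized]), it is re-bound to a server-chosen method after deserialization, and a SerializationBinder allow-list refuses every type other than RemoteMessage so that no delegate or other gadget in the stream can be instantiated. MessageResult, the Handle method, the RemoteMessageBinder class and the Demo.RoundTrip helper are assumptions made for this example; BinaryFormatter is used only because it is the legacy path the finding describes (it is obsolete and disabled by default in current .NET), and the three structural defences carry over to any serializer.

```csharp
// Added example, not the page's own code. Assumptions: MessageResult, Handle,
// RemoteMessageBinder and Demo.RoundTrip are invented for illustration.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

public sealed class MessageResult
{
    public string Text { get; }
    public MessageResult(string text) { Text = text; }
}

[Serializable]
public class RemoteMessage
{
    // Excluded from the payload: only the data field below is serialized, so the
    // sender has no way to ship a delegate target along with the message.
    [NonSerialized]
    private Func<string, MessageResult> del;

    private string content;

    public RemoteMessage(string content)
    {
        this.content = content;
        this.del = Handle;
    }

    // After deserialization the [NonSerialized] field is null; bind it to a
    // method the server chooses, never one described by the incoming stream.
    [OnDeserialized]
    private void Rebind(StreamingContext context)
    {
        del = Handle;
    }

    private static MessageResult Handle(string text) => new MessageResult("stored: " + text);

    public MessageResult SendAndSave() => del(content);
}

// Allow-list binder: any type name other than RemoteMessage (strings are written
// as primitive records and never reach the binder) is rejected before an instance
// is created, which blocks delegates and other deserialization gadgets.
public sealed class RemoteMessageBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(RemoteMessage).FullName)
            return typeof(RemoteMessage);
        throw new SerializationException("Type not allowed: " + typeName);
    }
}

public static class Demo
{
    // Serializes and deserializes a message through the binder, then invokes the
    // re-bound delegate; a stream carrying a foreign type throws instead.
    public static MessageResult RoundTrip(RemoteMessage msg)
    {
        var formatter = new BinaryFormatter { Binder = new RemoteMessageBinder() };
        using var ms = new MemoryStream();
        formatter.Serialize(ms, msg);
        ms.Position = 0;
        var copy = (RemoteMessage)formatter.Deserialize(ms);
        return copy.SendAndSave();
    }
}
```

Calling Demo.RoundTrip(new RemoteMessage("hello")) returns a MessageResult whose Text is "stored: hello"; the behaviour is now fixed by Handle on the server rather than by whatever the sender serialized into the delegate field. The same three measures map onto the event variant: mark the event [field: NonSerialized], subscribe the handler in an [OnDeserialized] method, and keep the binder allow-list in front of every deserialization entry point.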

