XML Serializer (.NET)

XmlSerializer

The vulnerability arises when the application deserializes attacker-controlled XML into an object type that it already knows (and resolves) at runtime.

  • only able to serialize public properties and fields of an object

  • cannot serialize abstract classes

  • type of the object being serialized always has to be known to the XmlSerializer instance at runtime

Sample object which XML Serializer is able to deserialize. Substitute the following with the values of the target type:

  • namespace

  • class

  • properties of the class

<customRootNode>
    <item objectType="Namespace.Class, Namespace, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null">
        <Class xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <property>Value goes here...</property>
        </Class>
    </item>
</customRootNode>
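The reason the "type must be known at runtime" limitation matters is visible in the objectType attribute above: if the application resolves that string into a Type and hands it to XmlSerializer, the sender decides which class gets instantiated. The following C# is an added example, not code from the original page: it shows that resolution pattern as a deserialization sink, beside a hardened variant that only ever builds a serializer for a fixed application-owned type and treats the attribute as an allow-list lookup. The ExpectedPayload class, the AllowedTypes table and the method names are assumptions for illustration.

```csharp
// Added example (not from the original page): attacker-chosen type resolution
// with XmlSerializer, and a hardened counterpart.
// Assumed: the application owns one DTO (ExpectedPayload) and the incoming
// document uses the <customRootNode><item objectType="..."> layout shown above.
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

public class ExpectedPayload
{
    public string Property { get; set; }
}

public static class XmlPayloadHandling
{
    // VULNERABLE: the type given to XmlSerializer is taken from the XML itself.
    // Type.GetType accepts an assembly-qualified name, so any loadable public type
    // with public settable properties becomes reachable. This is the "known object"
    // condition described at the top of the page.
    public static object DeserializeUntrusted(string xml)
    {
        var doc = new XmlDocument();
        doc.LoadXml(xml);
        var item = (XmlElement)doc.SelectSingleNode("/customRootNode/item");
        string typeName = item.GetAttribute("objectType");
        Type t = Type.GetType(typeName, throwOnError: true);   // sender-controlled
        var serializer = new XmlSerializer(t);
        using (var reader = new XmlNodeReader(item.FirstChild))
        {
            return serializer.Deserialize(reader);
        }
    }

    // HARDENED: the serializer is constructed for a fixed type; the objectType
    // attribute is compared against an allow-list and never resolved with Type.GetType.
    private static readonly Dictionary<string, Type> AllowedTypes =
        new Dictionary<string, Type>(StringComparer.Ordinal)
        {
            { typeof(ExpectedPayload).AssemblyQualifiedName, typeof(ExpectedPayload) }
        };

    public static ExpectedPayload DeserializeChecked(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // no DTD / entity expansion
            XmlResolver = null                      // no external resource fetches
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        var item = (XmlElement)doc.SelectSingleNode("/customRootNode/item");
        string typeName = item?.GetAttribute("objectType") ?? string.Empty;
        if (!AllowedTypes.TryGetValue(typeName, out Type expected))
        {
            // Reject (and log) anything not on the allow-list; do not try to load it.
            throw new InvalidDataException("objectType not on allow-list: " + typeName);
        }
        var serializer = new XmlSerializer(expected);
        using (var reader = new XmlNodeReader(item.FirstChild))
        {
            return (ExpectedPayload)serializer.Deserialize(reader);
        }
    }
}
```

The hardened version is also what defeats the wrapper classes discussed later on this page: because XmlSerializer is only ever created for ExpectedPayload, a document naming any other type (a wrapper from PresentationFramework.dll or anything else) is rejected before a serializer exists for it. When reviewing code, the pattern to grep for is a Type value derived from request data (Type.GetType, Assembly.Load, Activator.CreateInstance) flowing into new XmlSerializer(...).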

There is a trick

As mentioned above, XmlSerializer cannot serialize methods, only public properties and fields.

Sometimes this restriction can be bypassed by using the ObjectDataProvider class.

ObjectDataProvider

If you get a type error when supplying an object wrapped in ObjectDataProvider, it is probably because the application expects the ObjectDataProvider type itself when creating the class, not the type of the object inside it.

That usually means you have to find another way of delivering the payload (another wrapper or useful class).

Namespace: System.Windows.Data

Location: PresentationFramework.dll

It is fully compatible with XML Serializer. It serves as a wrapper for objects, but without the limitations above: it takes, as public properties, information about the class to be instantiated and which specific method of that class should be invoked.

Sample usage:

Combo with:

  • File Upload

  • CMD Execution

  • Access Granting

Potential problems with ObjectDataProvider usage

If the type of the inner object is not known to XML Serializer, it deserializes the wrapper but cannot invoke the object inside.

To get around that, some kind of wrapper is needed that declares the inner object types itself, for example during object creation.

Automating the object wrapping process

Several tools can make life easier when it comes to .NET deserialization.

YSOSERIAL.NET

One of the best tools for this is ysoserial.net, which is the .NET counterpart of the regular ysoserial tool.

It contains an ObjectDataProvider gadget and many more which can be used in the exploitation of insecure deserialization vulnerabilities in .NET.
