Post hexacon #156
Conversation
This is amazing, well done! I haven't done any professional reviews in GitHub so please excuse the way I have written everything here as a blob. I can do better in the future! I realised this very late when I was almost finished writing them.
To Be Addressed: A few minor things here to be addressed:
2- Running
2.1- Could you also please do the same thing with the comment in
3- In
3.1- The same thing should be done in
4- (suggestion) add
5- I think the
6- Please add both https://github.com/thezdi/presentations/blob/main/2023_Hexacon/whitepaper-net-deser.pdf and https://www.youtube.com/watch?v=ZcOZNAmKR0c&feature=youtu.be to the readme.
Questions:
Thanks for all the feedback, I find it really good!
Fixes
1) Fixed, although my Visual Studio has updated some of the packages. It should not have any effect on the tool, but you may want to double check.
2) It's a little complex here, but I have managed to modify it in the following way:
a) BaseActivationFactory: BaseActivationFactory should receive a path with no extension. During the deserialization, the .NET code will append the ".dll" string to the path. I've done the following:
b) GetterCompilerResults: We are able to load files not only with the ".dll" extension. I've already exploited something once, where I could upload a ".txt" file and chained the file-write primitive with this gadget to load the DLL, where the file had the ".txt" extension. Still, I've implemented a check if the given path ends with ".dll" (case insensitive). I've also provided all the explanation and said that if you want to have a different extension in the gadget - just modify it manually.
2.1) Done, appended an info message when the test is enabled.
3 and 3.1) Done for XamlImageInfo, GetterCompilerResults and BaseActivationFactory.
4) I've implemented
5) So, it's quite complex. My idea was the following:
a) If we are aware of an available gadget chain (like
b) This gadget was intended to chain custom "insecure serialization" gadgets that you may find in e.g. a targeted product codebase, with any known Arbitrary Getter Call gadget (like
This is why I didn't implement chains with e.g.
I know that the entire idea may be kind of confusing without reading the white paper or hearing my presentation, so I have extended the feedback provided by the plugin. To see it, run it with
So in general, I treat this plugin as something for the "hardcore" exploitation, when nothing else is available and we are desperate to bypass some e.g. blacklist. Please let me know if this idea is OK with you. If not, I am open to contribute more and we can work on something different here.
6) Done, the white paper was not public when I made this PR. I've also added one of my recent blog posts (which is also included in the beginning of the white paper). I'll try to extend this list in the future.
Questions
BaseActivationFactory tests: Yes, in order to test this gadget, we need to build with .NET 5, 6 or 7. Also, we need to enable WPF (I've added this info to the message). To enable WPF, add the following to the
Double execution with --var 2: Oh yes, I'm aware of that but I forgot to mention that. BTW - sometimes it does not behave this way and calls the getter once only. I have never found time to debug this behavior more.
XamlInfoGenerator variant switch: I've used the file-based variant as the main one, because it exists in GAC and you should be able to use it against any target. The second variant works only if you have a non-GAC dll available:
Regarding the tests - you can easily test variant 1 too. You just have to create a XAML gadget, put it on your local file system or remote SMB server and generate a gadget that loads this file. Example:
This should pop calc :) Please note that you have to escape the
FileLogTraceListener for JavaScriptSerializer: Ok, this is weird, as it works flawlessly on any Windows VM that I have.
My guess is: this is a non-GAC assembly, but my base Windows build has it for some reason (maybe I've installed something along with Visual Studio, where Visual Studio adds this installer to GAC). However, I was pretty sure that
Thanks for the quick update. We are getting there :) Here are some further comments:
A) Please make sure the payloads can still run with
B) We are now getting an error from GitHub build complaining about the MessagePack assembly. Although it builds ok locally, I think we need to modify the project file at least for:
One thing I see there is that you have used netstandard. I am not sure whether we can have this for .NET Framework but please check that as well. Could you please also add the
C) I have noticed some unused libraries in the project file. Please remove any unused libraries from the CSProj file and
Ok, updates made :)
A) Nice feature! I've added it to the BaseActivationFactory, GetterCompilerResults and XamlImageInfo.
B and C) The entire mess happened because I was adding new packages to test 3rd party gadgets. NuGet needed to update and add some additional packages during the process. I have retrieved an old .csproj file and just added
D) Testing and additional thing: I have tested all the stuff again on 2 different machines. Everything works on both machines except for
On one machine,
Anyway, I have added additional info to the
I think that the rest of the stuff should be good now :)
I am happy with all this now and as you have confirmed that all is working, I am going to approve this given we also have a successful build :)
Thanks for a quick review! If there are any issues regarding the added gadgets or plugins - let me know. I'll try to resolve issues as fast as possible. :)
Hi,
This PR implements a lot of stuff. This is an outcome of my Hexacon 2023 talk. The white paper that describes all the implemented gadgets/plugins will be made public in a day or two - I will add a comment to this PR. The presentation video should be available soon.
Changes:
Please note that some of the listed gadgets can be also implemented for some different formatters, but I didn't manage to test them against all of the possible serializers.
GetterSecurityException
- RCE gadget for .NET Framework. This gadget chains Arbitrary Getter Call gadget and SecurityException serialization gadget (getter leads to BinaryFormatter). It has 4 variants. Every variant implements a different Arbitrary Getter Call gadget - PropertyGrid, ListBox, ComboBox, CheckedListBox.
GetterSettingsPropertyValue
- RCE gadget for .NET Framework. This gadget chains Arbitrary Getter Call gadget and SecurityException serialization gadget (getter leads to BinaryFormatter). It has 4 variants. Every variant implements a different Arbitrary Getter Call gadget - PropertyGrid, ListBox, ComboBox, CheckedListBox.
XamlImageInfo
- RCE gadget for .NET Framework, leads to XAML loading. Currently implemented for Json.NET in 2 variants: variant 1 (GAC) - loads XAML from file (UNC path can be provided for remote file loading); variant 2 (non-GAC) - directly delivers the XAML payload, but Microsoft.Web.Deployment.dll is required.
BaseActivationFactory
- Remote DLL loading for .NET 5, 6 and 7. Requires WPF to be enabled or PresentationFramework.dll to be available. C/C++ dll can be provided. UNC path can be given to load remote DLL.
GetterCompilerResults
- Remote DLL loading for .NET 5, 6 and 7, local DLL loading for .NET Framework. For .NET 5/6/7, WPF needs to be enabled or PresentationFramework.dll available. Mixed assembly can be delivered. For .NET 5/6/7 remote loading, UNC path can be given. No requirements for local DLL loading in .NET Framework.
As I have introduced gadgets that chain arbitrary getter call with something that I've called serialization gadget, I have added two new labels:
TextFormattingRunProperties
I have implemented Json.NET for TextFormattingRunProperties.
I have created 3 new plugins:
a) GetterCallGadgets
It allows you to chain your serialization gadget (gadget where getter call leads to something malicious) with one of the implemented arbitrary getter call gadgets:
I have only implemented those gadgets for Json.NET, but some of them are also applicable for different serializers. It's a thing for a future implementation, or somebody may want to contribute.
b) NetNonRceGadget
It implements Non-RCE gadgets for .NET Framework. I've implemented 3 gadgets:
They are also applicable for different serializers. It's a thing for a future implementation, or somebody may want to contribute.
c) ThirdPartyGadgets
This plugin implements gadgets for 3rd party libraries, like MongoDB or Grpc.Core. Right now, there are 10 gadgets implemented and you can list them with this command:
Gadgets are fully described. Also, all the details about them can be found in the white paper.
I have only implemented those gadgets for Json.NET, but some of them are also applicable for different serializers. It's a thing for a future implementation, or somebody may want to contribute.