Alvaro Muñoz

Alvaro Muñoz works as Principal Software Security Researcher with Microfocus, Software Security Research (SSR). His research focuses on different programming languages and web application frameworks searching for vulnerabilities or unsafe uses of APIs. Before joining the research team, he worked as an Application Security Consultant helping enterprises to deploy their application security programs. Muñoz has presented at many Security conferences including BlackHat, Defcon, RSA, AppSecEU, AppSecUSA, Protect, DISCCON, etc and holds several infosec certifications, including OSCP, GWAPT and CISSP, and is a proud member of int3pids CTF team. He blogs at http://www.pwntester.com.

Attacking .NET Serialization

Day 2 - 18th Oct 11:30-12:20 Hall 3 Advanced

2016 was the year of Java deserialization apocalypse. Although Java Deserialization attacks were known for years, the publication of the Apache Commons Collection Remote Code Execution (RCE from now on) gadget finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues. One of the most suggested solutions for avoiding Java deserialization issues was to move away from Java Deserialization altogether and use safer formats such as JSON.

.NET formatters such as BinaryFormatter and NetDataContractSerializer are known to share similar mechanics which make them potentially vulnerable to similar RCE attacks. However, the lack of RCE gadgets led some software vendors to not take this issue seriously as happened to Java before.

In this talk, we will analyze .NET serializers including third party JSON parsers for potential RCE vectors. We will demonstrate that RCE is also possible in .NET and present details about the serializers that are vulnerable to RCE by default and discuss common configurations that make other libraries vulnerable. We will try to generalize the attack techniques to other serialization formats and conclude with presenting several gadgets from system libraries that may be used to achieve RCE for the analyzed serializers. Finally, we will provide recommendations on how to determine if your code is vulnerable, provide remediation advice, and discuss alternative approaches.

Slides