Re: Serious Security issue with broken - Microsoft's .Net XML Serialization API

From: Rohit (rohits79_at_gmail.com)
Date: 09/13/05

  • Next message: iDEFENSE Labs: "iDEFENSE Security Advisory 09.13.05: Linksys WRT54G Router Remote Administration Fixed Encryption Key Vulnerability"
    Date: Tue, 13 Sep 2005 23:13:11 +0530
    To: bugtraq@securityfocus.com, rohits79@gmail.com

    Sorry, in my excitement I made some mistakes in the code, in case you
    haven't already figured it out :)

    using System;
    using System.Xml;
    using System.IO;
    using System.Xml.Serialization;

    namespace ConsoleApplication1
    {
        [Serializable()]
        public class tResponseGeneralInfo
        {
            public long ProfileNumber;

            // XmlSerializer treats a public bool named <Member>Specified as the
            // switch for <Member>: the element is written only when it is true.
            public bool ProfileNumberSpecified;
        }

        class Class1
        {
            [STAThread]
            static void Main(string[] args)
            {
                tResponseGeneralInfo obj = new tResponseGeneralInfo();
                obj.ProfileNumber = 23;

                XmlDocument oXmlDoc = new XmlDocument();
                oXmlDoc.Load(m_Serialize(obj));

                // Print oXmlDoc's inner XML
                System.Console.WriteLine(oXmlDoc.InnerXml);
            }

            private static MemoryStream m_Serialize(object obj)
            {
                try
                {
                    XmlSerializer serializer = new XmlSerializer(obj.GetType());
                    MemoryStream ms = new MemoryStream();
                    serializer.Serialize(ms, obj);
                    ms.Position = 0;
                    return ms;
                }
                catch (Exception ex)
                {
                    // Serialization failed; caller receives null
                    return null;
                }
            }
        }
    }

    thanks
    rohit

    On 9/13/05, Rohit <rohits79@gmail.com> wrote:
    > Operating Systems: All windows platform with .net framework installed
    >
    > Explanation: This vulnerability could lead to serious security and
    > other issues depending on the implementation. To explain this issue I
    > will try to frame up a possible scenario (I am basically a programmer
    > and can imagine a number of scenarios where this issue could be a
    > serious problem). Please let me know if the following helps.
    >
    > At the moment the best example in reference to this issue I could give
    > you is of an online shopping cart which uses .net framework (imagine
    > amazon using .net for example).
    >
    > Example:
    > After selecting my favorite DVD on the website I choose to checkout.
    > The checkout screen prompts me for my address and my VISA card number. I
    > type in my 15 digit VISA card number, card's expiry date and the
    > shipping address. This and the other information goes back to the server and
    > code behind reads the information and maps this information to a
    > programming class such as
    >
    > class UserInformation
    > {
    >
    > string CustomerName;
    > string Address;
    >
    > long VISACard;
    > bool VISACardCorrect; //algorithm that determines if the visa card is correct
    >
    > string CustomerIPAddress;
    > string VISACardExpiry;
    > }
    >
    > Now imagine for security reasons Amazon would like to archive this
    > information to their log-database/repository (as most companies do - which
    > scares me at times) and the log archiving procedure is implemented as a
    > web service at Amazon which is over SOAP(XML).
    >
    > The big problem: To log the customer information the code behind would
    > need to serialize the UserInformation object to XML format so it could
    > be passed to the web service. But, because of this vulnerability all
    > the information would be serialized except for the VISA Card Number.
    > We'd be basically logging everything but the VISA Card Number which
    > might be fake and would be difficult to trace back later.
    >
    > WORSE: One could be using a Fake National-ID/Passport Number/VisaCard
    > etc etc which might be "THE" essential information required but because
    > of this bug the required info is never passed to required agents.
    >
    >
    >
    > Proof Of Concept - Compile in .net framework and essential attribute
    > value is missing in the generated xml
    >
    > ---Code---
    > using System;
    > using System.Xml;
    > using System.IO;
    > using System.Xml.Serialization;
    >
    > namespace ConsoleApplication1
    > {
    >
    > [Serializable()]
    > public class tResponseGeneralInfo
    > {
    > public long ProfileNumber;
    >
    > public bool ProfileNumberSpecified;
    >
    > }
    >
    > class Class1
    > {
    > [STAThread]
    > static void Main(string[] args)
    > {
    > tResponseGeneralInfo obj = new
    > tResponseGeneralInfo();
    > obj.ProfileNumber = 23;
    >
    > XmlDocument oXmlDoc = new XmlDocument();
    > oXmlDoc.Load(m_Serialize(obj));
    > //Print OXmlDoc's inner XML;
    > }
    >
    > private static MemoryStream m_Serialize(object obj)
    > {
    > try
    > {
    > XmlSerializer serializer = new
    > XmlSerializer(obj.GetType());
    > MemoryStream ms = new MemoryStream();
    > serializer.Serialize(ms, obj);
    > ms.Position = 0;
    > return ms;
    > }
    > catch(Exception ex)
    > {
    >
    > }
    > }
    > }
    >
    > }
    >
    > ---
    >
    > Output: Here ProfileNumber is missing
    >
    > <?xml version="1.0"?><tResponseGeneralInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ProfileNumberSpecified>false</ProfileNumberSpecified></tResponseGeneralInfo>
    >
    > ---
    >
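The behaviour the post reports follows from XmlSerializer's documented "MemberSpecified" convention: a public bool named `ProfileNumberSpecified` is read by the serializer as the switch that decides whether `ProfileNumber` is written, and it defaults to false. The following is an added example (not code from the original post) that reproduces the empty output with the poster's class shape, shows the element reappearing once the flag is set, and shows a hardened class whose setter keeps the flag in sync so a value that was assigned can never be silently dropped before it reaches a log or web service. The class and method names (`RawRecord`, `SafeRecord`, `RequireElement`) are my own.

```csharp
using System;
using System.IO;
using System.Xml.Serialization;

// Added example, not part of the original post. Names below are assumptions.
namespace SpecifiedPatternDemo
{
    // Same shape as the post's class: by XmlSerializer convention the bool
    // named ProfileNumberSpecified is the "emit ProfileNumber?" switch.
    public class RawRecord
    {
        public long ProfileNumber;
        public bool ProfileNumberSpecified;
    }

    // Hardened version: assigning ProfileNumber sets the flag, so the value is
    // always serialized. [XmlIgnore] keeps the flag itself out of the XML while
    // the serializer still honours it as the switch (the pattern xsd.exe emits).
    public class SafeRecord
    {
        private long profileNumber;
        private bool profileNumberSpecified;

        public long ProfileNumber
        {
            get { return profileNumber; }
            set { profileNumber = value; profileNumberSpecified = true; }
        }

        [XmlIgnore]
        public bool ProfileNumberSpecified
        {
            get { return profileNumberSpecified; }
            set { profileNumberSpecified = value; }
        }
    }

    public static class Demo
    {
        // Serialize any public type to an XML string.
        public static string ToXml(object obj)
        {
            XmlSerializer serializer = new XmlSerializer(obj.GetType());
            using (StringWriter sw = new StringWriter())
            {
                serializer.Serialize(sw, obj);
                return sw.ToString();
            }
        }

        // Defensive check before handing XML to a logging/web-service call:
        // fail loudly if an element that must be present is missing.
        public static void RequireElement(string xml, string elementName)
        {
            if (!xml.Contains("<" + elementName + ">"))
            {
                throw new InvalidOperationException(
                    "Serialized XML lacks <" + elementName + ">");
            }
        }

        public static void Main()
        {
            RawRecord raw = new RawRecord();
            raw.ProfileNumber = 23;              // flag left at its default, false
            string rawXml = ToXml(raw);
            Console.WriteLine(rawXml);           // no <ProfileNumber> element
            Console.WriteLine(rawXml.Contains("<ProfileNumber>"));   // False

            raw.ProfileNumberSpecified = true;   // opt the value in explicitly
            Console.WriteLine(ToXml(raw).Contains("<ProfileNumber>23</ProfileNumber>")); // True

            SafeRecord safe = new SafeRecord();
            safe.ProfileNumber = 23;             // setter flips the flag for us
            string safeXml = ToXml(safe);
            RequireElement(safeXml, "ProfileNumber");   // passes
            Console.WriteLine(safeXml);          // contains <ProfileNumber>23</ProfileNumber>
        }
    }
}
```

Any class that carries a public bool whose name is another member's name plus `Specified` (or a `ShouldSerialize<Member>()` method) opts into this switch, so reviewing serializable DTOs for that naming pattern, and asserting on required elements before data leaves the process, is the practical check.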

