Today, we publish a new advisory for some vulnerabilities, that have been found by our team-mate Nils Ole Timm (@firzen14).
Nils spent some time with .Net deserialization attacks and research. In April 2020 we already published an article about his Deserialization Attacks in .Net Games.
While the gaming industry thankfully fixed all of the reported issues, Microsoft elected to manage rather than fix the reported issues. For this advisory, two of them were not considered vulnerabilities by Microsoft as "by design". The third one was originally planned to be fixed, but a week before the disclosure deadline Microsoft informed us that they would only add a warning to their documentation.
Proof of Concept code is provided for each vulnerability right here:
- https://github.com/modzero/MZ-20-03_PoC_IsolatedStorage
- https://github.com/modzero/MZ-20-03_PoC_NetRemoting
- https://github.com/modzero/MZ-20-03_PoC_MSMQ_BinaryMessageFormatter
The direct link to the advisory is https://modzero.com/en/advisories/mz-20-03-vulnerabilities-in_dotnet/