Serious Security issue with broken - Microsoft's .Net XML Serialization API
Operating Systems: All windows platform with .net framework installed
Explanation: This vulnerability could lead to serious security and
other issues depending on the
implementation. To explain this issue I will try to frame up a
possible scenario
(Am basically a programmer and can imagine a number of
scenarios where this issue could be a serious problem). Please let me know
if the following helps.
At the moment the best example in reference to this issue i could give
you is of an online shopping cart which uses .net framework (imagaine
amazon using .net for example).
Example:
After selecting my favorite DVD on the website I choose to checkout.
The checkout screen prompts me for my address and my VISA card number. I
type in my 15 digit VISA card number, card's expiry date and the
shipping address. This and the other information goes back to the server and
code behind reads the information and maps this information to a
programming class such as
class UserInformation
{
string CustomerName;
string Address;
long VISACard;
bool VISACardCorrect; //algorithm that determines if the visa card is
correct
string CustomerIPAddress;
string VISACardExpiry;
}
Now imagine for security reasons Amazon would like to archive this
information to their log-database/repository (as most companies do - which
scares me at times) and The log archiving procedure is implemented as a
web service at Amazon which is over SOAP(XML).
The big problem: To log the customer information the code behind would
need to serialize the UserInformation object to XML format so it could
be passed to the web service. But, because of this vulnerability all
the information would be serialized exception for the VISA Card Number.
We'd be basically logging everything but the VISA Card Number which
might be fake and would be difficult to trace back later.
WORSE: One could be using a Fake National-ID/Passport Number/VisaCard
etc etc which might be "THE" essential information required but because
of this bug the required info is never passed to required agents.
Proof Of Concept - Compile in .net framework and essential attribute
value is missing in the generated xml
---Code---
using System;
using System.Xml;
using System.IO;
using System.Xml.Serialization;
namespace ConsoleApplication1
{
[Serializable()]
public class tResponseGeneralInfo
{
public long ProfileNumber;
public bool ProfileNumberSpecified;
}
class Class1
{
[STAThread]
static void Main(string[] args)
{
tResponseGeneralInfo obj = new
tResponseGeneralInfo();
obj.ProfileNumber = 23;
XmlDocument oXmlDoc = new XmlDocument();
oXmlDoc.Load(m_Serialize(obj));
//Print OXmlDoc's inner XML;
}
private static MemoryStream m_Serialize(object obj)
{
try
{
XmlSerializer serializer = new
XmlSerializer(obj.GetType());
MemoryStream ms = new MemoryStream();
serializer.Serialize(ms, obj);
ms.Position = 0;
return ms;
}
catch(Exception ex)
{
}
}
}
}
---
Output: Here ProfileNumber is missing
"<?xml version=\"1.0\"?><tResponseGeneralInfo
xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"><ProfileNumberSp
ecified>false</ProfileNumberSpecified></tResponseGeneralInfo>
---