<<< Date Index >>>     <<< Thread Index >>>

Serious Security issue with broken - Microsoft's .Net XML Serialization API



Operating Systems: All windows platform with .net framework installed

Explanation: This vulnerability could lead to serious security and
other issues depending on the
implementation. To explain this issue I will try to frame up a
possible scenario
(Am basically a programmer and can imagine a number of 
scenarios where this issue could be a serious problem). Please let me know 
if the following helps.

At the moment the best example in reference to this issue i could give 
you is of an online shopping cart which uses .net framework (imagaine 
amazon using .net for example).

Example:
After selecting my favorite DVD on the website I choose to checkout. 
The checkout screen prompts me for my address and my VISA card number. I 
type in my 15 digit VISA card number, card's expiry date and the 
shipping address. This and the other information goes back to the server and 
code behind reads the information and maps this information to a 
programming class such as

class UserInformation
{

string CustomerName;
string Address; 

long VISACard;
bool VISACardCorrect; //algorithm that determines if the visa card is 
correct

string CustomerIPAddress;
string VISACardExpiry;
}

Now imagine for security reasons Amazon would like to archive this 
information to their log-database/repository (as most companies do - which 
scares me at times) and The log archiving procedure is implemented as a 
web service at Amazon which is over SOAP(XML). 

The big problem: To log the customer information the code behind would 
need to serialize the UserInformation object to XML format so it could 
be passed to the web service. But, because of this vulnerability all 
the information would be serialized exception for the VISA Card Number. 
We'd be basically logging everything but the VISA Card Number which 
might be fake and would be difficult to trace back later.

WORSE: One could be using a Fake National-ID/Passport Number/VisaCard 
etc etc which might be "THE" essential information required but because 
of this bug the required info is never passed to required agents.



Proof Of Concept - Compile in .net framework and essential attribute 
value is missing in the generated xml

---Code---
using System;
using System.Xml;
using System.IO;
using System.Xml.Serialization;

namespace ConsoleApplication1
{

      [Serializable()]
      public class tResponseGeneralInfo
      {
            public long ProfileNumber;

            public bool ProfileNumberSpecified;

      }

      class Class1
      {
            [STAThread]
            static void Main(string[] args)
            {
                  tResponseGeneralInfo obj = new
tResponseGeneralInfo();
                  obj.ProfileNumber = 23;

                  XmlDocument oXmlDoc = new XmlDocument();
                  oXmlDoc.Load(m_Serialize(obj));
                //Print OXmlDoc's inner XML;
            }

            private static MemoryStream m_Serialize(object obj)
            {
                  try
                  {
                        XmlSerializer serializer = new
XmlSerializer(obj.GetType());
                        MemoryStream ms = new MemoryStream();
                        serializer.Serialize(ms, obj);
                        ms.Position = 0;
                        return ms;
                  }
                  catch(Exception ex)
                  {

                  }
            }
      }

} 

---

Output: Here ProfileNumber is missing

"<?xml version=\"1.0\"?><tResponseGeneralInfo
xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\";><ProfileNumberSp
ecified>false</ProfileNumberSpecified></tResponseGeneralInfo>

---