Re: Serious Security issue with broken - Microsoft's .Net XML Serialization API
Sorry, in my excitement I made some mistakes in the code, in case you
haven't already figured it out :)
using System;
using System.Xml;
using System.IO;
using System.Xml.Serialization;

namespace ConsoleApplication1
{
    [Serializable()]
    public class tResponseGeneralInfo
    {
        public long ProfileNumber;
        // XmlSerializer treats a public bool named "<Member>Specified" as a
        // presence flag: <ProfileNumber> is only written when this is true.
        public bool ProfileNumberSpecified;
    }

    class Class1
    {
        [STAThread]
        static void Main(string[] args)
        {
            tResponseGeneralInfo obj = new tResponseGeneralInfo();
            obj.ProfileNumber = 23;   // ProfileNumberSpecified is left at its default, false

            MemoryStream xml = m_Serialize(obj);
            if (xml == null)
            {
                Console.WriteLine("Serialization failed");
                return;
            }

            XmlDocument oXmlDoc = new XmlDocument();
            oXmlDoc.Load(xml);
            // Print oXmlDoc's inner XML; ProfileNumber is absent from it.
            System.Console.WriteLine(oXmlDoc.InnerXml);
        }

        // Serializes obj to XML and returns a stream positioned at the start,
        // or null if serialization threw.
        private static MemoryStream m_Serialize(object obj)
        {
            try
            {
                XmlSerializer serializer = new XmlSerializer(obj.GetType());
                MemoryStream ms = new MemoryStream();
                serializer.Serialize(ms, obj);
                ms.Position = 0;
                return ms;
            }
            catch (Exception ex)
            {
                Console.Error.WriteLine(ex);
                return null;
            }
        }
    }
}
thanks
rohit
On 9/13/05, Rohit <rohits79@xxxxxxxxx> wrote:
> Operating Systems: All windows platform with .net framework installed
>
> Explanation: This vulnerability could lead to serious security and
> other issues depending on the
> implementation. To explain this issue I will try to frame up a
> possible scenario
> (I am basically a programmer and can imagine a number of
> scenarios where this issue could be a serious problem). Please let me know
> if the following helps.
>
> At the moment the best example in reference to this issue I could give
> you is of an online shopping cart which uses .net framework (imagine
> amazon using .net for example).
>
> Example:
> After selecting my favorite DVD on the website I choose to checkout.
> The checkout screen prompts me for my address and my VISA card number. I
> type in my 15 digit VISA card number, card's expiry date and the
> shipping address. This and the other information goes back to the server and
> code behind reads the information and maps this information to a
> programming class such as
>
> class UserInformation
> {
>
> string CustomerName;
> string Address;
>
> long VISACard;
> bool VISACardCorrect; //algorithm that determines if the visa card is
> correct
>
> string CustomerIPAddress;
> string VISACardExpiry;
> }
>
> Now imagine for security reasons Amazon would like to archive this
> information to their log-database/repository (as most companies do - which
> scares me at times) and the log archiving procedure is implemented as a
> web service at Amazon which is over SOAP(XML).
>
> The big problem: To log the customer information the code behind would
> need to serialize the UserInformation object to XML format so it could
> be passed to the web service. But, because of this vulnerability all
> the information would be serialized except for the VISA Card Number.
> We'd be basically logging everything but the VISA Card Number which
> might be fake and would be difficult to trace back later.
>
> WORSE: One could be using a Fake National-ID/Passport Number/VisaCard
> etc etc which might be "THE" essential information required but because
> of this bug the required info is never passed to required agents.
>
>
>
> Proof Of Concept - Compile in .net framework and essential attribute
> value is missing in the generated xml
>
> ---Code---
> using System;
> using System.Xml;
> using System.IO;
> using System.Xml.Serialization;
>
> namespace ConsoleApplication1
> {
>
> [Serializable()]
> public class tResponseGeneralInfo
> {
> public long ProfileNumber;
>
> public bool ProfileNumberSpecified;
>
> }
>
> class Class1
> {
> [STAThread]
> static void Main(string[] args)
> {
> tResponseGeneralInfo obj = new
> tResponseGeneralInfo();
> obj.ProfileNumber = 23;
>
> XmlDocument oXmlDoc = new XmlDocument();
> oXmlDoc.Load(m_Serialize(obj));
> //Print OXmlDoc's inner XML;
> }
>
> private static MemoryStream m_Serialize(object obj)
> {
> try
> {
> XmlSerializer serializer = new
> XmlSerializer(obj.GetType());
> MemoryStream ms = new MemoryStream();
> serializer.Serialize(ms, obj);
> ms.Position = 0;
> return ms;
> }
> catch(Exception ex)
> {
>
> }
> }
> }
>
> }
>
> ---
>
> Output: Here ProfileNumber is missing
>
> "<?xml version=\"1.0\"?><tResponseGeneralInfo
> xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
> xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">
> <ProfileNumberSpecified>false</ProfileNumberSpecified></tResponseGeneralInfo>
>
> ---
>
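Editor's note with an added example (my own code, not Rohit's and not part of the original post). What the report shows is XmlSerializer's documented "Specified" pattern: a public bool member named `<Member>Specified` is read as a presence flag for `<Member>`, and because a bool defaults to false, a field that is assigned but whose flag is never set is silently dropped from the XML. The program below reproduces that with a type shaped like the one in the report, shows the minimal fix for that type (set the flag), a hardened type whose setter keeps the flag in sync and hides it with `[XmlIgnore]`, and an `EnsureRetained` guard that a logging or audit layer can run on the serialized record so that a missing required field is rejected rather than archived as absent. The class names, the `EnsureRetained` and `Report` helpers and the sample value 23 are my own choices.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

namespace SpecifiedPatternDemo
{
    // Constructed type shaped like the one in the report. XmlSerializer reads
    // a public bool named "<Member>Specified" as a presence flag for <Member>;
    // a bool field defaults to false, so ProfileNumber is never written unless
    // the caller remembers to set the flag.
    public class UnsafeProfile
    {
        public long ProfileNumber;
        public bool ProfileNumberSpecified;
    }

    // Hardened form: the setter keeps the flag in sync, and XmlIgnore keeps the
    // flag itself out of the output while XmlSerializer still consults it.
    public class SafeProfile
    {
        private long profileNumber;

        public long ProfileNumber
        {
            get { return profileNumber; }
            set { profileNumber = value; ProfileNumberSpecified = true; }
        }

        [XmlIgnore]
        public bool ProfileNumberSpecified { get; set; }
    }

    static class Program
    {
        // Serialize any object with XmlSerializer and return the XML text.
        public static string ToXml(object obj)
        {
            XmlSerializer serializer = new XmlSerializer(obj.GetType());
            using (StringWriter writer = new StringWriter())
            {
                serializer.Serialize(writer, obj);
                return writer.ToString();
            }
        }

        // Guard for a logging/audit layer (hypothetical helper): throw if any
        // field the layer must retain is missing from the serialized record,
        // instead of archiving the record silently without it.
        public static void EnsureRetained(string xml, params string[] elementNames)
        {
            XmlDocument doc = new XmlDocument();
            doc.LoadXml(xml);
            foreach (string name in elementNames)
            {
                if (doc.DocumentElement.SelectSingleNode(name) == null)
                {
                    throw new InvalidOperationException("Serialized record lacks <" + name + ">");
                }
            }
        }

        static void Report(string label, string xml)
        {
            Console.WriteLine("--- " + label + " ---");
            Console.WriteLine(xml);
            try
            {
                EnsureRetained(xml, "ProfileNumber");
                Console.WriteLine("ok: ProfileNumber retained");
            }
            catch (InvalidOperationException ex)
            {
                Console.WriteLine("rejected: " + ex.Message);
            }
        }

        static void Main()
        {
            // 1. The report's situation: value assigned, flag left at false,
            //    so <ProfileNumber> is omitted and the guard rejects the record.
            UnsafeProfile bad = new UnsafeProfile();
            bad.ProfileNumber = 23;
            Report("assigned, flag unset", ToXml(bad));

            // 2. Minimal fix for the same type: set the flag explicitly.
            UnsafeProfile fixedByHand = new UnsafeProfile();
            fixedByHand.ProfileNumber = 23;
            fixedByHand.ProfileNumberSpecified = true;
            Report("assigned, flag set", ToXml(fixedByHand));

            // 3. Hardened type: the setter sets the flag for the caller.
            SafeProfile good = new SafeProfile();
            good.ProfileNumber = 23;
            Report("hardened type", ToXml(good));
        }
    }
}
```

Build it as a console project against any .NET Framework version that has System.Xml.Serialization. The first record is the one from the report and is rejected by the guard; the other two carry `<ProfileNumber>23</ProfileNumber>`. The same presence-flag convention is what xsd.exe generates for optional schema elements, so any type that declares a `<Member>Specified` bool, whether by hand or by generation, needs the flag set alongside the value or a setter like the one in `SafeProfile`.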