
Re: Serious Security issue with broken - Microsoft's .Net XML Serialization API



Sorry, in excitement I made some mistakes in the code, in case you
haven't already figured it out :)

using System;
using System.Xml;
using System.IO;
using System.Xml.Serialization;

namespace ConsoleApplication1
{
    [Serializable()]
    public class tResponseGeneralInfo
    {
        // XmlSerializer pairs a public bool named "<Field>Specified" with <Field>:
        // while ProfileNumberSpecified is false, ProfileNumber is left out of the XML.
        public long ProfileNumber;

        public bool ProfileNumberSpecified;
    }

    class Class1
    {
        [STAThread]
        static void Main(string[] args)
        {
            tResponseGeneralInfo obj = new tResponseGeneralInfo();
            obj.ProfileNumber = 23;

            XmlDocument oXmlDoc = new XmlDocument();
            oXmlDoc.Load(m_Serialize(obj));

            // Print oXmlDoc's inner XML
            System.Console.WriteLine(oXmlDoc.InnerXml);
        }

        private static MemoryStream m_Serialize(object obj)
        {
            try
            {
                XmlSerializer serializer = new XmlSerializer(obj.GetType());
                MemoryStream ms = new MemoryStream();
                serializer.Serialize(ms, obj);
                ms.Position = 0;
                return ms;
            }
            catch (Exception ex)
            {
                // Report the failure instead of silently returning null, which
                // would only make oXmlDoc.Load throw a less helpful exception.
                System.Console.Error.WriteLine(ex);
                throw;
            }
        }
    }
}



thanks
rohit


On 9/13/05, Rohit <rohits79@xxxxxxxxx> wrote:
> Operating Systems: All windows platform with .net framework installed
> 
> Explanation: This vulnerability could lead to serious security and
> other issues depending on the
> implementation. To explain this issue I will try to frame up a
> possible scenario
> (I am basically a programmer and can imagine a number of
> scenarios where this issue could be a serious problem). Please let me know
> if the following helps.
> 
> At the moment the best example in reference to this issue I could give
> you is of an online shopping cart which uses .net framework (imagine
> Amazon using .net for example).
> 
> Example:
> After selecting my favorite DVD on the website I choose to checkout.
> The checkout screen prompts me for my address and my VISA card number. I
> type in my 15 digit VISA card number, card's expiry date and the
> shipping address. This and the other information goes back to the server and
> code behind reads the information and maps this information to a
> programming class such as
> 
> class UserInformation
> {
> 
> string CustomerName;
> string Address;
> 
> long VISACard;
> bool VISACardCorrect; //algorithm that determines if the visa card is
> correct
> 
> string CustomerIPAddress;
> string VISACardExpiry;
> }
> 
> Now imagine for security reasons Amazon would like to archive this
> information to their log-database/repository (as most companies do - which
> scares me at times) and the log archiving procedure is implemented as a
> web service at Amazon which is over SOAP(XML).
> 
> The big problem: To log the customer information the code behind would
> need to serialize the UserInformation object to XML format so it could
> be passed to the web service. But, because of this vulnerability all
> the information would be serialized except for the VISA Card Number.
> We'd be basically logging everything but the VISA Card Number which
> might be fake and would be difficult to trace back later.
> 
> WORSE: One could be using a Fake National-ID/Passport Number/VisaCard
> etc etc which might be "THE" essential information required but because
> of this bug the required info is never passed to required agents.
> 
> 
> 
> Proof Of Concept - Compile in .net framework and essential attribute
> value is missing in the generated xml
> 
> ---Code---
> using System;
> using System.Xml;
> using System.IO;
> using System.Xml.Serialization;
> 
> namespace ConsoleApplication1
> {
> 
>      [Serializable()]
>      public class tResponseGeneralInfo
>      {
>            public long ProfileNumber;
> 
>            public bool ProfileNumberSpecified;
> 
>      }
> 
>      class Class1
>      {
>            [STAThread]
>            static void Main(string[] args)
>            {
>                  tResponseGeneralInfo obj = new tResponseGeneralInfo();
>                  obj.ProfileNumber = 23;
> 
>                  XmlDocument oXmlDoc = new XmlDocument();
>                  oXmlDoc.Load(m_Serialize(obj));
>                //Print OXmlDoc's inner XML;
>            }
> 
>            private static MemoryStream m_Serialize(object obj)
>            {
>                  try
>                  {
>                        XmlSerializer serializer = new XmlSerializer(obj.GetType());
>                        MemoryStream ms = new MemoryStream();
>                        serializer.Serialize(ms, obj);
>                        ms.Position = 0;
>                        return ms;
>                  }
>                  catch(Exception ex)
>                  {
> 
>                  }
>            }
>      }
> 
> }
> 
> ---
> 
> Output: Here ProfileNumber is missing
> 
> <?xml version="1.0"?><tResponseGeneralInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ProfileNumberSpecified>false</ProfileNumberSpecified></tResponseGeneralInfo>
> 
> ---
>
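An added example, not code from the original post: it serializes the post's class with the flag left at false and then set to true, so the missing and present <ProfileNumber> elements can be compared side by side, and it adds a reflection-based audit check that lists every public bool "<Member>Specified" sitting next to a public <Member>, since XmlSerializer treats that naming pattern as an emit-control flag. The names SpecifiedPatternAudit, ToXml and FindSpecifiedFlags are my own.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Xml.Serialization;

// Same shape as the class in the post: XmlSerializer treats a public bool named
// "<Member>Specified" as the emit-control flag for <Member>.
public class tResponseGeneralInfo
{
    public long ProfileNumber;
    public bool ProfileNumberSpecified;
}

// Helper names below (SpecifiedPatternAudit, ToXml, FindSpecifiedFlags) are my own.
public static class SpecifiedPatternAudit
{
    // Serialize like the post's m_Serialize, but hand back the XML as a string.
    public static string ToXml(object obj)
    {
        var serializer = new XmlSerializer(obj.GetType());
        using (var writer = new StringWriter())
        {
            serializer.Serialize(writer, obj);
            return writer.ToString();
        }
    }

    // Audit check: every public bool "<X>Specified" that sits next to a public X.
    // Each hit is a member XmlSerializer omits while the flag is left false.
    public static string[] FindSpecifiedFlags(Type t)
    {
        const BindingFlags pub = BindingFlags.Public | BindingFlags.Instance;
        var members = t.GetFields(pub).Select(f => new { f.Name, Type = f.FieldType })
            .Concat(t.GetProperties(pub).Select(p => new { p.Name, Type = p.PropertyType }))
            .ToDictionary(m => m.Name, m => m.Type);
        return members.Keys
            .Where(n => n.EndsWith("Specified") && members[n] == typeof(bool))
            .Where(n => members.ContainsKey(n.Substring(0, n.Length - "Specified".Length)))
            .OrderBy(n => n).ToArray();
    }
    public static void Main()
    {
        var obj = new tResponseGeneralInfo { ProfileNumber = 23 };
        Console.WriteLine(ToXml(obj));      // no <ProfileNumber>: the flag is still false
        obj.ProfileNumberSpecified = true;  // set the flag whenever the value is assigned
        Console.WriteLine(ToXml(obj));      // <ProfileNumber>23</ProfileNumber> is now emitted
        foreach (var flag in FindSpecifiedFlags(typeof(tResponseGeneralInfo)))
            Console.WriteLine("control flag: " + flag);
    }
}
```

Running FindSpecifiedFlags over the data-transfer classes of a service before they go live surfaces every member that can silently vanish from logs or SOAP messages in this way.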