Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Resource Deserialization Security Vulnerability #1196

Closed
dgrunwald opened this issue Jul 1, 2018 · 2 comments
Closed

Resource Deserialization Security Vulnerability #1196

dgrunwald opened this issue Jul 1, 2018 · 2 comments
Assignees
Labels
Bug

Comments

@dgrunwald
Copy link
Member

@dgrunwald dgrunwald commented Jul 1, 2018

Affected Versions: ILSpy 1.x, 2.x, 3.0.x, 3.1.x
Fixed in: 3.2.0

ILSpy was deserializing arbitrary objects within ".resources" embedded resources.
Using well-known .NET BinaryFormatter deserialization exploits, a malicious assembly could gain code execution when viewing its resources in ILSpy. (for example when clicking the "Resources" node in the ILSpy tree view)
Resources were also loaded when decompiling an assembly into a Visual Studio project.

If you are using ICSharpCode.Decompiler, you are only affected by this vulnerability if you are using the WholeProjectDecompiler class.
The CSharpDecompiler class does not attempt resource deserialization.
This means the experimental ILSpy integration in Visual Studio is not affected.

Warning: the fix only avoids deserializing such resources in ILSpy.
If you save such an assembly as a Visual Studio project, we will copy the serialized bytes as-is into the .resx file. The .resx file may then gain code execution when you re-compile the project in Visual Studio!

@dgrunwald dgrunwald added the Bug label Jul 1, 2018
@dgrunwald dgrunwald self-assigned this Jul 1, 2018
@dgrunwald

This comment has been minimized.

Copy link
Member Author

@dgrunwald dgrunwald commented Jul 1, 2018

The fix is in commit c17c3c7.
If you are using an ILSpy preview version, the first one with the fix is:

  • 3.2.0.3855 (the the 3.2.x branch) -- 3.2.0-beta and 3.2.0-rc were both affected!
  • 3.3.0.3863-alpha (for the master branch)
  • 4.0.0.4045-srm (for the 'srm' branch)
@siegfriedpammer

This comment has been minimized.

Copy link
Member

@siegfriedpammer siegfriedpammer commented Jul 1, 2018

As of 42591a0 the fix is merged to the 'srm' branch.

@dgrunwald dgrunwald closed this Jul 7, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.