👹 Fixes known BinaryFormatter deserialization vulnerabilities
Zyan.SafeDeserializationHelpers

This tiny library guards BinaryFormatter against several known deserialization gadget chains. When a known malicious payload is detected, the library throws an UnsafeDeserializationException instead of deserializing data that could produce harmful side effects. The guard is a list of known gadgets: it does not protect against gadget chains it has not been taught to recognize, so it is a mitigation layer, not a replacement for keeping BinaryFormatter away from untrusted input.


Deserializing the untrusted data is dangerous

It is well established that deserializing arbitrary payloads can, under certain conditions, trigger code execution. BinaryFormatter, DataContractSerializer and XmlSerializer, as well as several widely used JSON serializers, are known to be exploitable this way when they are fed attacker-controlled input.

See ysoserial.net project for details.

Code sample

```csharp
using System.Runtime.Serialization.Formatters.Binary;
using Zyan.SafeDeserializationHelpers; // provides the Safe() extension method

// unsafe: deserialization can trigger arbitrary code execution
var unsafeFormatter = new BinaryFormatter();
var unsafeResult = unsafeFormatter.Deserialize(stream);

// safe: Safe() attaches the library's guards; a known malicious payload
// makes Deserialize throw UnsafeDeserializationException instead
var safeFormatter = new BinaryFormatter().Safe();
var safeResult = safeFormatter.Deserialize(stream);
```

Usage

  1. Install Zyan.SafeDeserializationHelpers nuget package.
  2. Use new BinaryFormatter().Safe() instead of just new BinaryFormatter().
  3. For .NET Remoting projects, use safe versions of the binary formatter sinks:
    • Replace BinaryClientFormatterSinkProvider with SafeBinaryClientFormatterSinkProvider.
    • Replace BinaryServerFormatterSinkProvider with SafeBinaryServerFormatterSinkProvider.
  4. Make sure to test your project against payloads produced by ysoserial.net gadgets.
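Because the library's guard only recognizes the gadget chains listed below, the usual complementary defense is an allow-list: refuse any type that the application does not expect on the wire, before any of its fields are populated. The example below is added here to show that approach with a plain SerializationBinder; it is not code from this library and does not use its API. The Message and Unexpected types are hypothetical, and Unexpected is only a stand-in for "a type not on the allow-list", not a real gadget. Note that BindToType must throw to reject a type: returning null makes BinaryFormatter fall back to its default type resolution.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical message type that the application legitimately exchanges.
[Serializable]
public sealed class Message
{
    public string Sender;
    public string Body;
}

// Hypothetical stand-in for any type the application never expects on the wire.
// It is NOT a gadget; it only demonstrates that unlisted types are refused.
[Serializable]
public sealed class Unexpected
{
    public string Payload;
}

// Allow-list binder: BinaryFormatter asks the binder to resolve every class
// record it meets in the stream. Anything not in the map is rejected by
// throwing; returning null would fall back to default resolution.
public sealed class AllowListBinder : SerializationBinder
{
    private readonly Dictionary<string, Type> _allowed;

    public AllowListBinder(params Type[] allowed)
    {
        _allowed = new Dictionary<string, Type>(StringComparer.Ordinal);
        foreach (var t in allowed)
            _allowed[t.FullName] = t;
    }

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (_allowed.TryGetValue(typeName, out var type))
            return type;
        throw new SerializationException(
            $"Deserialization of type '{typeName}' from '{assemblyName}' is not allowed.");
    }
}

public static class Demo
{
    static byte[] Serialize(object graph)
    {
        using (var ms = new MemoryStream())
        {
            new BinaryFormatter().Serialize(ms, graph);
            return ms.ToArray();
        }
    }

    static object DeserializeGuarded(byte[] data)
    {
        // Only Message (and primitives/strings, which bypass the binder) may appear.
        var fmt = new BinaryFormatter { Binder = new AllowListBinder(typeof(Message)) };
        using (var ms = new MemoryStream(data))
            return fmt.Deserialize(ms);
    }

    public static void Main()
    {
        // Constructed sample input: a legitimate message round-trips.
        var ok = (Message)DeserializeGuarded(
            Serialize(new Message { Sender = "alice", Body = "hello" }));
        Console.WriteLine($"accepted: {ok.Sender}: {ok.Body}");

        // Constructed sample input: a stream carrying a type outside the
        // allow-list is refused as soon as its type record is read.
        try
        {
            DeserializeGuarded(Serialize(new Unexpected { Payload = "x" }));
            Console.WriteLine("BUG: unexpected type was accepted");
        }
        catch (SerializationException e)
        {
            Console.WriteLine($"rejected: {e.Message}");
        }
    }
}
```

An allow-list binder and the library's gadget detection address different failure modes: the binder stops any type you did not anticipate, the library stops the known gadget chains even when they are smuggled in through types you did allow (for example via a surrogate or a nested object graph). Running both, and then testing against ysoserial.net output as step 4 says, is the practical minimum if BinaryFormatter cannot be removed.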

Known vulnerabilities supported by the library

  • ActivitySurrogateSelector gadget by James Forshaw (loads an assembly and executes arbitrary code).
  • PSObject gadget by Oleksandr Mirosh and Alvaro Munoz. Target must run a system not patched for CVE-2017-8565.
  • TypeConfuseDelegate gadget by James Forshaw (runs any process using Process.Start delegate).
  • DataSet gadget by James Forshaw (unsafe BinaryFormatter deserialization).
  • WindowsIdentity gadget by Levi Broderick (unsafe BinaryFormatter deserialization).

References

Thanks

License

MIT License.