Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Serious Security issue with broken - Microsoft's .Net XML Serialization API
From: Rohit <rohits79 () gmail com>
Date: Tue, 13 Sep 2005 23:13:11 +0530

Sorry in excitment i made some mistake in the code in case if you
haven't already figured it out :)

using System;
using System.Xml;
using System.IO;
using System.Xml.Serialization;

namespace ConsoleApplication1
{

[Serializable()]
public class tResponseGeneralInfo
{
public long ProfileNumber;

public bool ProfileNumberSpecified;

}

class Class1
{
[STAThread]
static void Main(string[] args)
{
tResponseGeneralInfo obj = new
tResponseGeneralInfo();
obj.ProfileNumber = 23;

XmlDocument oXmlDoc = new XmlDocument();
oXmlDoc.Load(m_Serialize(obj));


//Print OXmlDoc's inner XML;
System.Console.WriteLine(oXmlDoc.InnerXml);

}

private static MemoryStream m_Serialize(object obj)
{
try
{
XmlSerializer serializer = new
XmlSerializer(obj.GetType());
MemoryStream ms = new MemoryStream();
serializer.Serialize(ms, obj);
ms.Position = 0;
return ms;
}
catch(Exception ex)
{
return null;
}


}
}

}



thanks
rohit


On 9/13/05, Rohit <rohits79 () gmail com> wrote:
Operating Systems: All windows platform with .net framework installed

Explanation: This vulnerability could lead to serious security and
other issues depending on the
implementation. To explain this issue I will try to frame up a
possible scenario
(Am basically a programmer and can imagine a number of
scenarios where this issue could be a serious problem). Please let me know
if the following helps.

At the moment the best example in reference to this issue i could give
you is of an online shopping cart which uses .net framework (imagaine
amazon using .net for example).

Example:
After selecting my favorite DVD on the website I choose to checkout.
The checkout screen prompts me for my address and my VISA card number. I
type in my 15 digit VISA card number, card's expiry date and the
shipping address. This and the other information goes back to the server and
code behind reads the information and maps this information to a
programming class such as

class UserInformation
{

string CustomerName;
string Address;

long VISACard;
bool VISACardCorrect; //algorithm that determines if the visa card is
correct

string CustomerIPAddress;
string VISACardExpiry;
}

Now imagine for security reasons Amazon would like to archive this
information to their log-database/repository (as most companies do - which
scares me at times) and The log archiving procedure is implemented as a
web service at Amazon which is over SOAP(XML).

The big problem: To log the customer information the code behind would
need to serialize the UserInformation object to XML format so it could
be passed to the web service. But, because of this vulnerability all
the information would be serialized exception for the VISA Card Number.
We'd be basically logging everything but the VISA Card Number which
might be fake and would be difficult to trace back later.

WORSE: One could be using a Fake National-ID/Passport Number/VisaCard
etc etc which might be "THE" essential information required but because
of this bug the required info is never passed to required agents.



Proof Of Concept - Compile in .net framework and essential attribute
value is missing in the generated xml

---Code---
using System;
using System.Xml;
using System.IO;
using System.Xml.Serialization;

namespace ConsoleApplication1
{

     [Serializable()]
     public class tResponseGeneralInfo
     {
           public long ProfileNumber;

           public bool ProfileNumberSpecified;

     }

     class Class1
     {
           [STAThread]
           static void Main(string[] args)
           {
                 tResponseGeneralInfo obj = new
tResponseGeneralInfo();
                 obj.ProfileNumber = 23;

                 XmlDocument oXmlDoc = new XmlDocument();
                 oXmlDoc.Load(m_Serialize(obj));
               //Print OXmlDoc's inner XML;
           }

           private static MemoryStream m_Serialize(object obj)
           {
                 try
                 {
                       XmlSerializer serializer = new
XmlSerializer(obj.GetType());
                       MemoryStream ms = new MemoryStream();
                       serializer.Serialize(ms, obj);
                       ms.Position = 0;
                       return ms;
                 }
                 catch(Exception ex)
                 {

                 }
           }
     }

}

---

Output: Here ProfileNumber is missing

"<?xml version=\"1.0\"?><tResponseGeneralInfo
xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\";><ProfileNumberSp
ecified>false</ProfileNumberSpecified></tResponseGeneralInfo>

---



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]