Input validation and representation problems ares caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.
...
string name = Request["username"];
string template = "Hello @Model.Name! Welcome " + name + "!";
string result = Razor.Parse(template, new { Name = "World" });
...
operation
parameter is a benign value, such as "John", in which case the result
variable is assigned a value of "Hello World! Welcome John!". However, if an attacker specifies languages operations that are both valid and malicious, those operations would be executed with the full privilege of the parent process. Such attacks are even more dangerous when the underlying language provides access to system resources or allows execution of system commands. For example, Razor allows invocation of C# objects; if an attacker were to specify " @{ System.Diagnostics.Process proc = new System.Diagnostics.Process(); proc.EnableRaisingEvents=false; proc.StartInfo.FileName=\"calc\"; proc.Start(); }" as the value of name
, a system command would be executed on the host system.
...
ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
ScriptEngine scriptEngine = scriptEngineManager.getEngineByExtension("js");
userOps = request.getParameter("operation");
Object result = scriptEngine.eval(userOps);
...
operation
parameter is a benign value, such as "8 + 7 * 2", in which case the result
variable is assigned a value of 22. However, if an attacker specifies languages operations that are both valid and malicious, those operations would be executed with the full privilege of the parent process. Such attacks are even more dangerous when the underlying language provides access to system resources or allows execution of system commands. For example, JavaScript allows invocation of Java objects; if an attacker were to specify " java.lang.Runtime.getRuntime().exec("shutdown -h now")" as the value of operation
, a shutdown command would be executed on the host system.
...
userOp = form.operation.value;
calcResult = eval(userOp);
...
operation
parameter is a benign value, such as "8 + 7 * 2", in which case the calcResult
variable is assigned a value of 22. However, if an attacker specifies languages operations that are both valid and malicious, those operations would be executed with the full privilege of the parent process. Such attacks are even more dangerous when the underlying language provides access to system resources or allows execution of system commands. In the case of JavaScript, the attacker may utilize this vulnerability to perform a cross-site scripting attack.
...
strUserOp = Request.Form('operation')
strResult = Eval(strUserOp)
...
operation
parameter is "8 + 7 * 2". The strResult
variable returns with a value of 22. However, if a user were to specify other valid language operations, those operations would not only be executed but executed with the full privilege of the parent process. Arbitrary code execution becomes more dangerous when the underlying language provides access to system resources or allows execution of system commands. For example, if an attacker were to specify operation
as " Shell('C:\WINDOWS\SYSTEM32\TSSHUTDN.EXE 0 /DELAY:0 /POWERDOWN')" a shutdown command would be executed on the host system.Delegate
field in a given class introduces an arbitrary code execution vulnerability when deserializing the class.Delegate
type is used to hold reference to a method call that can be invoked later in the user code. .NET uses custom serialization while serializing Delegate
types and utilizes the System.DelegateSerializationHolder
class to store the method information that are attached or subscribed to a Delegate
. The serialized stream of Delegate
object is not suitable for persistent storage or passing it to remote application, because if an attacker can replace the method information with one which points to a malicious object graph, the attacker will be able to run arbitrary code.Delegate
field and is getting invoked in the Executor
method:
...
[Serializable]
class DynamicRunnner
{
Delegate _del;
string[] _arg;
public DynamicRunnner(Delegate dval, params string[] arg)
{
_del = dval;
_arg = arg;
}
public bool Executor()
{
return (bool)_del.DynamicInvoke(_arg);
}
}
...
Example 1
, an attacker may replace the method information with one which points to Process.Start
, causing the creation of an arbitrary process when the Executor
method is called.BeanUtilsHashMapper
to deserialize Redis Hashes that might enable attacker in control of such Hashes to run arbitrary code.
HashMapper<Person, String, String> hashMapper = new BeanUtilsHashMapper<Person>(Person.class);
Person p = hashMapper.fromHash(untrusted_map);
EnableViewStateMac
property because it introduces a remote code execution vulnerability in the application. However, the developer can override this function with the aspnet:AllowInsecureDeserialization
setting and therefore make the application vulnerable to remote code execution.aspnet:AllowInsecureDeserialization
is set to true
.
<appSettings>
<add key="aspnet:AllowInsecureDeserialization" value="true" />
</appSettings>
Low
and Full
. Low
, the default value, protects against deserialization attacks by deserializing only the types associated with the most basic remoting functionality, such as automatic deserialization of remoting infrastructure types, a limited set of system-implemented types, and a basic set of custom types. The Full
deserialization level supports automatic deserialization of all types that remoting supports in all situations.typeFilterLevel
is set to Full
.
<system.runtime.remoting>
<application>
<channels>
<channel ref="tcp" port="2000">
<serverProviders>
<formatter ref="soap" typeFilterLevel="Full" />
<formatter ref="binary" typeFilterLevel="Full" />
</serverProviders>
<clientProviders>
<formatter ref="binary"/>
</clientProviders>
</channel>
</channels>
</application>
...
</system.runtime.remoting>
TestService
methods.Example 2: JMSInvokerServiceExporter exposing
<bean id="testService" class="example.TestServiceImpl"/>
<bean class="org.springframework.remoting.rmi.RmiServiceExporter">
<property name="serviceName" value="TestService"/>
<property name="service" ref="testService"/>
<property name="serviceInterface" value="example.TestService"/>
<property name="registryPort" value="1199"/>
</bean>
TestService
methods.Example 3: HTTPInvokerServiceExporter exposing
<bean id="testService" class="example.TestServiceImpl"/>
<bean class="org.springframework.jms.remoting.JmsInvokerServiceExporter">
<property name="serviceInterface" value="example.TestService"/>
<property name="service" ref="testService"/>
</bean>
TestService
methods.
<bean id="testService" class="example.TestServiceImpl"/>
<bean class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
<property name="serviceInterface" value="example.TestService"/>
<property name="service" ref="testService"/>
</bean>
The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
__reduce__
method. This method should return a callable
and the arguments for it. Pickle will call the callable with the provided arguments to construct the new object allowing the attacker to execute arbitrary commands.