ASP.NET resource files (.RESX) and deserialization issues

I have recently published a blog post via NCC Group’s website about the deserialization issue by abusing the ASP.NET resource files (.resx and .resources extensions). A number of products were exploited and some file uploaders can also be vulnerable to this type of attack.

The full article can be viewed in NCC Group’s website: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/

PDF version of the blog post published by NCC Group can be downloaded from:

https://soroush.secproject.com/downloadable/aspnet_resource_files_resx_deserialization_issues.pdf

In addition to this, the advisories can be seen via:

Code Execution by Unsafe Resource Handling in Multiple Microsoft Products: https://www.nccgroup.trust/uk/our-research/technical-advisory-code-execution-by-unsafe-resource-handling-in-multiple-microsoft-products/

Code Execution by Viewing Resource Files in .NET Reflector: https://www.nccgroup.trust/uk/our-research/technical-advisory-code-execution-by-viewing-resource-files-in-net-reflector/

I had also reported the same vulnerability in Telerik justDecompile and JetBrains dotPeek:

https://blog.jetbrains.com/dotnet/2018/08/02/resharper-ultimate-2018-1-4-rider-2018-1-4-released/

https://www.telerik.com/support/whats-new/justdecompile/release-history/justdecompile-r2-2018-sp1

Relevant tweets about this:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.