Category Archives: My Advisories

Soroush Dalili’s Security Advisories

ASP.NET resource files (.RESX) and deserialization issues

I have recently published a blog post via NCC Group’s website about the deserialization issue by abusing the ASP.NET resource files (.resx and .resources extensions). A number of products were exploited and some file uploaders can also be vulnerable to this type of attack.

The full article can be viewed in NCC Group’s website: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/

PDF version of the blog post published by NCC Group can be downloaded from:

https://soroush.secproject.com/downloadable/aspnet_resource_files_resx_deserialization_issues.pdf

In addition to this, the advisories can be seen via:

Code Execution by Unsafe Resource Handling in Multiple Microsoft Products: https://www.nccgroup.trust/uk/our-research/technical-advisory-code-execution-by-unsafe-resource-handling-in-multiple-microsoft-products/

Code Execution by Viewing Resource Files in .NET Reflector: https://www.nccgroup.trust/uk/our-research/technical-advisory-code-execution-by-viewing-resource-files-in-net-reflector/

I had also reported the same vulnerability in Telerik justDecompile and JetBrains dotPeek:

https://blog.jetbrains.com/dotnet/2018/08/02/resharper-ultimate-2018-1-4-rider-2018-1-4-released/

https://www.telerik.com/support/whats-new/justdecompile/release-history/justdecompile-r2-2018-sp1

Relevant tweets about this:

MS 2018 Q4 – Top 5 Bounty Hunter for 2 RCEs in SharePoint Online

I was amongst top 5 bounty hunters in MS Q4 2018: https://blogs.technet.microsoft.com/msrc/2018/07/26/recognizing-q4-top-5-bounty-hunters/

Although I am not doing active bug bounty hunting at the moment, this was a great experience. I got this prize because of reporting two RCEs in SharePoint Online.

One of the RCEs was patched in MS July 2018 patch (CVE-2018-8284) and this was an interesting screenshot:

I did not get any prize for CVE-2018-8300 which was another RCE in SharePoint using the resource files (the issue was similar to a bug reported in another MS project that I was part of its paid engagement).

SMB hash hijacking & user tracking in MS Outlook

Microsoft (MS) Outlook could be abused to send SMB handshakes externally after a victim opened or simply viewed an email. A WebDAV request was sent even when the SMB port was blocked. This could be used to crack a victim’s password when the SMB hash was sent externally, or to receive a notification when an email had been viewed by a victim.

This issue was partially patched in July 2017 (CVE-2017-8572). According to the Microsoft Security Response Center (MSRC), CVE-2017-11927 that was released in December 2017 had also patched a number of payloads. This patch was updated in May 2018 to address the remaining issues that were mentioned in this report.

The full article can be viewed in NCC Group’s website: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/smb-hash-hijacking-and-user-tracking-in-ms-outlook/

The GitHub project is accessible at https://github.com/nccgroup/OutlookLeakTest.

PDF version of the blog post published by NCC Group can be downloaded from:

https://soroush.secproject.com/downloadable/outlook_smb_hash_hijacking.pdf

Rare ASP.NET request validation bypass using request encoding

I had blogged about this in NCC Group’s website. I thought it is the best to add a link to it here as well.

It is possible to bypass the ASP.NET request validation capability when errors are ignored using request encoding techniques. This can be abused to perform stored cross-site scripting (XSS) attacks.

The full article can be read here: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/rare-aspnet-request-validation-bypass-using-request-encoding/

PDF version can be downloaded from: https://soroush.secproject.com/downloadable/Rare_ASP.NET_Request_Validation_Bypass_Using_Request_Encoding.pdf

Request encoding to bypass web application firewalls

I “think” I have discovered a “new” technique in bypassing external web application firewalls using request encoding. The idea is very simple but I had not seen this before to be used to bypass any protection mechanisms. Details of this technique has been published via NCC Group’s blog:

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/request-encoding-to-bypass-web-application-firewalls/

This technique was presented as one the methods to mutate the HTTP requests in:

There are loads of other anomalies that can be used to bypass WAFs using webservers behaviour in accepting HTTP requests; my plan is to complete this research and put all the results via the https://http.ninja/ website. Please feel free to contact me via my Twitter (@irsdl) if you have some ideas regarding this.

The unofficial PDF version of this blog post can be downloaded from here:
https://soroush.secproject.com/downloadable/request-encoding-to-bypass-web-application-firewalls.pdf

Almost all the cloud-based WAFs that I had tested could be bypassed using this technique at the time of discovery.