One Article Review

Source: Code White
Identifier: 4041505
Publication date: 2022-01-27 16:00:33 (viewed: 2022-01-27 15:07:43)
Title: .NET Remoting Revisited
Text: .NET Remoting is the built-in architecture for remote method invocation in .NET. It is also the origin of the (in)famous BinaryFormatter and SoapFormatter serializers, and not only for that reason a promising target to watch. This blog post attempts to give insights into its features, its security measures, and especially its weaknesses and vulnerabilities, which often result in remote code execution. We also introduce major additions to the ExploitRemotingService tool, a new ObjRef gadget for YSoSerial.Net, and finally a RogueRemotingServer as counterpart to the ObjRef gadget. If you already understand the internals of .NET Remoting, you may skip the introduction and proceed right to Security Features, Pitfalls, and Bypasses.

Introduction

.NET Remoting is deeply integrated into the .NET Framework and allows invocation of methods across so-called remoting boundaries. These can be different app domains within a single process, different processes on the same computer, or different processes on different computers. Supported transports between client and server are HTTP, IPC (named pipes), and TCP. Here is a simple example for illustration: the server creates and registers a transport server channel and then registers the class as a service with a well-known name in the server's registry:

    var channel = new TcpServerChannel(12345);
    ChannelServices.RegisterChannel(channel);
    RemotingConfiguration.RegisterWellKnownServiceType(
        typeof(MyRemotingClass), "MyRemotingClass",
        WellKnownObjectMode.SingleCall); // mode argument is required by the API; SingleCall assumed here

Then a client just needs the URL of the registered service to do remoting with the server:

    var remote = (MyRemotingClass)RemotingServices.Connect(
        typeof(MyRemotingClass), "tcp://remoting-server:12345/MyRemotingClass");

With this, every invocation of a method or property accessor on remote gets forwarded to the remoting server, executed there, and the result is returned to the client. This all happens transparently to the developer.
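The following is an added example (mine, not code from the Code White post or from its tools) that runs the registration and connection shown above end to end in a single process, so that the transparent proxy and the server-side formatter sink become visible. It keeps the post's names MyRemotingClass and port 12345; the channel names, the loopback binding, the secure and TypeFilterLevel settings and the Echo method are assumptions for illustration. It needs .NET Framework, since Remoting is absent from .NET Core and .NET 5+.

```csharp
// Added example, not from the Code White post: one process hosts a .NET Remoting
// service over TCP on loopback and then calls it as a client.
// Build against System.Runtime.Remoting.dll on .NET Framework.
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Runtime.Serialization.Formatters;

// The remoted type must derive from MarshalByRefObject, otherwise
// RegisterWellKnownServiceType throws a RemotingException. Every public
// member becomes callable by anyone who can reach the channel.
public class MyRemotingClass : MarshalByRefObject
{
    // Assumed method for illustration; runs on the server side, and its
    // argument arrived through the server's BinaryFormatter sink.
    public string Echo(string input)
    {
        return "server saw: " + input;
    }
}

static class Program
{
    static void Main()
    {
        // Server formatter sink. TypeFilterLevel.Low refuses types that Full
        // would deserialize, but the request is still parsed by BinaryFormatter,
        // so the endpoint must only be reachable by trusted clients.
        // bindTo=127.0.0.1 keeps it off the network; secure=true makes the
        // channel authenticate and encrypt the connection.
        var serverProvider = new BinaryServerFormatterSinkProvider
        {
            TypeFilterLevel = TypeFilterLevel.Low
        };
        var serverProps = new Hashtable
        {
            ["name"]   = "tcp-server",   // assumed name; must be unique per process
            ["port"]   = 12345,
            ["bindTo"] = "127.0.0.1",
            ["secure"] = true
        };
        ChannelServices.RegisterChannel(
            new TcpServerChannel(serverProps, serverProvider), ensureSecurity: false);

        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(MyRemotingClass), "MyRemotingClass",
            WellKnownObjectMode.Singleton);

        // Client side (same process here, normally a different one). A server
        // channel cannot initiate connections, so a client channel is registered
        // as well; it needs a distinct name and the same "secure" setting.
        var clientProps = new Hashtable
        {
            ["name"]   = "tcp-client",   // assumed name
            ["secure"] = true
        };
        ChannelServices.RegisterChannel(
            new TcpClientChannel(clientProps, new BinaryClientFormatterSinkProvider()),
            ensureSecurity: false);

        var remote = (MyRemotingClass)RemotingServices.Connect(
            typeof(MyRemotingClass), "tcp://127.0.0.1:12345/MyRemotingClass");

        // Connect hands back a transparent proxy rather than a real
        // MyRemotingClass instance; IsTransparentProxy reports that. The Echo
        // call is turned into a MethodCall, pushed through the client sinks,
        // deserialized by the server formatter sink and dispatched there.
        Console.WriteLine("proxy: " + RemotingServices.IsTransparentProxy(remote));
        Console.WriteLine(remote.Echo("hello"));
    }
}
```

Running it as a single console program exercises exactly the path the Remoting Internals section describes: the proxy on the client, the sink chains on both sides, and the dispatcher on the server. The "secure" property and the TypeFilterLevel are the two knobs a practitioner should check first on any real deployment, because without them the TCP port accepts BinaryFormatter payloads from any client that can reach it.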
And although .NET Remoting has already been deprecated since the release of .NET Framework 3.0 in 2006 and is no longer available on .NET Core and .NET 5+, it is still around, even in contemporary enterprise-level software products.

Remoting Internals

If you are interested in how .NET Remoting works under the hood, here are some insights. In simple terms: when the client connects to the remoting object provided by the server, it creates a RemotingProxy that implements the specified type MyRemotingClass. All method invocations on remote at the client (except for GetType() and GetHashCode()) are sent to the server as remoting calls. When a method gets invoked on remote, the proxy creates a MethodCall object that holds the information about the method and the passed parameters. It is then passed to a chain of sinks that prepare the MethodCall and handle the remoting communication with the server over the given transport. On the server side, the received request is also passed through a chain of sinks that reverses the process, which includes deserialization of the MethodCall object. It ends in a dispatcher sink, which invokes the actual implementation of the method with the passed parameters. The result of the method invocation is then put in a MethodResponse object and returned to the client, where the client s
Sent: Yes
Tags: Tool


The article does not seem to have been picked up again after its publication.


The article does not seem to be a repeat of an earlier one.