Justin Taft


.NET Deserialization Gadgets

December 25, 2019

The use of BinaryFormatter in .NET applications frequently leads to remote code execution with little effort. See https://github.com/pwntester/ysoserial.net for example gadgets.

When testing the TypeConfuseDelegate payload in your own project, a couple of exceptions may be thrown:

Developers often try to remediate deserialization bugs by whitelisting which types can be deserialized. In .NET applications, the System assembly is frequently whitelisted. However, known remote code execution gadgets exist within System itself, so such a whitelist still leaves the application exploitable.

A recommended fix is to use a serialization framework that does not let the input specify arbitrary types to be deserialized, such as JSON.
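As an added example (not code from this post), the two points above side by side: a SerializationBinder that only allow-lists the System/mscorlib assemblies, which per the post still admits gadget types, next to one that allow-lists exact type names, and a JSON reader that maps input onto one declared type. `UserPrefs` and `PrefsStore` are hypothetical names chosen for the illustration.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

[Serializable]
public class UserPrefs { public string Theme { get; set; } public int FontSize { get; set; } } // hypothetical type
// Weak binder: allow-lists whole assemblies. System/mscorlib already contain
// deserialization gadgets, so this leaves the formatter exploitable.
sealed class AssemblyAllowListBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (assemblyName.StartsWith("System,", StringComparison.Ordinal) ||
            assemblyName.StartsWith("mscorlib,", StringComparison.Ordinal))
            return Type.GetType(typeName + ", " + assemblyName);
        throw new SerializationException("Type not allowed: " + typeName);
    }
}

// Hardened binder: allow-lists exact type names the application expects.
// It throws rather than returning null: a null return makes the formatter
// fall back to default resolution, which would load any type in the payload.
sealed class TypeAllowListBinder : SerializationBinder
{
    static readonly Type[] Allowed = { typeof(UserPrefs) };
    public override Type BindToType(string assemblyName, string typeName)
    {
        foreach (var t in Allowed)
            if (t.FullName == typeName) return t;
        throw new SerializationException("Type not allowed: " + typeName);
    }
}

public static class PrefsStore
{
    // Legacy path for data that already exists in BinaryFormatter form. BinaryFormatter
    // is obsolete and disabled by default in current .NET versions.
    public static UserPrefs LoadBinary(byte[] data)
    {
        var bf = new BinaryFormatter { Binder = new TypeAllowListBinder() };
        using (var ms = new MemoryStream(data))
            return (UserPrefs)bf.Deserialize(ms);
    }
    // Preferred path: the JSON reader maps input onto one declared type and
    // carries no type metadata, so the payload cannot choose what gets created.
    public static UserPrefs LoadJson(string json) => JsonSerializer.Deserialize<UserPrefs>(json);
}
```

Wiring `AssemblyAllowListBinder` into the formatter instead of `TypeAllowListBinder` is the pattern the post warns about: the binder accepts the assembly, and the gadget types inside it come along.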
