Visualstudio-docs: How can an attacker run malicious code during deserialization?

Created on 9 Jun 2020 · 7 comments · Source: MicrosoftDocs/visualstudio-docs

If an attacker writes a C# class that's meant to run malicious code on your machine and includes the name of that class in the JSON, doesn't your machine only get the class name and not the code? Can't Newtonsoft only use type information for deserialization if the type has been loaded in the .NET runtime? How could malicious code be run if the code hasn't been transferred to the target machine?


Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

Pri2 doc-bug visual-studio-windowprod vs-ide-code-analysitech

All 7 comments

@v-kydela -- Kyle, thank you for your questions. Please consider these resources:

@dotpaul -- Paul, please look into this issue.

Hi @v-kydela, your understanding of only type names appearing in serialized data is correct; an attack involves types that are already available to the attacked process.

@dotpaul - The article says "An attack against an insecure deserializer could, for example, execute commands on the underlying operating system, communicate over the network, or delete files."

Are there any builtin .NET types that could be used to do that just by being constructed during deserialization?

Yep, there are.
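The point made above (only type names travel in the JSON, and the serializer can only instantiate types already loaded in the receiving process) is what a serialization binder enforces. The following is an added example, not code from the issue or from the documentation it discusses; it assumes Newtonsoft.Json with a hypothetical `OrderMessage` type and a constructed payload, and shows an allow-list `ISerializationBinder` that lets `$type` resolve to exactly the registered types and nothing else.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical message type the application legitimately expects (constructed for this example).
public class OrderMessage
{
    public string OrderId { get; set; }
    public int Quantity { get; set; }
}

// Binder that maps "$type" names to allow-listed types and rejects everything else.
// Deserialization can only instantiate types already loaded in this process; the binder
// narrows that from "every loaded type" to "exactly these".
public sealed class AllowListBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _allowed = new Dictionary<string, Type>();

    public AllowListBinder(params Type[] allowed)
    {
        foreach (var t in allowed) _allowed[t.FullName] = t;
    }
    public Type BindToType(string assemblyName, string typeName)
    {
        if (_allowed.TryGetValue(typeName, out var t)) return t;
        throw new JsonSerializationException($"Type '{typeName}' is not permitted in this payload.");
    }
    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed payload carrying a "$type" hint, as a polymorphic message would.
        const string payload = "{\"$type\":\"OrderMessage\",\"OrderId\":\"A-1\",\"Quantity\":2}";
        // Weak: TypeNameHandling.All/Auto/Objects without a binder lets "$type" pick any loaded type.
        // Hardened: stay on TypeNameHandling.None, or pair it with an allow-list binder as here.
        var hardened = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Objects,
            SerializationBinder = new AllowListBinder(typeof(OrderMessage))
        };
        var msg = JsonConvert.DeserializeObject<OrderMessage>(payload, hardened);
        Console.WriteLine($"{msg.OrderId} x{msg.Quantity}");
    }
}
```

A payload whose `$type` names any type other than `OrderMessage` fails in `BindToType` with a `JsonSerializationException` before any object is constructed, which is also a useful event to log.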

@dotpaul Is there any doc clarification needed for this? Otherwise, I will close it.

@Mikejo5000 no doc updates needed. Thanks!

Great, thx!
