Article’s PDF version: https://soroush.secproject.com/downloadable/aspnet_resource_files_resx_deserialization_issues.pdf
I have recently published a blog post via NCC Group’s website about the deserialization issue by abusing the ASP.NET resource files (.resx and .resources extensions). A number of products were exploited and some file uploaders can also be vulnerable to this type of attack.
The full article can be viewed in NCC Group’s website: https://web.archive.org/web/20180701000000*/https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/
In addition to this, the advisories can be seen via:
Code Execution by Unsafe Resource Handling in Multiple Microsoft Products: https://research.nccgroup.com/2018/02/08/technical-advisory-code-execution-by-unsafe-resource-handling-in-multiple-microsoft-products/
Code Execution by Viewing Resource Files in .NET Reflector: https://research.nccgroup.com/2018/02/08/technical-advisory-code-execution-by-viewing-resource-files-in-net-reflector/
I had also reported the same vulnerability in Telerik justDecompile and JetBrains dotPeek:
https://blog.jetbrains.com/dotnet/2018/08/02/resharper-ultimate-2018-1-4-rider-2018-1-4-released/
https://www.telerik.com/support/whats-new/justdecompile/release-history/justdecompile-r2-2018-sp1
Relevant tweets about this: