I have recently published a blog post on NCC Group’s website about deserialization issues that can be exploited by abusing ASP.NET resource files (.resx and .resources extensions). A number of products were exploited, and some file uploaders can also be vulnerable to this type of attack.
The full article can be viewed on NCC Group’s website: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/
A PDF version of the blog post published by NCC Group can be downloaded from:
https://soroush.secproject.com/downloadable/aspnet_resource_files_resx_deserialization_issues.pdf
In addition to this, the advisories can be seen via:
Code Execution by Unsafe Resource Handling in Multiple Microsoft Products: https://www.nccgroup.trust/uk/our-research/technical-advisory-code-execution-by-unsafe-resource-handling-in-multiple-microsoft-products/
Code Execution by Viewing Resource Files in .NET Reflector: https://www.nccgroup.trust/uk/our-research/technical-advisory-code-execution-by-viewing-resource-files-in-net-reflector/
I also reported the same vulnerability in Telerik JustDecompile and JetBrains dotPeek:
https://blog.jetbrains.com/dotnet/2018/08/02/resharper-ultimate-2018-1-4-rider-2018-1-4-released/
https://www.telerik.com/support/whats-new/justdecompile/release-history/justdecompile-r2-2018-sp1
Relevant tweets about this:
A new @NCCGroupInfosec blog post: RCE using ASPNET resource files and deserialization + Attacking insecure file uploaders on IIS using .RESX or .RESOURCES files: https://t.co/nD0l0bqEbN #Deserialization #AppSec #BugHunting #BugBounty #ASPNET pic.twitter.com/S7qsbkAxMX
— Soroush Dalili (@irsdl) August 2, 2018
+ Code Execution by Unsafe Resource Handling in Multiple Microsoft Products https://t.co/hWXTukNxTd
— Soroush Dalili (@irsdl) August 2, 2018
+ Code Execution by Viewing Resource Files in .NET Reflector https://t.co/mSKcnrWsdr pic.twitter.com/qh9ijai5jp
— Soroush Dalili (@irsdl) August 2, 2018