Tag Archives: ysoserial.net

My MDSec Blog Posts so far in 2020!

Lately I have only published blog posts through the MDSec website. I thought it might be a good idea to link what I have published so far here as well:

Covert Web Shells in .NET with Read-Only Web Paths

Analysis of CVE-2020-0605 – Code Execution using XPS Files in .NET

Introducing YSoSerial.Net April 2020 Improvements

A Security Review of SharePoint Site Pages

CVE-2020-0618: RCE in SQL Server Reporting Services (SSRS)

Code injection in Workflows leading to SharePoint RCE (CVE-2020-0646)

COVID-19 has sadly affected many if not all of us. I hope everyone remains safe and we can all carry on with the normal life we had before this crisis. Hopefully I can then publish more blog posts here as well.

Finding and Exploiting .NET Remoting over HTTP using Deserialisation

I have published a blog post on NCC Group’s website to explain how to test deserialisation issues within the SOAP requests that are used by ASP.NET Remoting over an HTTP channel:

This research is accompanied by an open source project that shows a sample vulnerable server and a client that can be useful for testing purposes: https://github.com/nccgroup/VulnerableDotNetHTTPRemoting/

The blog link is as follows: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/march/finding-and-exploiting-.net-remoting-over-http-using-deserialisation/

More research on .NET deserialization

I have recently published a whitepaper and a blog post as part of work research on NCC Group’s website. A number of plugins have also been added to the ysoserial.net project.

The whitepaper can help security researchers as well as developers find more deserialisation issues in .NET applications by identifying built-in methods or classes that can be abused in this process. The whitepaper can be downloaded from: https://www.nccgroup.trust/globalassets/our-research/uk/images/whitepaper-new.pdf

In the blog post, I have also explained one of the most interesting findings of the research with which code could be executed upon pasting an object from the clipboard: