Black Hat | Second Breakfast: Implicit and Mutation-Based Serialization Vulnerabilities in .NET @BlackHatOfficialYT
This talk describes novel attacks against .NET serialization that bypass current state-of-the-art mitigations.
These attacks include serialization exploits of platforms that don't use well-known .NET serializers, "mutation" attacks that can exploit deserialization even when the serialized data cannot be tampered with, and techniques for bypassing serialization binders. New remote code execution vulnerabilities in MongoDB, LiteDB, ServiceStack.Redis, RavenDB, MartenDB, JSON.Net and the .NET JavaScriptSerializer are all demonstrated....
By: Will Pearce
Full Abstract and Presentation Materials:
blackhat.com/us-23/briefings/schedule/#second-breakfast--implicit-and-mutation-based-serialization-vulnerabilities-in-net-32128