Rapid7 Vulnerability & Exploit Database

ASP.NET Serialization - Windows Timeout command (Binary Formatter and Xaml Serializer)

Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 01/01/2017
Created: 07/25/2018
Added: 06/27/2018
Modified: 06/27/2018

Description

ASP.NET Serialization problems are a subset of injection problems, in which the process is tricked into calling external processes of the attacker's choice through the injection of control-plane data into the data plane.

ASP.NET Serialization attacks take two forms:

  • An attacker can change the command that the program executes: the attacker explicitly controls what the command is.
  • An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means.

In this case we are primarily concerned with the first scenario, in which an attacker explicitly controls the command that is executed. ASP.NET Serialization vulnerabilities of this type occur when:

  1. Data enters the application from an untrusted source.
  2. The data is part of a string that is executed as a command by the application.
  3. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.

Solution(s)

  • aspnetserialization-aspnetserialization-r02
