Are You My Type? Breaking .NET Sandboxes Through Serialization

Explore a comprehensive analysis of .NET serialization vulnerabilities and their exploitation in this Black Hat USA 2012 conference talk. Delve into the process of identifying security issues that led to Microsoft's largest .NET update, and learn how these vulnerabilities can be used to attack .NET applications both locally and remotely. Discover techniques for breaking out of partial trust sandboxes used in technologies like ClickOnce and XAML Browser Applications. Gain insights into various aspects of serialization, including binary serialization, the ISerializable interface, and NET Remoting Architecture. Examine active attack methods, such as path normalization and bypassing type filtering, while understanding protective measures. Investigate partial trust sandboxes, code access security, and XBAP exception handling. Uncover advanced exploitation techniques involving delegate multicasting, type confusion, reflection attacks, and hashtable serialization. Enhance your understanding of .NET security vulnerabilities and their potential impact on application integrity.

Intro
What is Serialization?
Why Serialization?
NET Serialization Support
Binary Serialization
What does it look like?
Badly Written Applications
ISerializable Interface
ISerializable Deserializing
Just Being Malicious
Demonstration
NET Remoting Architecture
Marshal By Reference
Marshal By Value
More Active Attacks
Path Normalization
Bypassing Type Filtering
How to protect against this?
Partial Trust Sandboxes
Code Access Security
XBAP Exception Handling AppDomain Boundary
ISerializable Redux
Type Conversion AppDomain Boundary
EvidenceBase.Clone
Exploiting It!
Delegate Multicasting
Serialized Delegate
Type Confusion
Reflection Attack
Hashtable Serialization
Hashtable Exploit AppDomain Boundary
Review