Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Serious Security issue with broken - Microsoft's .Net XML Serialization API
From: Rohit (rohits79gmail.com)
Date: Tue Sep 13 2005 - 10:48:25 CDT
Operating Systems: All windows platform with .net framework installed
Explanation: This vulnerability could lead to serious security and
other issues depending on the
implementation. To explain this issue I will try to frame up a
(Am basically a programmer and can imagine a number of
scenarios where this issue could be a serious problem). Please let me know
if the following helps.
At the moment the best example in reference to this issue i could give
you is of an online shopping cart which uses .net framework (imagaine
amazon using .net for example).
After selecting my favorite DVD on the website I choose to checkout.
The checkout screen prompts me for my address and my VISA card number. I
type in my 15 digit VISA card number, card's expiry date and the
shipping address. This and the other information goes back to the server and
code behind reads the information and maps this information to a
programming class such as
bool VISACardCorrect; //algorithm that determines if the visa card is
Now imagine for security reasons Amazon would like to archive this
information to their log-database/repository (as most companies do - which
scares me at times) and The log archiving procedure is implemented as a
web service at Amazon which is over SOAP(XML).
The big problem: To log the customer information the code behind would
need to serialize the UserInformation object to XML format so it could
be passed to the web service. But, because of this vulnerability all
the information would be serialized exception for the VISA Card Number.
We'd be basically logging everything but the VISA Card Number which
might be fake and would be difficult to trace back later.
WORSE: One could be using a Fake National-ID/Passport Number/VisaCard
etc etc which might be "THE" essential information required but because
of this bug the required info is never passed to required agents.
Proof Of Concept - Compile in .net framework and essential attribute
value is missing in the generated xml
public class tResponseGeneralInfo
public long ProfileNumber;
public bool ProfileNumberSpecified;
static void Main(string args)
tResponseGeneralInfo obj = new
obj.ProfileNumber = 23;
XmlDocument oXmlDoc = new XmlDocument();
//Print OXmlDoc's inner XML;
private static MemoryStream m_Serialize(object obj)
XmlSerializer serializer = new
MemoryStream ms = new MemoryStream();
ms.Position = 0;
Output: Here ProfileNumber is missing