vulnerability
ASP.NET Serialization - Delayed Powershell Execution (Binarry Formatter and Xaml)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 01/01/2017 | 06/27/2018 | 06/27/2018 |
Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
01/01/2017
Added
06/27/2018
Modified
06/27/2018
Description
Asp.Net Serialization problems are a subset of injection problem, in which the process is tricked into calling external processes of the attacker's choice through the injection of control-plane data into the data plane.
Asp.Net Serialization attacks take two forms:
- An attacker can change the command that the program executes: the attacker explicitly controls what the command is.
- An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means.
In this case we are primarily concerned with the first scenario, in which an attacker explicitly controls the command that is executed. Asp.Net Serialization vulnerabilities of this type occur when:
- Data enters the application from an untrusted source.
- The data is part of a string that is executed as a command by the application.
- By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.
Solution
aspnetserialization-aspnetserialization-r02
References
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.