vulnerability
ASP.NET Serialization - Delayed Powershell Execution (Binarry Formatter and Xaml)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Jan 1, 2017 | Jun 27, 2018 | Jun 27, 2018 |
Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
Jan 1, 2017
Added
Jun 27, 2018
Modified
Jun 27, 2018
Description
Asp.Net Serialization problems are a subset of injection problem, in which the process is tricked into calling external processes of the attacker's choice through the injection of control-plane data into the data plane.
Asp.Net Serialization attacks take two forms:
- An attacker can change the command that the program executes: the attacker explicitly controls what the command is.
- An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means.
In this case we are primarily concerned with the first scenario, in which an attacker explicitly controls the command that is executed. Asp.Net Serialization vulnerabilities of this type occur when:
- Data enters the application from an untrusted source.
- The data is part of a string that is executed as a command by the application.
- By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.
Solution
aspnetserialization-aspnetserialization-r02
References
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.