Affected Versions: ILSpy 1.x, 2.x, 3.0.x, 3.1.x
Fixed in: 3.2.0
ILSpy was deserializing arbitrary objects within ".resources" embedded resources.
Using well-known .NET BinaryFormatter deserialization exploits, a malicious assembly could gain code execution when viewing its resources in ILSpy (for example, when clicking the "Resources" node in the ILSpy tree view).
Resources were also loaded when decompiling an assembly into a Visual Studio project.
If you are using ICSharpCode.Decompiler, you are only affected by this vulnerability if you are using the WholeProjectDecompiler class.
The CSharpDecompiler class does not attempt resource deserialization.
This means the experimental ILSpy integration in Visual Studio is not affected.
Warning: the fix only avoids deserializing such resources in ILSpy.
If you save such an assembly as a Visual Studio project, we will copy the serialized bytes as-is into the .resx file. The .resx file may then gain code execution when you re-compile the project in Visual Studio!
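
An added example, not part of the original issue or ILSpy's code: a pre-build check that lists the `.resx` entries the warning above is about, that is, values stored as serialized object graphs. The mimetype strings are the standard .resx ones rather than values from this issue, and the function names and the sample file are constructed for illustration.

```python
import base64
import binascii
import struct
import xml.etree.ElementTree as ET

# .resx mimetypes whose <value> is handed to a .NET formatter when the file is read.
FORMATTER_MIMETYPES = {
    "application/x-microsoft.net.object.binary.base64": "BinaryFormatter",
    "application/x-microsoft.net.object.soap.base64": "SoapFormatter",
}

def looks_like_nrbf(blob: bytes) -> bool:
    """True if blob starts with an MS-NRBF header record: type 0, version 1.0."""
    return (len(blob) >= 17 and blob[0] == 0
            and blob[9:17] == struct.pack("<ii", 1, 0))

def find_serialized_entries(resx_text: str) -> list:
    """Return one finding per <data> element that carries a serialized object."""
    findings = []
    # Parsing only: nothing in the file is deserialized by this script.
    for data in ET.fromstring(resx_text).iter("data"):
        formatter = FORMATTER_MIMETYPES.get(data.get("mimetype", "").strip().lower())
        if formatter is None:
            continue
        encoded = "".join((data.findtext("value") or "").split())
        try:
            blob = base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError):
            blob = b""  # still reported: the mimetype alone selects the formatter
        findings.append({"name": data.get("name"), "formatter": formatter,
                         "size": len(blob), "nrbf_header": looks_like_nrbf(blob)})
    return findings

# Constructed sample: an inert stream (header record + MessageEnd), no object graph.
INERT_STREAM = b"\x00" + struct.pack("<iiii", 1, -1, 1, 0) + b"\x0b"
SAMPLE_RESX = f"""<root>
  <data name="Title" xml:space="preserve"><value>Hello</value></data>
  <data name="Payload" mimetype="application/x-microsoft.net.object.binary.base64">
    <value>{base64.b64encode(INERT_STREAM).decode()}</value>
  </data>
</root>"""

if __name__ == "__main__":
    for finding in find_serialized_entries(SAMPLE_RESX):
        print(finding)
```

Any finding in a project exported from an untrusted assembly is a reason to remove or replace that entry before opening or building the project in Visual Studio.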