
Set decryptionKey for legacy AES/3DES encryption #170

Open: wants to merge 1 commit into base: master

Conversation

hexcat

@hexcat hexcat commented Sep 16, 2024

Ysoserial.net incorrectly skips setting the decryption key for legacy framework versions using the TripleDES or AES validation algorithm, failing to generate a proper ViewState without --isencrypted.

If the target's framework version is .NET <= 4.0 and the validation algorithm is either TripleDES or AES, the ViewState must be encrypted using a legacy algorithm. See this snippet of the GetEncodedData() method from System.Web.Configuration.MachineKeySection:

internal static byte[] GetEncodedData(byte[] buf, byte[] modifier, int start, ref int length)
{
    // ... (hashing/encoding of buf into array2 elided)

    // When the configured validation algorithm is TripleDES or AES,
    // the encoded data is additionally encrypted with the decryption key.
    if (MachineKeySection.s_config.Validation == MachineKeyValidation.TripleDES || MachineKeySection.s_config.Validation == MachineKeyValidation.AES)
    {
        array2 = MachineKeySection.EncryptOrDecryptData(true, array2, modifier, start, length, true);
        length = array2.Length;
    }
    return array2;
}

As can be seen, the method explicitly checks for the TripleDES or AES validation algorithms to encrypt the payload. However, because ysoserial.net does not set the decryption key when the --islegacy argument is not accompanied by --isencrypted, it generates a ViewState encrypted with the AutoGenerate,IsolateApps key, which fails against a target using a static key.

The target can still be exploited using --islegacy --isencrypted, placing the ysoserial.net output into the __VIEWSTATE request parameter, and adding an empty __VIEWSTATEENCRYPTED parameter to signify encryption.

After fixing the issue, the target should also be exploitable by using --islegacy without --isencrypted, placing the ysoserial.net output into the __VIEWSTATE parameter and removing the __VIEWSTATEENCRYPTED parameter (ASP.NET assumes __VIEWSTATE is encrypted for the above algorithms).

To fix this I suggest setting the decryption key in all cases and letting the .NET Framework decide whether to use it, since the above method already checks for the specific validation algorithms.

This should resolve #122, #150 and #166.

@hexcat
Author

hexcat commented Sep 16, 2024

To clarify, with .NET <= 4.0 and the TripleDES or AES validation algorithm, __VIEWSTATE must be encrypted regardless of the --isencrypted parameter. Without --isencrypted it should be encrypted with GetEncodedData() and used without __VIEWSTATEENCRYPTED; otherwise it should be encrypted with EncryptOrDecryptData() and used with __VIEWSTATEENCRYPTED.

Successfully merging this pull request may close these issues.

The problem of deserializing AES\3DES in Viewstate
1 participant