csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*

Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf

Run Locally

Run in CI

Defintion

rules:
  - id: insecure-typefilterlevel-full
    severity: WARNING
    languages:
      - C#
    metadata:
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0
        - https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html
      category: security
      technology:
        - .net
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: Using a .NET remoting service can lead to RCE, even if you try to
      configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF
      https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf
    pattern-either:
      - patterns:
          - pattern-either:
              - pattern: new BinaryServerFormatterSinkProvider { TypeFilterLevel = $LEVEL }
              - patterns:
                  - pattern-inside: |
                      $TYPE $SP = new BinaryServerFormatterSinkProvider(...);
                      ...
                  - pattern: |
                      $SP.TypeFilterLevel = $LEVEL
          - metavariable-regex:
              metavariable: $LEVEL
              regex: (.*)TypeFilterLevel\.(Full|Low)
      - patterns:
          - pattern-inside: |
              $DICT["typeFilterLevel"] = $VAL;
              ...
          - pattern: new BinaryServerFormatterSinkProvider(..., $DICT, ...)
          - metavariable-regex:
              metavariable: $VAL
              regex: (\"Full\"|\"Low\")

Examples

insecure-typefilterlevel-full.cs

namespace InsecureDeserialization
{
    public class InsecureTypeFilterLevel
    {
        public void SetTFL(string json)
        {
            BinaryServerFormatterSinkProvider serverProvider = new BinaryServerFormatterSinkProvider(formatterProps, null);

            // ruleid: insecure-typefilterlevel-full
            serverProvider.TypeFilterLevel = System.Runtime.Serialization.Formatters.TypeFilterLevel.Full;

            // ruleid: insecure-typefilterlevel-full
            var provider = new BinaryServerFormatterSinkProvider { TypeFilterLevel = TypeFilterLevel.Full };

            var dict = new Hashtable();
            dict["typeFilterLevel"] = "Full";
            // ruleid: insecure-typefilterlevel-full
            BinaryServerFormatterSinkProvider serverProvider2 = new BinaryServerFormatterSinkProvider(dict, null)
        }
    }
}