csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full
semgrep
Author
unknown
Download Count*
License
Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf
Run Locally
Run in CI
Defintion
rules:
- id: insecure-typefilterlevel-full
severity: WARNING
languages:
- C#
metadata:
cwe:
- "CWE-502: Deserialization of Untrusted Data"
owasp:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
references:
- https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0
- https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html
category: security
technology:
- .net
confidence: LOW
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- "Insecure Deserialization "
message: Using a .NET remoting service can lead to RCE, even if you try to
configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF
https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf
pattern-either:
- patterns:
- pattern-either:
- pattern: new BinaryServerFormatterSinkProvider { TypeFilterLevel = $LEVEL }
- patterns:
- pattern-inside: |
$TYPE $SP = new BinaryServerFormatterSinkProvider(...);
...
- pattern: |
$SP.TypeFilterLevel = $LEVEL
- metavariable-regex:
metavariable: $LEVEL
regex: (.*)TypeFilterLevel\.(Full|Low)
- patterns:
- pattern-inside: |
$DICT["typeFilterLevel"] = $VAL;
...
- pattern: new BinaryServerFormatterSinkProvider(..., $DICT, ...)
- metavariable-regex:
metavariable: $VAL
regex: (\"Full\"|\"Low\")
Examples
insecure-typefilterlevel-full.cs
namespace InsecureDeserialization
{
public class InsecureTypeFilterLevel
{
public void SetTFL(string json)
{
BinaryServerFormatterSinkProvider serverProvider = new BinaryServerFormatterSinkProvider(formatterProps, null);
// ruleid: insecure-typefilterlevel-full
serverProvider.TypeFilterLevel = System.Runtime.Serialization.Formatters.TypeFilterLevel.Full;
// ruleid: insecure-typefilterlevel-full
var provider = new BinaryServerFormatterSinkProvider { TypeFilterLevel = TypeFilterLevel.Full };
var dict = new Hashtable();
dict["typeFilterLevel"] = "Full";
// ruleid: insecure-typefilterlevel-full
BinaryServerFormatterSinkProvider serverProvider2 = new BinaryServerFormatterSinkProvider(dict, null);
}
}
}
Short Link: https://sg.run/rere