JustDecompile Resources Security Vulnerability

Problem

Decompiling a compiled .NET object (such as a DLL or EXE) that contains an embedded resource file can execute code when the user clicks on the resource.

Description

  • JustDecompile 2018.2.605.0 and older
  • JustAssembly 2018.1.323.2 and older

Root Cause

This report includes .NET deserialization issues within the ‘System.Resources’ namespace in ‘System.Windows.Forms’.

Microsoft resource files (.resx) and their compiled version (.resources) can contain serialized objects. However, there is no protection against code execution via deserialization as object types cannot be determined in advance. As a result, all applications that use .NET libraries to read, compile, or decompile resource files are vulnerable. This includes but is not limited to Visual Studio (opening or compiling the resource files), Blend for Visual Studio (opening or compiling the resource files), Dynamic 365, ASP.NET applications on IIS (which allows resource file upload in arbitrary folders), Resgen.exe (Resource File Generator), and Winres.exe (Windows Forms Resource Editor).

Resource files (.resx) are based on XML. It should be noted that some parsers could also be vulnerable to XXE attacks when reading the resource files using normal XML libraries. By default, the ResXResourceReader class uses XmlTextReader that does not process the DTD part.
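A defender can inspect an untrusted .resx file as plain XML before opening it in any tool that uses the .NET resource readers. The following is an added example, not code from Telerik or from the original report: it rejects documents that carry a DTD and lists entries that embed serialized or typed objects. The function name, the sample file and the reporting format are assumptions; the MIME types are the ones the .resx format uses for embedded objects.

```python
import xml.etree.ElementTree as ET

# MIME types that mark a .resx entry as an embedded object rather than plain text.
OBJECT_MIMETYPES = {
    "application/x-microsoft.net.object.binary.base64",
    "application/x-microsoft.net.object.soap.base64",
    "application/x-microsoft.net.object.bytearray.base64",
}

def triage_resx(text):
    """Return (entry name, reason) findings for a .resx document given as str."""
    # Refuse DTDs outright so this script never expands an entity itself.
    if "<!doctype" in text.lower():
        return [("(document)", "contains a DTD")]
    findings = []
    root = ET.fromstring(text)
    for node in root.iter():
        if node.tag not in ("data", "metadata"):
            continue
        name = node.get("name", "(unnamed)")
        mimetype = (node.get("mimetype") or "").strip().lower()
        type_name = (node.get("type") or "").split(",")[0].strip()
        if mimetype in OBJECT_MIMETYPES:
            findings.append((name, "serialized object: " + mimetype))
        elif mimetype:
            findings.append((name, "unrecognized mimetype: " + mimetype))
        elif type_name and type_name != "System.String":
            # A typed entry is built through a type converter or a file reference.
            findings.append((name, "typed entry: " + type_name))
    return findings

# Constructed sample: one plain string and one entry flagged as an object blob.
# The base64 value is a meaningless placeholder, not a real serialized object.
SAMPLE_RESX = """<?xml version="1.0" encoding="utf-8"?>
<root>
  <data name="Greeting" xml:space="preserve">
    <value>Hello</value>
  </data>
  <data name="Icon" mimetype="application/x-microsoft.net.object.binary.base64">
    <value>AAAA</value>
  </data>
</root>"""

if __name__ == "__main__":
    for name, reason in triage_resx(SAMPLE_RESX):
        print(name + ": " + reason)
```

An empty result means only that the file holds plain string entries; compiled .resources files are a binary format and are not covered by this check.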

Solution

The user is now notified to only decompile resource files from sources they trust. You have to update to the latest version.

Notes

We would like to thank Soroush Dalili from NCC Group for responsibly disclosing this vulnerability to us and helping in its resolution.

External References

CVE-2018-15122
