Vulnerability Report： BinaryFormatter security vulnerability

[ykytutou]

Risk Class：SinGooCMSUtility/SinGooCMS.Utility/Net/SocketClient.cs

Set up socket communication

server :

client :

Constructing the payload

The ReceiveVarData() method internally first calls the ReceiveFixData() method to read the packet header (8 bytes) of the socket object information, and then calls the GetPacketLength() method to read the length of the bytes in the packet header (int type)
The ReceiveFixData() method will first intercept 8 bytes of information, so 8 bytes must be added before the original payload when constructing the POC.
The GetPacketLength() method reads the packet header information, i.e. the 8 bytes of information needs to contain the byte length (int type) of the original payload, while intercepting the int data type before the ' * ' ending.
Also the Payload source code is converted to a byte array length of 3110 bytes.
A local test of the GetPacketLength() method shows that the 8 bytes of information could be "3110 ****". Int(3110) is the byte length of the original payload.

Simulating the transmission of messages to a socket client

POC implementation using a controlled data transfer from the server to the socket client, i.e. a set payload.

[ykytutou]

The payload here：https://github.com/ykytutou/Payload