oliverbooth.dev/OliverBooth/Pages/PublicServiceAnnouncement/BinaryFormatter.cshtml


@page "/psa/binaryformatter"
<div class="callout" data-callout="danger">
<div class="callout-title"><h2>⚠️ Stop! This application is unsafe!</h2></div>
<p>
This application is using an insecure method to read and write data, and needs to be updated
<em>immediately</em>.
</p>
</div>
<div class="callout" data-callout="warning">
<div class="callout-title">I'm a user, what does this mean?</div>
<p>
If you are seeing this message, it means you loaded a payload that I crafted to exploit this vulnerability. Consider
yourself fortunate, because I could have done much worse, including stealing your data or installing malware on your
computer.
</p>
<p>
If you're seeing this because you loaded my data from a game, it means an attacker can craft a save file that, for
example, steals your Steam credentials and sends them to a remote server. Just because you loaded what seemed to be
a save file!
</p>
<hr/>
<p>
<strong>Do not</strong> load any more data into this application until the developer has addressed this issue.
</p>
</div>
<div class="callout" data-callout="info">
<div class="callout-title">I'm a developer, can you explain more?</div>
<p>
<code>BinaryFormatter</code> is a .NET class used to serialize and deserialize data such as game saves or
configuration files. However, this class is vulnerable to remote code execution whenever it deserializes untrusted
data, such as a save file supplied by someone else.
</p>
</p>
<p>
<strong>Please update your application to use a different serialization method.</strong>
</p>
<hr/>
<p>
For more information, please read the
<a href="https://learn.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide">
official security notice
</a>
from Microsoft.
</p>
</div>
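The migration the developer callout asks for, as an added C# example that is not part of this page or Oliver Booth's code: the `BinaryFormatter` load the PSA warns about, beside a `System.Text.Json` replacement that only ever builds the one type you name. It assumes .NET 6 or later; `SaveGame`, `SaveLoader` and the file paths are hypothetical.

```csharp
// Added example (not from this page): the load pattern the PSA warns about
// beside a System.Text.Json replacement. SaveGame, SaveLoader and the
// file paths are hypothetical; targets .NET 6 or later.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

[Serializable]
public sealed class SaveGame
{
    public string PlayerName { get; set; } = "";
    public int Level { get; set; }
}

public static class SaveLoader
{
    // BEFORE: BinaryFormatter rebuilds whatever object graph the stream describes, so a
    // crafted file decides which types get instantiated. Obsolete since .NET 5 (SYSLIB0011).
#pragma warning disable SYSLIB0011
    public static SaveGame LoadUnsafe(string path)
    {
        using var stream = File.OpenRead(path);
        var formatter = new BinaryFormatter();
        // The cast runs only after the whole graph has been built, so it is not a defence.
        return (SaveGame)formatter.Deserialize(stream);
    }
#pragma warning restore SYSLIB0011

    // AFTER: System.Text.Json populates only the public members of the requested type;
    // type names inside the input are never honoured and unknown properties are ignored.
    private static readonly JsonSerializerOptions Options = new()
    {
        PropertyNameCaseInsensitive = true,
        MaxDepth = 32, // bound nesting so a hostile file cannot exhaust the stack
    };

    public static SaveGame LoadSafe(string path)
    {
        using var stream = File.OpenRead(path);
        return JsonSerializer.Deserialize<SaveGame>(stream, Options)
               ?? throw new InvalidDataException("Save file did not contain a SaveGame object.");
    }

    public static void Save(string path, SaveGame save)
    {
        using var stream = File.Create(path);
        JsonSerializer.Serialize(stream, save, Options);
    }
}
```

Existing saves written with `BinaryFormatter` need a one-off conversion on a trusted machine; do not keep the old loader around as a fallback for "legacy" files, because that leaves the vulnerable path reachable.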