LINQPad Unsafe Deserialization Vulnerability Leading to Code Execution

Vulnerability

An unsafe deserialization vulnerability has been identified in LINQPad Pro edition versions prior to 5.52.01. The issue arises in the LINQPad.AutoRefManager::PopulateFromCache() method, which deserializes user-controlled data and can thereby lead to arbitrary code execution. The affected application is widely used, with over 5 million downloads and a significant corporate user base, including Microsoft.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the user's machine.

Reproduction

The vulnerability can be reproduced by generating a serialized payload with ysoserial.net targeting BinaryFormatter deserialization and saving it to the specific cache file location within the user's local app data folder. When LINQPad is launched, the application deserializes the payload and executes the embedded command, such as opening the calculator application.
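The pattern the advisory describes, a cache file under local app data fed straight into BinaryFormatter, shown beside a hardened version. This is an added illustration in C#, not LINQPad's code; the RefCache type, the ExampleApp folder and the file name are assumptions, and the snippet targets .NET Framework, where BinaryFormatter is still enabled by default.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

[Serializable]
public sealed class RefCache               // hypothetical cache record
{
    public string AssemblyPaths = "";      // semicolon-separated list
    public long SavedAtTicks;
}

public static class CacheLoader
{
    // Hypothetical location; the advisory only says "within the user's local app data folder".
    static readonly string CachePath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "ExampleApp", "refcache.bin");

    // UNSAFE: BinaryFormatter instantiates whatever types the stream names, so a
    // file any local process can write to may run attacker-chosen code before this returns.
    public static RefCache LoadUnsafe()
    {
        using (var fs = File.OpenRead(CachePath))
            return (RefCache)new BinaryFormatter().Deserialize(fs);
    }

    // A binder that refuses every type except the one the cache is expected to hold.
    // This blocks the public gadget chains, but Microsoft's guidance is that BinaryFormatter
    // cannot be made safe; the durable fix is a different format such as System.Text.Json.
    sealed class OnlyRefCacheBinder : SerializationBinder
    {
        public override Type BindToType(string assemblyName, string typeName)
        {
            if (typeName == typeof(RefCache).FullName) return typeof(RefCache);
            throw new SerializationException("Refusing to deserialize type '" + typeName + "'");
        }
    }

    // Hardened: missing cache is treated as empty, and only RefCache may be materialised.
    public static RefCache LoadHardened()
    {
        if (!File.Exists(CachePath)) return new RefCache();
        using (var fs = File.OpenRead(CachePath))
        {
            var formatter = new BinaryFormatter { Binder = new OnlyRefCacheBinder() };
            return (RefCache)formatter.Deserialize(fs);
        }
    }
}
```

A tampered cache that names any other type now fails with a SerializationException at load time instead of executing, and that exception is a useful signal to log.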

Remediation

Users can upgrade to LINQPad version 5.52.01 or later to address this vulnerability.

Added: May 8, 2026, 6:21 AM
Updated: May 8, 2026, 6:21 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 3.8
remediation: 0.0
relevance: 7.8
threat: 6.5
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.