Performing a MITM attack on the .NETGuard desktop application
Code obfuscation is a technique for making it harder for third parties to reverse engineer the inner workings of software. One cloud-based service that provides this kind of protection for .NET applications is .NETGuard, which distributes a desktop application that talks to .NETGuard's API. In this paper, we show that the protocol used by the desktop application has several security flaws. The most serious are that account credentials can be leaked and that the original, unobfuscated binary can be recovered from captured network traffic. Additionally, the protocol performs no integrity verification of the traffic, which allows a Man-in-the-Middle (MITM) attacker to modify packets and send malicious content back to the client.
A video showcase of the attack can be found here.
We expect the reader to have a basic understanding of networking and of network analysis with Wireshark.
The intent of this article is not to determine or conclude whether .NETGuard is a good or a bad obfuscator, nor is it a means of attacking the developer personally. Rather, this paper focuses on critical security issues found within the .NETGuard desktop client and in the communication between the desktop client and the .NETGuard servers. Its main purpose is to raise awareness of the security concerns identified and to inform .NETGuard's users that their data may be at risk.
We have communicated these security issues to the .NETGuard team, but they have fallen on deaf ears. Other than changing the plain-text passwords to a double MD5 hash, no further action was taken; that change does little on its own, since an unsalted hash captured from the wire is still a dictionary-crackable credential. A month on, the vulnerabilities are still unpatched, so we took it upon ourselves to communicate our findings to the community. Now it is for the public to decide whether or not to continue using this software.
The paper is located here: GitLab. It is structured into the following sections:
5.1 Credential Leakage
5.2 Intellectual property theft
5.3 Absence of verification
5.4 Proof of Concept
.NETGuard is a cloud code obfuscation tool that distributes a desktop application for communicating with the remote server. We have shown that, at the time of writing this report, the communication between the application and the server is highly vulnerable to MITM attacks. We demonstrated that with some very rudimentary traffic analysis, an attacker is able to steal account credentials, as well as the intellectual property of the programmer. We also provided a proof of concept showing that the protocol used lacks any form of authentication or verification of the traffic to prevent tampering, allowing an adversary to modify the packets so that the final obfuscated file is replaced with malicious content.
The attacking script and more information can be found in the paper's GitLab repository.
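The three flaw classes summarised above (credential leakage, recovery of the uploaded binary, and a response the client accepts without verification) can be simulated end to end, together with what a response integrity check would change. The following is an added example written for this article; it is not .NETGuard's code and does not reproduce its protocol. The message layout, the reading of "double MD5" as unsalted md5(md5(pw)), the XOR stand-in for obfuscation, the pre-shared key in the hardened variant and all sample data are assumptions made here.

```python
"""Added illustration of the reported flaw classes (credential leakage, recovery of
the uploaded binary, unverified responses).  NOT .NETGuard's code or protocol: the
message format, the 'double MD5' construction, the toy obfuscation step, the
pre-shared key and the sample data below are all assumptions made for this demo."""
import hashlib
import hmac

# Constructed sample data (not captured from any real service).
WORDLIST = ["password", "letmein", "hunter2", "Summer2019!"]
ORIGINAL_BINARY = b"MZ\x90\x00\x03\x00 original-unobfuscated-assembly"
MALICIOUS_BINARY = b"MZ\x90\x00\x03\x00 attacker-supplied-payload"


def double_md5(password: str) -> str:
    """Assumed meaning of 'double MD5': hex(md5(hex(md5(pw)))), no salt."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()

def client_login(username: str, password: str) -> dict:
    """Login message as seen on the wire once only the password field is hashed."""
    return {"user": username, "pwhash": double_md5(password)}

def server_check_login(stored_pwhash: str, msg: dict) -> bool:
    """Server compares the received hash with the stored one: the hash IS the credential."""
    return hmac.compare_digest(stored_pwhash, msg["pwhash"])

def server_obfuscate(binary: bytes) -> bytes:
    """Stand-in for the cloud obfuscation step (a trivial XOR, purely illustrative)."""
    return b"OBF:" + bytes(b ^ 0x5A for b in binary)

# ---- passive observer on the path ----
def crack_double_md5(observed_hash: str, wordlist):
    """Unsalted double MD5 falls to a plain dictionary attack: no salt, no work factor."""
    for candidate in wordlist:
        if double_md5(candidate) == observed_hash:
            return candidate
    return None

# ---- active MITM against an unverified response ----
def server_respond_unverified(upload_msg: dict) -> dict:
    return {"file": server_obfuscate(upload_msg["file"])}

def mitm_swap_file(response: dict, payload: bytes) -> dict:
    """The attacker rewrites the file field in transit; nothing else needs to change."""
    tampered = dict(response)
    tampered["file"] = payload
    return tampered

def client_accept_unverified(response: dict) -> bytes:
    """No integrity check: whatever arrives is what gets written to disk."""
    return response["file"]

# ---- hardened variant: the server authenticates its response ----
# A pre-shared key stands in for what TLS (certificate validation plus a session
# key) would give a real client; the on-path attacker does not hold it.
def server_respond_verified(upload_msg: dict, key: bytes) -> dict:
    out = server_obfuscate(upload_msg["file"])
    return {"file": out, "mac": hmac.new(key, out, "sha256").hexdigest()}

def client_accept_verified(response: dict, key: bytes) -> bytes:
    expected = hmac.new(key, response["file"], "sha256").hexdigest()
    if not hmac.compare_digest(expected, response["mac"]):
        raise ValueError("response failed integrity check; refusing to write file")
    return response["file"]


def run_demo() -> dict:
    """Runs both variants end to end and reports what each party ends up with."""
    stored = double_md5("hunter2")              # what the server holds for user 'dev'
    login = client_login("dev", "hunter2")      # what the sniffer captures
    upload = {"file": ORIGINAL_BINARY}          # the developer's binary, in the clear
    key = b"session-key-known-only-to-client-and-server"

    unverified = client_accept_unverified(
        mitm_swap_file(server_respond_unverified(upload), MALICIOUS_BINARY))
    try:
        client_accept_verified(
            mitm_swap_file(server_respond_verified(upload, key), MALICIOUS_BINARY), key)
        verified_rejected = False
    except ValueError:
        verified_rejected = True

    return {
        "cracked_password": crack_double_md5(login["pwhash"], WORDLIST),
        "replay_accepted": server_check_login(stored, dict(login)),  # replayed as-is
        "recovered_binary": upload["file"],                           # just read it
        "unverified_client_got_payload": unverified == MALICIOUS_BINARY,
        "verified_client_rejected_payload": verified_rejected,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The point of the hardened half is only that integrity protection has to be keyed with something the attacker cannot obtain; in a real client that is a properly validated TLS connection rather than a hard-coded shared secret, which an attacker could extract from the desktop binary.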