Security issue with .NET code execution on server

Stimulsoft Reports.NET discussion
Post Reply
olegtr
Posts: 16
Joined: Mon Mar 07, 2011 10:14 am

Security issue with .NET code execution on server

Post by olegtr »

Hi,
We're using Reports.NET. We compile and render reports within our backend server running as Windows Service.
Our security engineers managed to embed malicious code within the code of a report and get access to the server from outside.

Here is the simplest example of a malicious code that can access the local file system on the server.

Code: Select all

namespace Reports
{
    public class Report : Stimulsoft.Report.StiReport
    {
        public Report()        {
            	this.InitializeComponent();
			
		string filePath = "c:/report.txt";
		string fileContent = "This is sample content.";
		File.WriteAllText(filePath, fileContent); 
        }

        #region StiReport Designer generated code - do not modify
	#endregion StiReport Designer generated code - do not modify
    }
}
The above code is executed when we're compiling the report using StiReport.Compile();
Basically, you can run any code that can do very bad stuff on the server, including starting a reverse shell.

Is there anything that could be done to limit the report's code so that it would not be able to access any local computer resources?

I tried setting "Stimulsoft.Report.StiOptions.Engine.FullTrust = false;" before the report's compilation but the "StiReport.Compile();" just stopped compiling any report, even w/o any malicious code, no errors, just no compiled report prepared.

Any help would be appreciated.
Lech Kulikowski
Posts: 6081
Joined: Tue Mar 20, 2018 5:34 am

Re: Security issue with .NET code execution on server

Post by Lech Kulikowski »

Hello,

You can set the CalculationMode property of the report to Interpretation to avoid using any code in the report.

Thank you.
olegtr
Posts: 16
Joined: Mon Mar 07, 2011 10:14 am

Re: Security issue with .NET code execution on server

Post by olegtr »

Thanks, Lech.

Using the Interpretation calculation mode indeed does not run the C# code anymore. That's great but there are issues now with groupings and conditions.
For example, a simple use of {Count()} expression in a Group Header Band stopped working.

We're using Reports.NET 2014.2 version.

Appreciate your help.
Lech Kulikowski
Posts: 6081
Joined: Tue Mar 20, 2018 5:34 am

Re: Security issue with .NET code execution on server

Post by Lech Kulikowski »

Hello,

Please check the last release build. In the 2014.x.x version, the Interpretation mode was relatively new.

Thank you.
Post Reply