CVE-2021-23758
Published: 2021-12-03
Priority: P1 · 85 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 88.77% (99.8th percentile)
All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code execution.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ajaxpro.2_project | ajaxpro.2 | < unspecified | unspecified |
| ajaxpro.2_project | ajaxpro.2 | < 21.10.30.1 | 21.10.30.1 |
Detection & IOCs (extracted from sources)
- URL path: /ajaxpro/
- Request body bytes: |5f 5f|type (the ASCII string "__type")
Snort/Suricata rule:
```snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT AjaxPro RCE Attempt (CVE-2021-23758)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajaxpro/"; fast_pattern; http.request_body; content:"|5f 5f|type"; content:"Object"; nocase; reference:url,twitter.com/sirifu4k1/status/1470647490; reference:cve,2021-23758; classtype:attempted-admin; sid:2034729; rev:2; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_23758, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_12_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```
- Exploit traffic is an HTTP POST request to a URI containing '/ajaxpro/' with a JSON body containing the '__type' key (bytes 5f 5f followed by 'type') and the string 'Object' (case-insensitive). Monitor for this pattern on inbound web traffic.
- A vulnerable default method exists in the AjaxPro namespace for versions prior to 21.10.30.1, allowing deserialization without any custom code. Post-patch, exploitation is still possible if any custom method accepts a parameter of a type assignable from ObjectDataProvider (e.g., 'object').
- The exploit constructs malicious JSON data sent to the target, which is deserialized by the AjaxPro JsonDeserializer. Inspect JSON POST bodies to /ajaxpro/ endpoints for unexpected '__type' fields referencing .NET types such as ObjectDataProvider.
- Versions prior to 21.10.30.1 are vulnerable via a built-in default method. Version 21.10.30.1 removed the vulnerable method but remains exploitable if any custom application method accepts a parameter type assignable from ObjectDataProvider.
- The Snort/ET rule (sid:2034729) targets perimeter and internal deployment and is classified as high confidence / major severity. Ensure it is deployed on both network perimeters and internal segments.
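To make the rule's conditions concrete for triage, here is an added Python example (not from the page, the ET ruleset or the AjaxPro project) that re-implements the match logic of sid:2034729 over constructed HTTP requests and also pulls out every '__type' value from the JSON body so an analyst can compare them against the application's own DTO types. The request samples, paths and type names are constructed for illustration.

```python
import json
from typing import Any

# Constructed sample requests (not from the page): (method, uri, body).
SAMPLE_REQUESTS = [
    ("POST", "/ajaxpro/MyApp.Orders,MyApp.ashx",
     b'{"p": {"__type": "ObjectDataProvider"}}'),                 # rule hit
    ("POST", "/ajaxpro/MyApp.Orders,MyApp.ashx",
     b'{"p": {"__type": "MyApp.OrderDto", "Qty": 2}}'),           # __type, but no "Object"
    ("POST", "/ajaxpro/MyApp.Orders,MyApp.ashx",
     b'{"p": {"__type": "system.object"}}'),                      # nocase hit
    ("GET", "/ajaxpro/core.ashx", b""),                           # wrong method
    ("POST", "/api/orders", b'{"__type": "ObjectDataProvider"}'), # wrong URI
]

def matches_et_2034729(method: str, uri: str, body: bytes) -> bool:
    """Mirror of the ET rule's conditions: POST, '/ajaxpro/' in the URI,
    bytes 5f 5f 'type' ('__type') in the body, and 'Object' anywhere in
    the body, case-insensitive (the rule's 'nocase')."""
    return (method == "POST"
            and "/ajaxpro/" in uri
            and b"\x5f\x5ftype" in body
            and b"object" in body.lower())

def type_hints(body: bytes) -> list[str]:
    """Collect every '__type' value in a JSON body, recursively, for
    comparison against the types the application legitimately accepts."""
    try:
        doc = json.loads(body)
    except ValueError:          # not JSON (or empty): nothing to report
        return []
    found: list[str] = []
    def walk(node: Any) -> None:
        if isinstance(node, dict):
            if isinstance(node.get("__type"), str):
                found.append(node["__type"])
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
    walk(doc)
    return found

def scan(requests=SAMPLE_REQUESTS) -> list[tuple[int, bool, list[str]]]:
    """Return (index, rule_hit, __type values) for each request."""
    return [(i, matches_et_2034729(m, u, b), type_hints(b))
            for i, (m, u, b) in enumerate(requests)]

if __name__ == "__main__":
    for i, hit, hints in scan():
        print(i, "ALERT" if hit else "ok", hints)
```

Note that the second sample carries a '__type' key but no 'Object' substring, so the network rule stays silent; the type_hints output is what catches unexpected type names the rule's two string matches do not cover.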
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
OSV
Duplicate Advisory: Remote Code Execution in AjaxNetProfessional
osv · 2021-12-16 · CVE-2021-23758 [CRITICAL]
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-6r7c-6w96-8pvw. This link is maintained to preserve external references.
## Original Description
All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code execution.
GHSA
Remote Code Execution in AjaxNetProfessional
ghsa · 2021-12-07 · CVE-2021-23758 [CRITICAL] · CWE-502
### Overview
Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code execution.
### Description
Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java
OSV
Remote Code Execution in AjaxNetProfessional
osv · 2021-12-07 · CVE-2021-23758 [CRITICAL]
Suricata
ET EXPLOIT AjaxPro RCE Attempt (CVE-2021-23758)
suricata · 2021-12-14 · CVE-2021-23758 [HIGH] · CVSS 8.1
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/175677/AjaxPro-Deserialization-Remote-Code-Execution.html
- https://github.com/michaelschwarz/Ajax.NET-Professional/commit/b0e63be5f0bb20dfce507cb8a1a9568f6e73de57
- https://snyk.io/vuln/SNYK-DOTNET-AJAXPRO2-1925971