Security Advisory
Unauthenticated Remote Code Execution in Ajax.NET Professional
By exploiting weaknesses in the custom deserializer, adversaries can gain remote code execution.
Advisory ID: MLSA-2021-004
CVE: CVE-2021-23758
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity: critical
Affected versions: < 21.12.21.1
Fixed versions: 21.11.29.1
Discovered by: Hans-Martin Münch
CVE: CVE-2021-23758
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity: critical
Affected versions: < 21.12.21.1
Fixed versions: 21.11.29.1
Discovered by: Hans-Martin Münch
Product description
Ajax.NET Professional (AjaxPro) is one of the first AJAX frameworks available for Microsoft ASP.NET.
The framework will create proxy JavaScript classes that are used on client-side to invoke methods on the web server with full data type support working on all common web browsers including mobile devices. Return your own classes, structures, DataSets, enums,… as you are doing directly in .NET.
Details
A detailed description of the vulnerability can be found on our blog post “Vulnerability Spotlight: RCE in Ajax.NET Professional” (see references).
Coordinated Disclosure Timeline
- 25/10/2021 Issue reported to the Ajax.NET Professional project.
- 26/10/2021 Confirmation by the Ajax.NET Professional developers.
- 27/10/2021 Questions the Ajax.NET Professional developers, first suggested fixes.
- 27/10/2021 Additional details from MOGWAI LABS, feedback for the provided fixes.
- 29/11/2021 Reporting of additional issues, provided by Markus Wulftange (Code White GmbH).
- 26/10/2021 Acknowledgement the Ajax.NET Professional developers.
- 05/12/2021 Public disclosure through the Ajax.NET Professional developers.
- 18/01/2022 MOGWAI LABS blog post with vulnerability details.