By taking advantage of this unexpected .NET behavior, the researcher found RCE issues in Barracuda Service Center, Ivanti Endpoint Manager, Umbraco 8 CMS, Microsoft PowerShell, and Microsoft SQL Server Integration Services. However, he believes many more products and private enterprise apps are likely vulnerable.
“The most powerful exploitation path arises when applications generate HTTP client proxies from attacker-supplied WSDL files using the ServiceDescriptionImporter class,” he said. “That mechanism alone enabled successful exploitation in products from Barracuda, Ivanti, Microsoft and Umbraco, and it took only a few days of review to find working cases.”
HTTP client proxies can handle non-HTTP protocols
The .NET Framework and ASP.NET are among the most popular programming languages for enterprise applications. When a developer wants their application to communicate with an XML Web Service over HTTP they must create a proxy class that is derived from the built-in HttpWebClientProtocol class.
