More than DoS Progress Telerik UI for ASP.NET AJAX Unsafe Re...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://labs.watchtowr.com/more-than-dos-progress-telerik-ui-for-asp-net-ajax-unsafe-reflection-cve-2025-3600/
• Blog Title: More than DoS: Progress Telerik UI for ASP.NET AJAX Unsafe Reflection (CVE-2025-3600)
• Suggested Section: Pentesting Web -> ASP.NET/.NET -> Telerik UI for ASP.NET AJAX (Unsafe Reflection: WebResource.axd type=iec) or a new page: 'ASP.NET Unsafe Reflection & AssemblyResolve Abuse (Telerik CVE-2025-3600)'

🎯 Content Summary

What: CVE-2025-3600 is an Unsafe Reflection bug (CWE-470) in Progress Telerik UI for ASP.NET AJAX that allows pre-auth instantiation of arbitrary public parameterless .NET types. It was initially labeled DoS, but in many real apps it can be escalated to RCE by abusing target-specific gadgets (e.g., insecure AppDomain assembly resolvers).

Where/Surface: The unauthenticated handler Telerik.Web.UI.WebResource.axd with type=iec (Image Editor cache han...

🔧 Technical Details

Unsafe Reflection via parameterless ctor: Abuse Telerik.Web.UI.WebResource.axd?type=iec with dkey=1 (blog examples sometimes show dtype=1) and attacker-controlled prtype so Type.GetType() + Activator.CreateInstance() construct any public no‑arg type before type checks. Example: /Telerik.Web.UI.WebResource.axd?type=iec&dkey=1&prtype=Your.Type, Your.Assembly.

🎁 DoS via PowerShell WSMan finalizer: Instantiate System.Management.Automation.Remoting.WSManPluginManagedEntryInstanceWrapper; the GC finalizer frees an uninitialized handle and crashes the app. PoC: ...&prtype=System.Management.Automation.Remoting.WSManPluginManagedEntryInstanceWrapper,+System.Management.Automation,+Version%3d3.0.0.0,+Culture%3dneutral,+PublicKeyToken%3d31bf3856ad364e35.

Constructor chains that read attacker input: Target parameterless ctors whose init...

🤖 Agent Actions

I analyzed the blog and the current HackTricks repository, searched for any pre-existing Telerik UI or ASP.NET unsafe reflection/AssemblyResolve abuse content, and did not find any relevant page. I read more than five related files (IIS, DNN, SharePoint, ViewState, SSTI, XSLT) to understand structure and decide the best location.

What I added/changed:

1. Created a new page dedicated to the Telerik UI for ASP.NET AJAX unsafe reflection in WebResource.axd (CVE-2025-3600)

• Path: src/network-services-pentesting/pentesting-web/telerik-ui-aspnet-ajax-unsafe-reflection-webresource-axd.md
• Content includes:
  • Overview and affected surface
  • Affected versions and fixed version (2011.2.712–2025.1.218; fixed in 2025.1.416)
  • Root cause with decompiled flow and an expandable code block
  • Universal DoS via WSManPluginManagedEntryInstanceWrapper gadget PoC
  • Escalation vectors beyond DoS (e.g., constructors that read attacker input, file-backed init, AppDomain.AssemblyResolve abuse)
  • Example Sitecore XP RCE chain utilizing this bug to trigger an insecure resolver
  • Detection/validation and mitigation
  • Related techniques with internal refs to IIS and ViewState pages
  • References to the watchTowr blog, Black Hat 2019 paper, and ZDI blog

2. Linked the new page from the IIS page

• File modified: src/network-services-pentesting/pentesting-web/iis-internet-information-services.md
• Added a concise section “Telerik UI WebResource.axd unsafe reflection (CVE-2025-3600)” with a summary and an internal link to the new page using the correct {{#ref}} syntax.

Tool actions performed:

• Created file:
  • src/network-services-pentesting/pentesting-web/telerik-ui-aspnet-ajax-unsafe-reflection-webresource-axd.md
• Modified file:
  • src/network-services-pentesting/pentesting-web/iis-internet-information-services.md
• Verified and corrected internal references:
  • Ensured the link from the Telerik page to IIS is a same-directory {{#ref}}.
  • Kept ViewState link as a proper relative path (../../pentesting-web/deserialization/...).
• Fetched the blog for verification and details.

No conflicting existing content was found. All changes follow HackTricks style (headings, code blocks, expandable sections, references at end, training banner at top/bottom, internal refs).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://labs.watchtowr.com/more-than-dos-progress-telerik-ui-for-asp-net-ajax-unsafe-reflection-cve-2025-3600/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> ASP.NET/.NET -> Telerik UI for ASP.NET AJAX (Unsafe Reflection: WebResource.axd type=iec) or a new page: 'ASP.NET Unsafe Reflection & AssemblyResolve Abuse (Telerik CVE-2025-3600)'".

Repository Maintenance:

• MD Files Formatting: 902 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

[carlospolop]

merge