Skip to content

More than DoS Progress Telerik UI for ASP.NET AJAX Unsafe Re... #1504

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 25, 2025
Merged

More than DoS Progress Telerik UI for ASP.NET AJAX Unsafe Re... #1504

merged 1 commit into from
Oct 25, 2025
+223 −0

Conversation

@carlospolop
Copy link
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What: CVE-2025-3600 is an Unsafe Reflection bug (CWE-470) in Progress Telerik UI for ASP.NET AJAX that allows pre-auth instantiation of arbitrary public parameterless .NET types. It was initially labeled DoS, but in many real apps it can be escalated to RCE by abusing target-specific gadgets (e.g., insecure AppDomain assembly resolvers).

Where/Surface: The unauthenticated handler Telerik.Web.UI.WebResource.axd with type=iec (Image Editor cache han...

🔧 Technical Details

Unsafe Reflection via parameterless ctor: Abuse Telerik.Web.UI.WebResource.axd?type=iec with dkey=1 (blog examples sometimes show dtype=1) and attacker-controlled prtype so Type.GetType() + Activator.CreateInstance() construct any public no‑arg type before type checks. Example: /Telerik.Web.UI.WebResource.axd?type=iec&dkey=1&prtype=Your.Type, Your.Assembly.

🎁 DoS via PowerShell WSMan finalizer: Instantiate System.Management.Automation.Remoting.WSManPluginManagedEntryInstanceWrapper; the GC finalizer frees an uninitialized handle and crashes the app. PoC: ...&prtype=System.Management.Automation.Remoting.WSManPluginManagedEntryInstanceWrapper,+System.Management.Automation,+Version%3d3.0.0.0,+Culture%3dneutral,+PublicKeyToken%3d31bf3856ad364e35.

Constructor chains that read attacker input: Target parameterless ctors whose init...

🤖 Agent Actions

I analyzed the blog and the current HackTricks repository, searched for any pre-existing Telerik UI or ASP.NET unsafe reflection/AssemblyResolve abuse content, and did not find any relevant page. I read more than five related files (IIS, DNN, SharePoint, ViewState, SSTI, XSLT) to understand structure and decide the best location.

What I added/changed:

  1. Created a new page dedicated to the Telerik UI for ASP.NET AJAX unsafe reflection in WebResource.axd (CVE-2025-3600)
  • Path: src/network-services-pentesting/pentesting-web/telerik-ui-aspnet-ajax-unsafe-reflection-webresource-axd.md
  • Content includes:
    • Overview and affected surface
    • Affected versions and fixed version (2011.2.712–2025.1.218; fixed in 2025.1.416)
    • Root cause with decompiled flow and an expandable code block
    • Universal DoS via WSManPluginManagedEntryInstanceWrapper gadget PoC
    • Escalation vectors beyond DoS (e.g., constructors that read attacker input, file-backed init, AppDomain.AssemblyResolve abuse)
    • Example Sitecore XP RCE chain utilizing this bug to trigger an insecure resolver
    • Detection/validation and mitigation
    • Related techniques with internal refs to IIS and ViewState pages
    • References to the watchTowr blog, Black Hat 2019 paper, and ZDI blog
  1. Linked the new page from the IIS page
  • File modified: src/network-services-pentesting/pentesting-web/iis-internet-information-services.md
  • Added a concise section “Telerik UI WebResource.axd unsafe reflection (CVE-2025-3600)” with a summary and an internal link to the new page using the correct {{#ref}} syntax.

Tool actions performed:

  • Created file:
    • src/network-services-pentesting/pentesting-web/telerik-ui-aspnet-ajax-unsafe-reflection-webresource-axd.md
  • Modified file:
    • src/network-services-pentesting/pentesting-web/iis-internet-information-services.md
  • Verified and corrected internal references:
    • Ensured the link from the Telerik page to IIS is a same-directory {{#ref}}.
    • Kept ViewState link as a proper relative path (../../pentesting-web/deserialization/...).
  • Fetched the blog for verification and details.

No conflicting existing content was found. All changes follow HackTricks style (headings, code blocks, expandable sections, references at end, training banner at top/bottom, internal refs).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop
Copy link
Collaborator Author

🔗 Additional Context

Original Blog Post: https://labs.watchtowr.com/more-than-dos-progress-telerik-ui-for-asp-net-ajax-unsafe-reflection-cve-2025-3600/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> ASP.NET/.NET -> Telerik UI for ASP.NET AJAX (Unsafe Reflection: WebResource.axd type=iec) or a new page: 'ASP.NET Unsafe Reflection & AssemblyResolve Abuse (Telerik CVE-2025-3600)'".

Repository Maintenance:

  • MD Files Formatting: 902 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Copy link
Collaborator Author

merge

@carlospolop carlospolop merged commit 618bb3b into master Oct 25, 2025
@carlospolop carlospolop deleted the update_More_than_DoS__Progress_Telerik_UI_for_ASP_NET_AJA_20251017_182837 branch October 25, 2025 22:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@carlospolop