
SOAPwn essentially allows attackers to abuse Web Services Description Language (WSDL) imports and HTTP client proxies to execute arbitrary code in products built on the foundations of .NET due to errors in the way they handle Simple Object Access Protocol (SOAP) messages. "It is usually abusable through SOAP clients, especially if they are dynamically created from the attacker-controlled WSDL," Bazydlo said.
To make matters worse, it can be used to overwrite existing files since the attacker controls the full write path. In a hypothetical attack scenario, a threat actor could leverage this behavior to supply a Universal Naming Convention (UNC) path (e.g., "file://attacker.server/poc/poc") and cause the SOAP request to be written to an SMB share under their control. This, in turn, can allow an attacker to capture the NTLM challenge and crack it.
A vulnerability codenamed SOAPwn enables abuse of WSDL imports and HTTP client proxies in .NET-based products by exploiting incorrect handling of SOAP messages. SOAP clients generated dynamically from attacker-controlled WSDL files are especially susceptible. .NET Framework HTTP client proxies can be coerced into using file:// URLs to perform arbitrary file writes, including overwriting existing files, because the attacker controls the full write path. An attacker can supply a UNC path so that the SOAP request is written to an SMB share they control, enabling NTLM challenge capture and cracking. A more powerful vector exists when applications generate HTTP client proxies from WSDL using ServiceDescriptionImporter. Multiple enterprise products are affected, and more vendors may be at risk.
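The root of the issue described above is that the endpoint address a generated SOAP client will talk to is taken from data the attacker controls, so the client can be pointed at a file:// URL or a UNC path instead of an HTTP service. The following is an added defensive example, not code from The Hacker News, from Bazydlo's research, or from any affected product: a small guard that validates a WSDL-supplied endpoint before a dynamically generated .NET proxy is allowed to use it. The class name `SoapEndpointGuard`, the method `IsSafeEndpoint`, the host allow-list, and all sample URLs other than the page's own `file://attacker.server/poc/poc` are assumptions constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;

// Added example (hypothetical names): validate the endpoint URL of a SOAP client
// that was generated from a WSDL, so that a WSDL-supplied address cannot steer
// the client to a file:// URL or a UNC path. Call this before assigning the
// proxy's endpoint (for example the Url property of a generated
// SoapHttpClientProtocol subclass) and before the first request is sent.
public static class SoapEndpointGuard
{
    // Only these transport schemes are acceptable for a SOAP endpoint.
    private static readonly HashSet<string> AllowedSchemes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            Uri.UriSchemeHttp,
            Uri.UriSchemeHttps
        };

    // Returns true only for an absolute http(s) URL whose host is on the allow-list.
    // 'reason' explains a rejection so it can be logged for detection purposes.
    public static bool IsSafeEndpoint(string candidate, ISet<string> allowedHosts, out string reason)
    {
        reason = null;
        if (string.IsNullOrWhiteSpace(candidate))
        {
            reason = "empty endpoint";
            return false;
        }

        // Reject raw UNC notation (\\server\share or //server/share) before URI
        // parsing; System.Uri would otherwise accept it as a file URI.
        string trimmed = candidate.Trim();
        if (trimmed.StartsWith(@"\\") || trimmed.StartsWith("//"))
        {
            reason = "UNC path is not a valid SOAP endpoint";
            return false;
        }

        if (!Uri.TryCreate(trimmed, UriKind.Absolute, out Uri uri))
        {
            reason = "not an absolute URI";
            return false;
        }

        // file:// and UNC-style URIs are exactly what turns a SOAP request into a
        // file write on a path the attacker chooses.
        if (uri.IsFile || uri.IsUnc || !AllowedSchemes.Contains(uri.Scheme))
        {
            reason = "scheme '" + uri.Scheme + "' is not allowed (only http/https)";
            return false;
        }

        // Even an http(s) URL must point at a host the application expects;
        // otherwise the request (and any credentials on it) leaves the trust boundary.
        if (!allowedHosts.Contains(uri.Host))
        {
            reason = "host '" + uri.Host + "' is not on the endpoint allow-list";
            return false;
        }

        return true;
    }

    public static void Main()
    {
        // Constructed allow-list for the demonstration.
        var allowedHosts = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "soap.example.internal"
        };

        // Constructed candidate endpoints, including the file:// and UNC forms
        // that the vulnerability description says a malicious WSDL can supply.
        string[] candidates =
        {
            "https://soap.example.internal/Service.asmx",
            "http://soap.example.internal/Service.asmx",
            "file://attacker.server/poc/poc",
            @"\\attacker.server\poc\poc",
            "https://attacker.example/Service.asmx",
            "ftp://soap.example.internal/Service.asmx"
        };

        foreach (string c in candidates)
        {
            bool ok = IsSafeEndpoint(c, allowedHosts, out string why);
            Console.WriteLine((ok ? "ALLOW " : "DENY  ") + c + (ok ? "" : "  (" + why + ")"));
        }
    }
}
```

Running the program allows only the two `soap.example.internal` http(s) entries and rejects the file://, UNC, foreign-host and ftp:// candidates with a reason string. The `reason` value is intended for logging: a generated proxy being handed a file:// or UNC endpoint is a strong signal that a WSDL from an untrusted source reached the importer, which is worth alerting on in its own right.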
Read at The Hacker News