CVE-2021-23758
📋 TL;DR
CVE-2021-23758 is a deserialization vulnerability in AjaxPro.2 that allows attackers to execute arbitrary .NET code by sending malicious serialized objects. This affects all versions of the AjaxPro.2 package prior to the fix, enabling remote code execution on vulnerable systems. Any application using AjaxPro.2 for AJAX functionality is potentially vulnerable.
💻 Affected Systems
- Ajax.NET Professional (AjaxPro.2)
📦 What is this software?
Ajaxpro.2 by Ajaxpro.2 Project
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution with SYSTEM/administrator privileges leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Remote code execution with application pool privileges, allowing file system access, data exfiltration, and further exploitation of the server.
If Mitigated
Attack blocked at network perimeter or application firewall; no impact if proper input validation and deserialization controls are implemented.
🎯 Exploit Status
Public exploit code available; exploitation requires sending specially crafted serialized objects to AjaxPro.2 endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit b0e63be5f0bb20dfce507cb8a1a9568f6e73de57 and later versions
Vendor Advisory: https://github.com/michaelschwarz/Ajax.NET-Professional/commit/b0e63be5f0bb20dfce507cb8a1a9568f6e73de57
Restart Required: Yes
Instructions:
1. Update the AjaxPro.2 package to the latest version.
2. Replace the vulnerable AjaxPro.2.dll with the patched version.
3. Restart IIS / the application pool.
4. Verify that no custom serialization handlers remain vulnerable.
🔧 Temporary Workarounds
Disable AjaxPro.2 handlers
Windows: Remove or disable the AjaxPro.2 HTTP handlers in web.config to prevent exploitation.
Edit web.config: remove <add verb="*" path="ajaxpro/*.ashx" type="AjaxPro.AjaxHandlerFactory, AjaxPro.2" /> from the <httpHandlers> section (and the matching <add> entry under <system.webServer><handlers> if the site runs in the IIS integrated pipeline, since that section, not <httpHandlers>, is the one the integrated pipeline reads).
Implement input validation filter
Windows: Add request filtering to block malicious serialized payloads before they reach the AjaxPro.2 handlers.
Implement a custom HTTP module or global.asax logic to inspect and reject requests containing suspicious serialization patterns.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable applications from critical systems
- Deploy web application firewall (WAF) with rules to detect and block deserialization attacks
🔍 How to Verify
Check if Vulnerable:
Check web.config for an AjaxPro.2 handler registration and verify that the installed AjaxPro.2.dll predates the fix (all versions before the fix commit are vulnerable).
Check Version:
Check the DLL properties, or in PowerShell use: [System.Reflection.Assembly]::LoadFrom("AjaxPro.2.dll").GetName().Version (or [System.Reflection.AssemblyName]::GetAssemblyName("AjaxPro.2.dll").Version, which reads the version without loading the assembly into the PowerShell process).
Verify Fix Applied:
Verify that the AjaxPro.2.dll file version has been updated after patching, and confirm that known exploit payloads are rejected.
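The two config-level checks above, finding the AjaxPro.2 handler registration in web.config and the workaround of removing it, as an added Python example that is not part of this advisory. The sample web.config is constructed, and the Contoso handler in it is a placeholder showing that unrelated handlers are preserved:

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the page): AjaxPro.2 handler registered in both pipelines
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="ajaxpro/*.ashx" type="AjaxPro.AjaxHandlerFactory, AjaxPro.2" />
      <add verb="*" path="*.report" type="Contoso.ReportHandler, Contoso.Web" />
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="AjaxPro" verb="*" path="ajaxpro/*.ashx" type="AjaxPro.AjaxHandlerFactory, AjaxPro.2" />
    </handlers>
  </system.webServer>
</configuration>
"""

HANDLER_SECTIONS = ("httpHandlers", "handlers")  # classic and integrated IIS pipeline sections

def _is_ajaxpro(add):
    # type="Namespace.Type, Assembly": match on the type name, not the path attribute
    return add.get("type", "").split(",")[0].strip().startswith("AjaxPro.")

def find_ajaxpro_handlers(config_xml):
    """Return (section, path, type) for every AjaxPro handler registration found."""
    root = ET.fromstring(config_xml)
    return [(section.tag, add.get("path", ""), add.get("type"))
            for section in root.iter() if section.tag in HANDLER_SECTIONS
            for add in section.findall("add") if _is_ajaxpro(add)]

def remove_ajaxpro_handlers(config_xml):
    """Apply the workaround: drop AjaxPro registrations, keep all other handlers.
    Returns (hardened_config_xml, number_removed)."""
    root = ET.fromstring(config_xml)
    removed = 0
    for section in [e for e in root.iter() if e.tag in HANDLER_SECTIONS]:
        for add in list(section.findall("add")):
            if _is_ajaxpro(add):
                section.remove(add)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed

if __name__ == "__main__":
    for hit in find_ajaxpro_handlers(SAMPLE_WEB_CONFIG):
        print("vulnerable handler registered:", hit)
    hardened, n = remove_ajaxpro_handlers(SAMPLE_WEB_CONFIG)
    print(f"removed {n} registration(s); remaining: {find_ajaxpro_handlers(hardened)}")
```

Run it against a real web.config by reading the file into the functions instead of SAMPLE_WEB_CONFIG; removing the handler disables all AjaxPro functionality for that site, which is the point of the workaround.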
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /ajaxpro/*.ashx with unusual payloads
- Request bodies containing serialized .NET objects (note that standard IIS W3C logs do not record request bodies; this requires Failed Request Tracing, a reverse proxy, or a WAF that logs POST data)
- Application errors related to deserialization failures
Network Indicators:
- HTTP POST requests containing serialized .NET types to AjaxPro endpoints
- Unusual outbound connections from web server post-exploitation
SIEM Query:
source="IIS" AND (url="*ajaxpro*" AND (body="*TypeName*" OR body="*ObjectStateFormatter*"))
🔗 References
- http://packetstormsecurity.com/files/175677/AjaxPro-Deserialization-Remote-Code-Execution.html
- https://github.com/michaelschwarz/Ajax.NET-Professional/commit/b0e63be5f0bb20dfce507cb8a1a9568f6e73de57
- https://snyk.io/vuln/SNYK-DOTNET-AJAXPRO2-1925971