Microsoft .NET Framework Remote Code Execution

September 27, 2017

Microsoft .NET Framework is prone to a critical remote code execution vulnerability. When the WSDL parser handles data from a crafted document file, the IsValidUrl function does not check the URL properly and lets malicious URLs pass validation, which leads to a code injection vulnerability. By exploiting this vulnerability, a remote attacker could execute arbitrary code as the administrator.

This vulnerability is triggered in wsdlparser.cs in the System.Runtime.Remoting package (http://referencesource.microsoft.com/#System.Runtime.Remoting/metadata/wsdlparser.cs). IsValidUrl is called to validate the user-provided URL. After the first URL has been detected, this function automatically adds the string “//base.ConfigureProxy(this.GetType(),” in front of each later URL, so that the later part is commented out in the generated code.


Figure 1: The vulnerable function

However, if the data contains a CRLF, the part of the URL after the line break is not commented out. If the injected code contains a call to System.Diagnostics.Process.Start, it is compiled by the .NET Framework and is eventually delivered into the resulting DLL and executable.


Figure 2: The exploit code
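
The comment break-out described above can be checked for on the defensive side. The following is an added example, not code from the original page and not SonicWall's signature logic: it scans the raw text of a WSDL document for URL attributes that carry a line terminator, and uses a simplified model of the generated comment line to show which text would fall outside the comment. The function names, the sample document and the assumption that the URL arrives in a `location` attribute of a `soap:address` element are illustrative.

```python
import re

# Characters the C# compiler treats as line terminators; any of them ends a "//" comment.
LINE_TERMINATORS = "\r\n\u0085\u2028\u2029"
# Matched on raw text: a conformant XML parser normalizes literal line breaks
# inside attribute values to spaces, which would hide them from this check.
LOCATION_ATTR = re.compile(r"""\blocation\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.I)
CHARREF = re.compile(r"&#(?:x([0-9A-Fa-f]+)|([0-9]+));")


def _decode_charref(m):
    cp = int(m.group(1), 16) if m.group(1) else int(m.group(2))
    return chr(cp) if cp <= 0x10FFFF else "\ufffd"


def find_suspicious_locations(wsdl_text):
    """Return decoded location values that contain a line terminator."""
    hits = []
    for m in LOCATION_ATTR.finditer(wsdl_text):
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        value = CHARREF.sub(_decode_charref, raw)  # resolve &#10; / &#xD; forms
        if any(ch in LINE_TERMINATORS for ch in value):
            hits.append(value)
    return hits


def lines_outside_comment(url):
    """Simplified model (assumption) of the generated source line: the comment
    prefix followed by the URL. Returns the non-empty lines that are no
    longer covered by the comment."""
    generated = "//base.ConfigureProxy(this.GetType()," + url
    parts = re.split(r"\r\n|[\r\n\u0085\u2028\u2029]", generated)
    return [p for p in parts[1:] if p.strip()]


# Constructed sample: one clean URL, one with a literal line break, and one
# with an encoded CRLF. INJECTED_STATEMENT is a harmless placeholder.
SAMPLE_WSDL = '''<soap:address location="http://example.test/service"/>
<soap:address location="http://example.test/second
INJECTED_STATEMENT();"/>
<soap:address location="http://example.test/third&#13;&#10;INJECTED_STATEMENT();"/>'''

if __name__ == "__main__":
    for value in find_suspicious_locations(SAMPLE_WSDL):
        print(repr(value), "->", lines_outside_comment(value))
```

The same test, applied before a URL is written into generated source, is the corresponding hardening: a value containing any of these characters is rejected instead of being placed after a single-line comment marker.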

An exploit for this vulnerability is already in the wild. The SonicWall IPS team has developed the following signatures to identify and stop the attacks:

  • IPS 12980: Microsoft .NET Framework Remote Code Execution (SEP 17) 1
  • IPS 12982: Microsoft .NET Framework Remote Code Execution (SEP 17) 2
  • IPS 12983: Microsoft .NET Framework Remote Code Execution (SEP 17) 3