Full Report
In .NET, the ViewState parameter contains information about the state of a user's session. This is serialized into the __VIEWSTATE parameter, which is sent with every request the user makes. People running .NET sites ran into the problem of the ViewState being too large, so developers added another variable called __VSTATE and compressed it. Why does this matter? The parameter carries serialized data, which gives potential RCE if it is deserialized unchecked. Later, the standard ViewState was encrypted so that it couldn't be tampered with. However, those changes were not backfilled to __VSTATE.

Knowing about this issue, the author decided to do a wide search for it. While searching on a code search platform, they saw that Higher Logic used this technique and might be vulnerable. They set up interactsh (a self-hosted Burp Collaborator equivalent), generated a ysoserial payload and attempted the modification of the variable. Boom! It worked. A DNS interaction was spotted, indicating that this was successful.

The reporting process was extremely hairy. HigherLogic did not care at all. So, they reported to IBM's and 8x8's bug bounty programs directly, who asked HigherLogic about it. Finally, the bug was fixed, but HigherLogic refused to make a security release about it; only the customers who knew about it could ask for the patch. The author wrote up a nuclei template for scanning and found 1.7K websites that were vulnerable to the HigherLogic RCE bug. They sent another email informing HigherLogic about a public disclosure and blog post. This time, HigherLogic silently patched all of the affected instances without telling anyone of the issues.

A lot of the articles on this blog are inspired by other issues. I enjoy seeing where the ideas came from and how they helped the author track down the issues. Overall, a fun article that's explained like a veteran of the industry.
Analysis Summary
# Vulnerability: HigherLogic Community Remote Code Execution (RCE) via __VSTATE
## CVE Details
- **CVE ID**: Not explicitly assigned in the article (Commonly referred to as a "Zero Day" at the time of discovery).
- **CVSS Score**: Estimated 9.8 (Critical) based on unauthorized RCE.
- **CWE**: CWE-502: Deserialization of Untrusted Data.
## Affected Systems
- **Products**: HigherLogic Community (Online community/forum platform).
- **Versions**: All versions prior to the silent patch in early 2022.
- **Configurations**: .NET applications utilizing a custom `__VSTATE` parameter for compressed ViewState management.
## Vulnerability Description
In standard .NET applications, `__VIEWSTATE` is used to manage session data. Modern .NET implementations encrypt/sign this data to prevent tampering. However, HigherLogic implemented a custom parameter called `__VSTATE` to handle gzipped (compressed) ViewState data to reduce page size. This custom implementation bypassed the built-in .NET security protections (MAC validation and encryption) applied to the standard `__VIEWSTATE`. An attacker can provide a malicious, serialized .NET object within the `__VSTATE` parameter, which the server then decompresses and deserializes, leading to Remote Code Execution.
## Exploitation
- **Status**: PoC available; exploited in the wild (referenced as used by the "Praying Mantis" APT group).
- **Complexity**: Low.
- **Attack Vector**: Network (Remote).
- **Payload**: Generated with `ysoserial.net`, using the `TypeConfuseDelegate` gadget and the `LosFormatter` formatter.
## Impact
- **Confidentiality**: High (Full access to server data).
- **Integrity**: High (Full control over application logic).
- **Availability**: High (Ability to crash or wipe the server).
## Remediation
### Patches
- **Vendor Patch**: HigherLogic silently patched their hosted instances and released a private patch to customers. Users of HigherLogic Community must ensure they are on the latest version provided by the vendor.
### Workarounds
- **Disable `__VSTATE`**: Revert to the standard, protected `__VIEWSTATE` parameter.
- **Network Filtering**: Implement Web Application Firewall (WAF) rules to inspect and block suspicious serialized objects in hidden form fields.
## Detection
- **Indicators of Compromise**:
  - Presence of the `__VSTATE` parameter in HTTP POST requests whose base64-decoded value begins with the gzip magic bytes (hex `1f 8b`). Note that legitimate traffic to an affected site also carries a gzipped `__VSTATE`, so correlate this with the other indicators.
  - Unusual DNS lookups or outbound network connections from web servers (indicating a ping-back payload).
- **Detection methods and tools**:
  - **Nuclei Template**: A template exists to scan for this specific vulnerability by injecting a DNS interactsh payload into the `__VSTATE` field.
  - **Vulnerability Scanner**: Use `ysoserial.net` to test for deserialization vulnerabilities in hidden .NET fields.
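The following Python script is an added example (not code from the original post, from HigherLogic, or from any of the referenced tools) that turns the indicators above into log-side detection logic. It walks the same decode chain the vulnerability description gives: read `__VSTATE` from a form body, base64-decode it, check for the gzip magic (`1f 8b`, which is the `H4sI` prefix in the raw base64), inflate it with a size cap so a hostile blob cannot exhaust the analyser's memory, then check for the `0xFF 0x01` ObjectStateFormatter header (the familiar `/wE` prefix of a normal `__VIEWSTATE`) and for type names that a page's own ViewState graph has no reason to contain. The list of suspicious type names is a heuristic assumption, the sample request bodies are constructed for the example (the "gadget_shaped" one only contains a marker string, not a payload), and a request with just the standard `__VIEWSTATE` is assumed to be MAC-validated by the framework and therefore left to it.

```python
"""Flag form posts whose __VSTATE field carries a gzip-compressed serialized object,
the shape of the HigherLogic __VSTATE deserialization vector."""
import base64
import gzip
import zlib
from typing import Optional
from urllib.parse import parse_qs, urlencode

GZIP_MAGIC = b"\x1f\x8b"      # appears as the base64 prefix "H4sI" in the raw form field
OSF_HEADER = b"\xff\x01"      # ObjectStateFormatter/LosFormatter marker + version ("/wE" in base64)
MAX_INFLATED = 1 << 20        # refuse to inflate more than 1 MiB: decompression-bomb guard

# Heuristic (an assumption, not an exhaustive list): type names a page's own ViewState
# graph never needs but which common deserialization gadget chains must reference.
SUSPICIOUS_TYPES = (
    b"System.Diagnostics.Process",
    b"System.Windows.Data.ObjectDataProvider",
    b"System.Windows.Markup.XamlReader",
)


def inflate_capped(raw: bytes, limit: int = MAX_INFLATED) -> Optional[bytes]:
    """Gunzip `raw`, but return None if the stream is truncated or would produce
    more than `limit` bytes, so a hostile blob cannot exhaust memory."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = d.decompress(raw, limit)
    if d.unconsumed_tail or not d.eof:
        return None
    return out


def analyse_post_body(body: str) -> dict:
    """Inspect one application/x-www-form-urlencoded body and return findings."""
    fields = parse_qs(body, keep_blank_values=True)
    result = {"has_vstate": False, "gzip": False, "osf_header": False,
              "suspicious_types": [], "reasons": [], "verdict": "ok"}
    if "__VSTATE" not in fields:
        # Only the framework's own __VIEWSTATE (assumed MAC-validated) is in play.
        return result
    result["has_vstate"] = True
    try:
        raw = base64.b64decode(fields["__VSTATE"][0], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        result["reasons"].append("__VSTATE is not valid base64")
        result["verdict"] = "alert"
        return result
    if not raw.startswith(GZIP_MAGIC):
        result["reasons"].append("__VSTATE present but not gzip-framed")
        result["verdict"] = "alert"
        return result
    result["gzip"] = True
    try:
        blob = inflate_capped(raw)
    except zlib.error:
        blob = None
    if blob is None:
        result["reasons"].append("gzip stream corrupt, truncated or over the inflate limit")
        result["verdict"] = "alert"
        return result
    result["osf_header"] = blob.startswith(OSF_HEADER)
    if not result["osf_header"]:
        result["reasons"].append("inflated blob lacks the ObjectStateFormatter header")
    result["suspicious_types"] = [t.decode() for t in SUSPICIOUS_TYPES if t in blob]
    if result["suspicious_types"]:
        result["reasons"].append("gadget-chain type names inside the ViewState graph")
    # A well-formed gzipped ViewState is also what the benign feature looks like, so it
    # is logged for correlation ("observe") rather than blocked outright.
    result["verdict"] = "alert" if result["reasons"] else "observe"
    return result


def make_vstate(state: bytes) -> str:
    """Encode a state blob the way the custom handler does: gzip, then base64."""
    return base64.b64encode(gzip.compress(state)).decode()


# Constructed sample bodies (not real captures). BENIGN_STATE is a stand-in, not a real
# ObjectStateFormatter encoding; GADGET_SHAPED_STATE only carries a marker type name.
BENIGN_STATE = OSF_HEADER + b"\x0f\x05\x02\x05ctl00\x05Hello"
GADGET_SHAPED_STATE = OSF_HEADER + b"\x01\x00System.Diagnostics.Process\x00\x00"
SAMPLE_BODIES = {
    "legit_compressed": urlencode({"__VSTATE": make_vstate(BENIGN_STATE), "__EVENTTARGET": ""}),
    "gadget_shaped": urlencode({"__VSTATE": make_vstate(GADGET_SHAPED_STATE)}),
    "standard_viewstate": urlencode({"__VIEWSTATE": base64.b64encode(BENIGN_STATE).decode()}),
    "raw_uncompressed": urlencode({"__VSTATE": base64.b64encode(BENIGN_STATE).decode()}),
    "inflate_bomb": urlencode({"__VSTATE": make_vstate(OSF_HEADER + b"\x00" * (4 * MAX_INFLATED))}),
}


def scan_all(bodies: dict = SAMPLE_BODIES) -> dict:
    """Verdict per sample; the same loop would run over real access-log bodies."""
    return {name: analyse_post_body(body)["verdict"] for name, body in bodies.items()}


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        r = analyse_post_body(body)
        print(f"{name:20s} {r['verdict']:8s} {'; '.join(r['reasons']) or '-'}")
```

The "observe" verdict exists because, on an affected site, every ordinary postback carries a gzipped `__VSTATE`; the gzip magic alone is therefore a weak signal and is best correlated with the DNS or outbound-connection indicators above. The capped inflate matters because the analyser itself deserializes nothing, but it does decompress attacker-controlled bytes.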
## References
- **Original Research**: hxxps[://]blog[.]sorcery[.]ie/posts/higherlogic_rce/
- **Technique Inspiration**: hxxps[://]graa[.]nl/articles/2010[.]html
- **Related APT Activity**: hxxps[://]therecord[.]media/praying-mantis-apt-targets-iis-servers-with-asp-net-exploits/
- **Deserialization Research**: hxxps[://]soroush[.]secproject[.]com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/