Full Report
Devs and users should know better, Microsoft tells watchTowr Security researchers have revealed a .NET security flaw thought to affect a host of enterprise-grade products that they say Microsoft refuses to fix.…
Analysis Summary
# Vulnerability: .NET SoapHttpClientProtocol Arbitrary File Write / RCE via SOAP Messages
## CVE Details
- CVE ID: Not assigned or disclosed in the source text, which implies an unpatched issue that was reported to the vendor privately.
- CVSS Score: Not provided.
- CWE: Likely related to Improper Neutralization of Special Elements in Output Used by a Web Page (CWE-74) or similar file operation vulnerability.
## Affected Systems
- Products: A range of enterprise-grade products built on the .NET Framework; Barracuda Service Center and Umbraco 8 CMS are named specifically.
- Versions: Applications built on Microsoft's .NET Framework utilizing the `SoapHttpClientProtocol` class, particularly when processing SOAP messages.
- Configurations: Applications that accept untrusted or user-controlled input for setting the target URL or importing Web Services Description Language (WSDL) files.
## Vulnerability Description
The flaw resides in the `SoapHttpClientProtocol` class, which inherits from `HttpWebClientProtocol` in the .NET Framework. Although the class is designed to carry SOAP messages over HTTP, it builds its outbound request through a generic creation method that supports several URL schemes, including HTTP, HTTPS, FTP and **FILE**. If an attacker can steer the target URL to a local file path rather than the expected HTTP address, the class writes the SOAP request body (the POST payload) directly to that path, which yields an arbitrary file write.
A second exploitation path involves feeding a malicious URL pointing to a controlled WSDL file to the vulnerable application during proxy generation, which then triggers the underlying flaw, enabling Remote Code Execution (RCE).
## Exploitation
- Status: Proof-of-Concept (PoC) demonstrated by watchTowr researchers. Exploitation paths toward RCE were shown to work against specific products (Barracuda Service Center, Umbraco 8 CMS).
- Complexity: The initial file write is straightforward when the application performs no validation on the target URL. Reaching RCE is more involved, but was demonstrated via WSDL import or namespace abuse.
- Attack Vector: Primarily Network (via SOAP requests or WSDL imports).
## Impact
- Confidentiality: Potentially High (if file write leads to credential exposure or arbitrary file read via associated mechanisms).
- Integrity: High (Arbitrary file write capability, leading to webshell deployment and RCE).
- Availability: Potentially High (RCE can lead to system compromise or denial of service).
## Remediation
### Patches
- None confirmed or provided by Microsoft, which considers the behavior expected and places responsibility on developers to validate inputs. Developers must audit their own use of `SoapHttpClientProtocol`.
### Workarounds
- Developers must ensure that any URL passed to or resolved by components using `SoapHttpClientProtocol` (or related proxy types) is strictly validated and sourced only from trusted origins, preventing any file protocol paths (`file://`, etc.) from being set as the target URL.
- Validate WSDL inputs thoroughly before importing or processing them to generate proxies.
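The following is an added example (not code from the original report or from watchTowr or Microsoft) showing the hardening described in the description and workaround sections: a proxy derived from `SoapHttpClientProtocol` that only accepts validated `http`/`https` targets, and additionally overrides `GetWebRequest` so that a stray `file://` or UNC target is refused even if `Url` is assigned elsewhere. The class name `HardenedSoapProxy`, the method `SetTargetUrl`, and the allow-listed host `soap.example.internal` are assumptions for illustration; real projects would apply the same checks to the proxy class generated from their WSDL.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web.Services.Protocols;

// Hypothetical proxy; in practice the generated wsdl.exe / "Add Web Reference"
// class is the one that derives from SoapHttpClientProtocol.
public class HardenedSoapProxy : SoapHttpClientProtocol
{
    // Constructed allow list of service hosts the application is meant to call.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "soap.example.internal" };

    // Validate a candidate endpoint before it is ever handed to the proxy.
    // Rejects relative paths, non-HTTP(S) schemes (file://, ftp://, UNC paths parse
    // as the file scheme) and hosts outside the allow list.
    public static Uri ValidateServiceUrl(string candidate)
    {
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out Uri uri))
            throw new ArgumentException("Service URL must be an absolute URI.");

        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Scheme '" + uri.Scheme + "' is not permitted; only http/https.");

        if (!AllowedHosts.Contains(uri.Host))
            throw new ArgumentException("Host '" + uri.Host + "' is not on the allow list.");

        return uri;
    }

    // Vulnerable pattern this replaces: proxy.Url = untrustedInput;
    public void SetTargetUrl(string candidate)
    {
        Url = ValidateServiceUrl(candidate).AbsoluteUri;
    }

    // Defense in depth: WebClientProtocol.GetWebRequest is the hook where the
    // scheme-dispatched request object is created, so refuse anything non-HTTP(S)
    // here regardless of how Url was set.
    protected override WebRequest GetWebRequest(Uri uri)
    {
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Refusing non-HTTP(S) SOAP target: " + uri);

        return base.GetWebRequest(uri);
    }
}
```

The same `ValidateServiceUrl` check should be applied to any URL that is passed to WSDL import or proxy-generation code, since that path reaches the same underlying request creation. The `GetWebRequest` override is the important second layer: it catches assignments to `Url` made through configuration or reflection that bypass the `SetTargetUrl` wrapper.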
## Detection
- Indicators of Compromise: Look for unexpected file writes to arbitrary locations within application server directories, especially files with extensions such as `.aspx` or `.cshtml` appearing where they should not exist. Examine application logs and outbound request telemetry for SOAP proxy target URLs that resolve to local file paths rather than standard web endpoints.
- Detection methods and tools: Static analysis of application code that uses `SoapHttpClientProtocol` (in particular, every place the proxy `Url` is assigned or a WSDL location is supplied) is crucial. Runtime monitoring should inspect file system write operations originating from web application processes.
## References
- Vendor Advisories: Microsoft declined to fix the underlying behavior, stating that developers are responsible for keeping untrusted input out of these URLs.
- Relevant links - defanged: `labs[dot]watchtowr[dot]com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/`