Microsoft .NET Framework Remote Code Execution


Microsoft .net Framework is prone to a critical remote code execution vulnerability. When the WSDL parser is handling the data from a certain crafted document file, the IsValidUrl improperly handles the checking procedure, and allows malicious URLs to pass the validation, eventually causes a code injection vulnerability. By exploiting this vulnerability, a remote attacker could execute arbitrary code as the administrator.

This vulnerability is triggered in the WSDL parser.cs in the System.Runtime.Remoting package. ( The IsValidUrl has been called to validate the user provided URL. This function will automatically add “//base.ConfigureProxy(this.GetType(),” string after detecting the first URL, to nullify the later part of the URL.

Figure 1: The vulnerable function

However, if the data contains CRLF, the later part of the URL will not be commented. If the method System.Diagnostics.Process.Start is in the injected code, the code will be compiled by .net framework and eventually delivers to the dll and executable.

Figure 2: The exploit code

The exploit of this vulnerability is already in the wild. SonicWall IPS team has developed the following signatures to identify and stop the attacks:

  • IPS 12980: Microsoft .NET Framework Remote Code Execution (SEP 17) 1
  • IPS 12982: Microsoft .NET Framework Remote Code Execution (SEP 17) 2
  • IPS 12983: Microsoft .NET Framework Remote Code Execution (SEP 17) 3
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.