Changjetong T+ .NET Deserialization Vulnerability Leading to Remote Code Execution
Vulnerability
A deserialization vulnerability has been identified in Changjetong T+ versions up to and including 16.x. The flaw lies in an AjaxPro endpoint and can be exploited by remote attackers to execute arbitrary code. By sending a crafted request with a malicious JSON payload to that endpoint, an attacker can make the server deserialize attacker-controlled .NET types and invoke methods such as System.Diagnostics.Process.Start. This results in command execution in the context of the T+ application service account.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where Changjetong T+ is running.
Reproduction
To reproduce this vulnerability, send a POST request to the '/tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore' endpoint. The JSON body triggers the deserialization flaw by invoking the 'System.Diagnostics.Process.Start' method with arguments that execute a command. Once the command has run, its output can be retrieved from a file that the command writes.
Remediation
Users are advised to update to the latest version of Changjetong T+ where this vulnerability has been patched.
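As an added defender-side example (not from the advisory and not vendor code), the following Python function flags inbound requests that target the AjaxPro handler pattern named above and carry a .NET type reference that a legitimate T+ request should never contain. It assumes a proxy or log feed exposing method, URL and body, that AjaxPro carries its type hint in a `__type` member, and that the application's own types live under the `Ufida.` namespace; sample requests below are constructed.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the T+ application's own types live under "Ufida.", so a type
# hint outside that namespace in an AjaxPro request body is suspicious.
ALLOWED_TYPE_PREFIXES = ("Ufida.",)
# The type the advisory names as reachable through the vulnerable endpoint.
DANGEROUS_TYPES = ("System.Diagnostics.Process",)
# AjaxPro handlers under /tplus/ajaxpro/<type>,<assembly>.ashx?method=<name>
AJAXPRO_PATH = re.compile(r"^/tplus/ajaxpro/[^/?]+\.ashx$", re.IGNORECASE)


def type_hints(node):
    """Yield the value of every "__type" member in a parsed JSON document
    (AjaxPro's type hint; assumption), walking nested objects and arrays."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "__type" and isinstance(value, str):
                yield value
            yield from type_hints(value)
    elif isinstance(node, list):
        for value in node:
            yield from type_hints(value)


def inspect_request(method, url, body):
    """Return the reasons a request looks like an attempt against the AjaxPro
    deserialization flaw; an empty list means nothing was flagged.
    One request can produce several reasons."""
    reasons = []
    parts = urlsplit(url)
    if method.upper() != "POST" or not AJAXPRO_PATH.match(parts.path):
        return reasons
    if "method" not in parse_qs(parts.query):
        return reasons
    try:
        doc = json.loads(body)
    except ValueError:
        return ["ajaxpro endpoint received a non-JSON body"]
    for hint in type_hints(doc):
        if not hint.startswith(ALLOWED_TYPE_PREFIXES):
            reasons.append(f"type hint outside application namespace: {hint}")
    for dangerous in DANGEROUS_TYPES:
        if dangerous in body:  # coarse check covers method-name strings too
            reasons.append(f"dangerous type referenced: {dangerous}")
    return reasons
```

Feed it each request as it arrives at the reverse proxy or from a request-body log, and alert on any non-empty result.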
