CVE-2021-23758 Overview
CVE-2021-23758 is a critical insecure deserialization vulnerability affecting all versions of the AjaxPro.2 package for .NET. The vulnerability allows remote attackers to execute arbitrary code on affected systems by exploiting the deserialization of untrusted data. AjaxPro.2 fails to properly validate or restrict the types of .NET classes that can be deserialized, enabling attackers to craft malicious serialized objects that execute code upon deserialization.
Critical Impact
Remote attackers can achieve full system compromise through arbitrary code execution by sending specially crafted serialized .NET objects to vulnerable AjaxPro.2 endpoints, requiring no authentication or user interaction.
Affected Products
- AjaxPro.2 (all versions) for .NET framework
- Applications utilizing the ajaxpro.2_project:ajaxpro.2 NuGet package
- Web applications with exposed AjaxPro.2 AJAX endpoints
Discovery Timeline
- 2021-12-03 - CVE-2021-23758 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-23758
Vulnerability Analysis
This vulnerability stems from insecure deserialization practices within the AjaxPro.2 library. AjaxPro.2 is a .NET library that enables AJAX functionality in ASP.NET applications by serializing and deserializing .NET objects for client-server communication. The library's deserialization mechanism accepts arbitrary .NET class types without implementing a type allowlist or blocklist, creating a dangerous attack surface.
When a .NET application deserializes data, it can instantiate objects and execute code defined in the object's constructor or through other automatically invoked methods. An attacker can exploit this behavior by crafting serialized payloads containing gadget chains—sequences of existing .NET classes that, when deserialized together, result in arbitrary code execution. Common gadget chains used in .NET deserialization attacks leverage classes from System.Windows.Data.ObjectDataProvider, System.Web.UI.LosFormatter, or the TypeConfuseDelegate pattern.
Root Cause
The root cause is the lack of type restrictions during the deserialization process. AjaxPro.2 does not implement a secure type binder or allowlist that would restrict which .NET types can be instantiated during deserialization. This allows attackers to specify malicious types in the serialized payload that will be instantiated and potentially execute code when deserialized by the server.
Attack Vector
The vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker can send a specially crafted HTTP request containing a malicious serialized .NET object to any exposed AjaxPro.2 endpoint. The attack flow typically involves:
- Identifying an AjaxPro.2 endpoint in the target application
- Crafting a serialized payload containing a known .NET gadget chain
- Sending the payload via HTTP POST request to the vulnerable endpoint
- The server deserializes the payload, triggering code execution
The security patch addressed this by implementing type restrictions:
</ApplicationIcon>
<AssemblyKeyContainerName>
</AssemblyKeyContainerName>
- <AssemblyName>AjaxPro</AssemblyName>
+ <AssemblyName>AjaxPro.2</AssemblyName>
<AssemblyOriginatorKeyFile>
</AssemblyOriginatorKeyFile>
<DefaultClientScript>JScript</DefaultClientScript>
Source: GitHub Commit
Detection Methods for CVE-2021-23758
Indicators of Compromise
- Unusual HTTP POST requests to AjaxPro endpoints containing serialized .NET objects with suspicious type names
- Presence of known .NET deserialization gadget class names in request bodies (e.g., ObjectDataProvider, TypeConfuseDelegate, ProcessStartInfo)
- Unexpected child process spawning from IIS worker processes (w3wp.exe)
- Web application logs showing deserialization exceptions or type resolution errors
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block known .NET deserialization gadget patterns in HTTP request bodies
- Monitor IIS and application logs for AjaxPro-related requests with unusual payload sizes or content patterns
- Deploy runtime application self-protection (RASP) solutions capable of detecting deserialization attacks
- Use SentinelOne Singularity to detect post-exploitation behaviors such as abnormal process creation from web server processes
Monitoring Recommendations
- Enable verbose logging on AjaxPro endpoints and monitor for deserialization-related exceptions
- Implement network traffic analysis to identify serialized .NET object patterns in incoming requests
- Monitor for unusual outbound connections from web servers that could indicate successful exploitation
- Track process genealogy from web server worker processes to detect command execution
How to Mitigate CVE-2021-23758
Immediate Actions Required
- Identify all applications using AjaxPro.2 by scanning for the NuGet package dependency or DLL references
- Apply the security patch from the GitHub commit that implements type restrictions
- Consider migrating to alternative, actively maintained AJAX libraries if the application architecture permits
- Implement input validation and type allowlisting at the application level as defense-in-depth
Patch Information
The vendor has released a security fix via the Ajax.NET Professional GitHub repository. The patch implements allowed customized types to prevent arbitrary class deserialization. Organizations should review the commit and apply the updated library to all affected applications. Additional technical details are available in the Snyk Vulnerability Report.
Workarounds
- Implement a custom type binder that restricts deserialization to known, safe types only
- Deploy a Web Application Firewall (WAF) with rules to detect and block .NET deserialization payloads
- Restrict network access to AjaxPro endpoints using authentication and authorization controls
- Consider disabling or removing AjaxPro functionality entirely if not critical to application operations
# IIS URL Rewrite rule to block potential deserialization attacks
# Add to web.config in the <system.webServer> section
# This blocks requests containing common .NET gadget chain indicators
# <rule name="Block Deserialization Attacks" stopProcessing="true">
# <match url=".*\.ashx" />
# <conditions>
# <add input="{REQUEST_METHOD}" pattern="POST" />
# <add input="{HTTP_Content-Type}" pattern="application/json" />
# </conditions>
# <action type="CustomResponse" statusCode="403" statusReason="Forbidden" />
# </rule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
