Executive Summary

CVE-2023-7334 is a critical remote code execution vulnerability in Changjetong T+ versions up to 16.x. It occurs due to unsafe deserialization of attacker-controlled .NET objects in an AjaxPro endpoint. An attacker can send a specially crafted JSON request to the endpoint /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore, which deserializes the malicious data and allows execution of arbitrary commands, such as launching processes via System.Diagnostics.Process.Start. This leads to remote code execution with the privileges of the T+ application service account. [3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow a remote attacker to execute arbitrary commands on the affected system without any authentication or user interaction. This can lead to full compromise of the system running Changjetong T+, including unauthorized access, data theft, system manipulation, or disruption of services. Since the commands run with the T+ application service account privileges, the attacker may gain significant control over the affected environment. [3]

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring for malicious requests sent to the vulnerable endpoint `/tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore` with suspicious JSON payloads that attempt .NET deserialization. Network intrusion detection systems (NIDS) or web application firewalls (WAF) can be configured to alert on such requests. Additionally, reviewing web server logs for POST requests to this endpoint with unusual or large JSON bodies may help identify exploitation attempts. Using the publicly available proof-of-concept exploit script (Resource 4) can assist in testing detection capabilities. Specific commands depend on your environment, but examples include using `curl` to simulate requests or `grep` to search logs, e.g.: `grep '/tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore' /var/log/nginx/access.log` or `tail -f /var/log/httpd/access_log | grep 'GetStoreWarehouseByStore'`. [3, 4]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying the latest security patches or updates provided by the vendor that address deserialization vulnerabilities and other security hardening measures, as detailed in the T+ Exclusive Cloud 16.0 patch package (Resource 2). If patching is not immediately possible, restrict access to the vulnerable endpoint by implementing network-level controls such as firewall rules or WAF rules to block or monitor requests to `/tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore`. Additionally, monitor logs for suspicious activity and consider disabling or restricting the affected service until a patch can be applied. [2, 3]

Useful 0 Not Useful 0