
"Its name and the official documentation both paint a simple picture: it should handle SOAP messages transported over HTTP. Straightforward. Predictable. Safe. Reality is less cooperative."
"Wait, what. Why should a SOAP proxy be able to 'send' SOAP requests to a local file? Nobody on this planet expects to receive a valid SOAP response from the filesystem."
Piotr Bazydło of watchTowr revealed at Black Hat Europe a vulnerability in the .NET SoapHttpClientProtocol class that can enable remote code execution. The class, commonly used as a client proxy, inherits from HttpWebClientProtocol and uses a generic creation method supporting multiple protocols including HTTP/HTTPS, FTP, and FILE. The class allows attackers who can control the target URL to set a filesystem path; SoapHttpClientProtocol then writes the SOAP POST request directly into the file instead of rejecting the non-HTTP scheme. This unintended behavior enables arbitrary writing to local files and can be abused to achieve RCE across vendor and in-house solutions. Microsoft reportedly refuses to fix the flaw.
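A defensive check for the behavior described above, as an added example that is not code from the article, watchTowr, or Microsoft: validate any configurable endpoint before it is assigned to a SOAP client proxy's `Url` property, rejecting every non-HTTP scheme. The `SoapEndpointGuard` class, the `allowedHosts` parameter, and all sample inputs are hypothetical; the host allow-list goes one step beyond the scheme check the summary implies.

```csharp
using System;
using System.Collections.Generic;

public static class SoapEndpointGuard
{
    // Only these schemes make sense for SOAP transported over HTTP.
    private static readonly HashSet<string> AllowedSchemes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { Uri.UriSchemeHttp, Uri.UriSchemeHttps };

    // Returns true and the parsed URI only for absolute http/https URLs whose host is in
    // the caller's allow-list (hypothetical parameter; pass null to skip the host check).
    public static bool TryValidate(string candidate, ISet<string> allowedHosts, out Uri endpoint)
    {
        endpoint = null;
        if (string.IsNullOrWhiteSpace(candidate)) return false;
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out Uri parsed)) return false;
        // Drive-letter and UNC paths can parse as file URIs, so test these explicitly.
        if (parsed.IsFile || parsed.IsUnc) return false;
        if (!AllowedSchemes.Contains(parsed.Scheme)) return false;
        if (allowedHosts != null && !allowedHosts.Contains(parsed.Host)) return false;
        endpoint = parsed;
        return true;
    }

    public static void Main()
    {
        var hosts = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "soap.example.test" };
        // Constructed sample inputs, not taken from the article.
        string[] samples = {
            "https://soap.example.test/Service.asmx",
            "HTTP://soap.example.test/Service.asmx",
            "https://other.example.test/Service.asmx",
            "file:///C:/inetpub/wwwroot/out.txt",
            @"C:\inetpub\wwwroot\out.txt",
            @"\\fileserver.example.test\share\out.txt",
            "ftp://soap.example.test/out.txt",
            "Service.asmx"
        };
        foreach (string s in samples)
        {
            bool ok = TryValidate(s, hosts, out Uri uri);
            Console.WriteLine("{0,-8} {1}", ok ? "ACCEPT" : "REJECT", s);
            // Only on ACCEPT would the caller assign: proxy.Url = uri.AbsoluteUri;
        }
    }
}
```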
Read at Theregister