When surfing around I found this great range of ASP.Net controls. Obout.com offers a great variety of ASP and ASP .Net controls. The controls are cross-browser (including Safari and Opera). You can download the obout Suite for .Net 2.0. The suite contains the following controls:
In addition, thoughts, opinions, code and solutions change from time to time. I consider this a necessary consequence of having an open mind. This blog is intended to provide a semi-permanent point-in-time snapshot and manifestation of the various thoughts and solutions that are in our minds, and as such any code, solutions and opinions/thoughts expressed within out-of-date posts may not be the same, nor even similar, to those I may hold today.
The TemplateParser is fundamental in ASP.NET Web Forms. It is used for parsing different ASP.NET source files such as *.aspx and for parsing other input from various sources, including user-provided data.
In this two-part series we will take a deep look into TemplateParser internals, its capabilities, and how they can be exploited. This part focuses on how the TemplateParser is used by ASP.NET, explores its inner processing and its implications, and presents two gadgets suitable for Sitecore (CVE-2023-35813) that allow for Sensitive Data Exfiltration or Remote Code Execution, respectively. Part II will focus on SharePoint, explain the added security restrictions, and present another gadget using a novel technique that allowed bypassing these security restrictions to eventually gain Remote Code Execution in SharePoint (CVE-2023-33160).
The software contains a vulnerability that allows invoking arbitrary methods on OboutInv.oboutAJAXPage instances, which extend the System.Web.UI.Page and thus also the System.Web.UI.TemplateControl class of ASP.NET. The invocable methods include the TemplateControl.ParseControl methods, which parse the provided code using the internal TemplateParser.ParseTemplateInternal(string, VirtualPath, bool) method.
Attacks on the TemplateParser have already been described by other researchers. Amongst others, there is Soroush Dalili with A Security Review of SharePoint Site Pages and also Oleksandr Mirosh and Alvaro Muñoz with their Room for Escape: Scribbling Outside the Lines of Template Security.
While previous research focused on compiling and calling the compiled code, this blog post will solely focus on the parsing step, i.e., being able to control the content argument value passed to the TemplateParser.ParseTemplateInternal(string, VirtualPath, bool) method. This is the first step in the first stage of the general page life-cycle and is independent of whether compilation happens and/or whether the compiled code gets invoked during rendering or elsewhere.
For all these different kinds of files, ASP.NET has different classes that extend the abstract TemplateParser class where each of them returns a different type for the DefaultBaseType property (abstract classes are in italics):
This DefaultBaseType also defines the ControlType of the RootBuilder the parsing process returns when the TemplateParser.ParseTemplateInternal(string, VirtualPath, bool) method gets called internally. The RootBuilder extends ControlBuilder, which has a BuildObject() method that is then capable of building the object defined by the parsed source code.
At the core, there is the internal TemplateParser.Parse() method. Apart from the parsing during design-time using System.Web.UI.DesignTimeTemplateParser (which happens when using a design editor such as Visual Web Developer) the other calls to the TemplateParser.Parse() method originate from the following non-public methods:
The first is used for VirtualPath-backed sources like the aforementioned .aspx files processed by the PageHandlerFactory. The latter is used for string-backed input, which is the one called by the TemplateControl.ParseControl methods. These methods do not include compilation:
While the TemplateControl.ParseControl methods do not incorporate compilation, they do incorporate the instantiation of the parsed ControlBuilder graph generated by TemplateControl using the ITemplate.InstantiateIn(Control) of the ITemplate instance returned by TemplateParser.ParseTemplateInternal.
Source code tags with a runat="server" attribute are considered a server control. Apart from using built-in server controls provided by ASP.NET, it is also possible to use custom server controls. For that, it is required to register a mapping of a tag prefix onto an assembly and namespace pair using the @ Register directive expression syntax:
If the TemplateParser was called from one of the ParseControl methods, the next step after tokenizing the input and translating it into a tree of ControlBuilders is to instantiate the returned RootBuilder in an empty Control instance by calling the ITemplate.InstantiateIn(Control) method on the RootBuilder instance. This happens in the internal TemplateParser.ParseControl(string, VirtualPath, bool) method.
During object instantiation of the RootBuilder in the empty Control, the ITemplate.BuildChildren(Control) method gets called. For ControlBuilder instances that are not instances of CodeBlockBuilder, the respective ControlBuilder.BuildObject(bool) method gets called. For ControlBuilder instances, this results in a call to ControlBuilder.BuildObjectInternal(), which creates an instance of the type specified for the server control using Activator.CreateInstance(Type), thereby requiring the type to have a public parameter-less constructor.
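The three parse-time facts just described (a @ Register directive maps a prefix onto a namespace/assembly pair, every prefixed runat="server" tag becomes an Activator.CreateInstance of a type from that namespace, and, as noted further below, expression-builder expressions are evaluated during parsing) are what a defender has to gate before untrusted text ever reaches ParseControl. The following pre-parse audit is an added example written for this post, not code from the original article or from ASP.NET; it is a regex-based approximation of the parser's tokenizing, the sample template and the Acme.* names are constructed, and it does not replace ASP.NET's own PageParserFilter mechanism or account for prefixes registered in web.config.

```python
import re
from typing import Dict, List, Set, Tuple

# Regexes approximating how the TemplateParser tokenizes the constructs that matter here.
DIRECTIVE_RE = re.compile(r'<%@\s*Register\b(.*?)%>', re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
SERVER_TAG_RE = re.compile(r'<(\w+):(\w+)\b([^>]*)>', re.DOTALL)
RUNAT_RE = re.compile(r'\brunat\s*=\s*"server"', re.IGNORECASE)
EXPR_BUILDER_RE = re.compile(r'<%\$(.*?)%>', re.DOTALL)  # <%$ ... %> is evaluated at parse time

# Constructed sample of template text as it might be handed to TemplateControl.ParseControl.
# "Acme.Web.Controls" / "Acme.Web" are hypothetical names, not from the original post.
SAMPLE = (
    '<%@ Register TagPrefix="acme" Namespace="Acme.Web.Controls" Assembly="Acme.Web" %>\n'
    '<asp:Label runat="server" Text="hello" />\n'
    '<acme:Widget runat="server" Title="demo" />\n'
    '<asp:Literal runat="server" Text="<%$ AppSettings:SomeKey %>" />\n'
)


def register_directives(text: str) -> Dict[str, Dict[str, str]]:
    """Map each registered TagPrefix (lower-cased) to its directive attributes."""
    prefixes: Dict[str, Dict[str, str]] = {}
    for m in DIRECTIVE_RE.finditer(text):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        if 'tagprefix' in attrs:
            prefixes[attrs['tagprefix'].lower()] = attrs
    return prefixes


def server_controls(text: str) -> List[Tuple[str, str]]:
    """Return (prefix, tag) for every prefixed tag carrying runat="server"."""
    return [(p.lower(), t) for p, t, attrs in SERVER_TAG_RE.findall(text) if RUNAT_RE.search(attrs)]


def audit(text: str, allowed_namespaces: Set[str]) -> List[str]:
    """Report everything the parser would instantiate or evaluate outside the allowlist."""
    findings: List[str] = []
    prefixes = register_directives(text)
    for prefix, attrs in prefixes.items():
        ns = attrs.get('namespace', '')
        if ns not in allowed_namespaces:
            findings.append(f'register: prefix "{prefix}" maps to non-allowlisted namespace {ns!r}')
    for prefix, tag in server_controls(text):
        if prefix == 'asp':          # built-in prefix, types come from System.Web itself
            continue
        if prefix not in prefixes:   # prefixes from web.config <pages><controls> are not seen here
            findings.append(f'control: <{prefix}:{tag}> uses a prefix not registered in this input')
        elif prefixes[prefix].get('namespace', '') not in allowed_namespaces:
            findings.append(f'control: <{prefix}:{tag}> would be created from a non-allowlisted namespace')
    for m in EXPR_BUILDER_RE.finditer(text):
        findings.append(f'expression builder evaluated at parse time: {m.group(1).strip()}')
    return findings
```

Any non-empty result from audit() is a reason to reject the input before it reaches ParseControl, since by then the types are already being instantiated.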
The Sitecore.Web.UI.HtmlControls.Control, Sitecore.Web.UI.XamlSharp.Xaml.XamlControl, and Sitecore.Web.UI.XamlSharp.Xaml.XamlPage types implement the Sitecore.Web.UI.XamlSharp.Ajax.IIsAjaxEventHandler interface whose event handler implementations allow calling an arbitrary method on the corresponding instance.
For specific web control instances, the __SOURCE would contain their corresponding ID. For pages, the ID is left blank. Any .aspx page using any one of the aforementioned types can be targeted. It is also possible to use the Sitecore.Web.UI.XamlSharp.Xaml.XamlPageHandlerFactory mapped by sitecore_xaml.ashx to create an appropriate page or control defined in one of the .xaml.xml files:
While this may achieve instant Remote Code Execution, it requires the server to establish an outbound SMB connection, which may fail. So for a simple proof, a more reliable gadget would be desirable.
While looking for classes that may allow a more reliable and direct response, the RemotingService class came up. Its Context property calls HttpContext.Current, which allows access to the current HttpResponse instance, which again allows writing into the HTTP response using a property path:
This can also be used to exfiltrate sensitive information: While data binding events of data-bound controls with data-binding expressions () only happen when the control gets rendered, expression builder expressions () are evaluated during parsing as well.
The TemplateParser is capable of creating objects of arbitrary types using their public parameter-less constructors and invoking property setter methods on them. This can be exploited to gain Remote Code Execution by using AssemblyInstaller to load a remote assembly file via SMB. Or, if outgoing connections fail, the RemotingService class together with expression builder expressions () can be used to write app settings or connection strings into the HTTP response.
In Part II we take a closer look at how SharePoint uses the TemplateParser, why the aforementioned gadgets do not work, and how a novel bypass eventually allowed for Remote Code Execution in SharePoint on-premises and SharePoint Online.
.NET controls not only enable developers to build applications with intuitive user interfaces but also enhance productivity. While Microsoft provides a standard set of controls with Visual Studio, third-party suites contain numerous controls with a wide range of unique features for the development of applications for PCs and portable mobile devices.
I used the beautiful Hand-Penned Designer Series Paper, which was cut in half and added to the card. The Hand-Penned Petals stamp set is a two-step set. One is the image outline stamp, and then I added the fill-in for the flower with our new In-Colour, Pale Papaya, and the leaves in another new In-Colour, Soft Succulent. I love how our suites offer product coordination to make creating easy.