Feb 27, 2024

Leaking ObjRefs to Exploit HTTP .NET Remoting

How leaking valid ObjRefs to target .NET Remoting for Remote Code Execution is not considered a vulnerability – at least according to Microsoft.

Sep 29, 2023

Exploiting ASP.NET TemplateParser — Part II: SharePoint (CVE-2023-33160)

In Part I, we dug into the internals of the ASP.NET TemplateParser and elaborated its capabilities in respect to exploitation. In this part, we will look into whether and how this can also be exploited to gain Remote Code Execution. While this research was originally focussed on the TemplateParser, the newly discovered technique was also applicable to SharePoint on-premises and SharePoint Online. So we’ll elaborate on how SharePoint protects against the use of malicious code and will present a novel trick that allowed to bypass these security measures (CVE-2023-33160).

Sep 25, 2023

Exploiting ASP.NET TemplateParser — Part I: Sitecore (CVE-2023-35813)

The TemplateParser is fundamental in ASP.NET Web Forms. It is used for parsing different ASP.NET source files such as *.aspx and for parsing other input from various sources, including user provided data. In this two part series we will take a deep look into TemplateParser internals, its capabilities, and how they can be exploited. This knowledge is then applied in the field to demonstrate Remote Code Execution vulnerabilities in Sitecore (CVE-2023-35813) and SharePoint (CVE-2023-33160).

Aug 3, 2023

Blindsiding auditd for Fun and Profit

The Linux audit framework provides a powerful audit system for monitoring security relevant events on Linux operating systems. In this blogpost, we demonstrate some attacks on its userspace component auditd with the goal to tamper with audit events to hide malicious activity. We also released two PoCs called daphne and apollon that demonstrate different techniques to tamper with audit events. Background Over the last couple of years, monitoring and endpoint protection solutions have developed rapidly.

Jul 10, 2023

From Blackbox .NET Remoting to Unauthenticated Remote Code Execution

This is a story on discovering an Unauthenticated Remote Code Execution in a CRM product by the vendor ACT!. What made this story special for us was that we had to take a blackbox approach at the beginning and the system was not exploitable with standard .NET Remoting payloads due to several reasons we’ll explain in this blog post.

Apr 11, 2023

Java Exploitation Restrictions in Modern JDK Times

Java deserialization gadgets have a long history in context of vulnerability research and at least go back to the year 2015. One of the most popular tools providing a large set of different gadgets is ysoserial by Chris Frohoff. Recently, we observed increasing concerns from the community why several gadgets do not seem to work anymore with more recent versions of JDKs. In this blog post we try to summarize certain facts to reenable some capabilities which seemed to be broken. But our journey did not begin with deserialization in the first place but rather looking for alternative ways of executing Java code in recent JDK versions. In this blost post, we will focus on OpenJDK and Oracle implementations. Defenders should therefore adjust their search patterns to these alternative code execution patterns accordingly.

Mar 20, 2023

JMX Exploitation Revisited

The Java Management Extensions (JMX) are used by many if not all enterprise level applications in Java for managing and monitoring of application settings and metrics. While exploiting an accessible JMX endpoint is well known and there are several free tools available, this blog post will present new insights and a novel exploitation technique that allows for instant Remote Code Execution with no further requirements, such as outgoing connections or the existence of application specific MBeans.

Sep 6, 2022

Attacks on Sysmon Revisited - SysmonEnte

In this blogpost we demonstrate an attack on the integrity of Sysmon which generates a minimal amount of observable events making this attack difficult to detect in environments where no additional security products are installed.

Jun 28, 2022

Bypassing .NET Serialization Binders

This was originally posted on blogger here. Serialization binders are often used to validate types specified in the serialized data to prevent the deserialization of dangerous types that can have malicious side effects with the runtime serializers such as the BinaryFormatter. In this blog post we’ll have a look into cases where this can fail and consequently may allow to bypass validation. We’ll also walk through two real-world examples of insecure serialization binders in the DevExpress framework (CVE-2022-28684) and Microsoft Exchange (CVE-2022-23277), that both allow remote code execution.

Jan 27, 2022

.NET Remoting Revisited

This was originally posted on blogger here. .NET Remoting is the built-in architecture for remote method invocation in .NET. It is also the origin of the (in-)famous BinaryFormatter and SoapFormatter serializers and not just for that reason a promising target to watch for. This blog post attempts to give insights into its features, security measures, and especially its weaknesses/vulnerabilities that often result in remote code execution. We’re also introducing major additions to the ExploitRemotingService tool, a new ObjRef gadget for YSoSerial.