<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Blog on CODE WHITE | Red Teaming &amp; Attack Surface Management</title>
    <link>https://code-white.com/blog/</link>
    <description>Recent content in Blog on CODE WHITE | Red Teaming &amp; Attack Surface Management</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <copyright>2026 CODE WHITE GmbH All rights reserved</copyright>
    <lastBuildDate>Tue, 13 Jan 2026 12:11:59 +0000</lastBuildDate><atom:link href="https://code-white.com/blog/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Unauthenticated RCE in NetSupport Manager - A Technical Deep Dive</title>
      <link>https://code-white.com/blog/2026-01-nsm-rce/</link>
      <pubDate>Tue, 13 Jan 2026 12:11:59 +0000</pubDate>
      
      <guid>https://code-white.com/blog/2026-01-nsm-rce/</guid>
      <description>NetSupport Manager is a remote control and support software that we find surprisingly often utilized in sensitive &lt;em&gt;Operational Technology (OT)&lt;/em&gt; environments, such as production plant networks. Besides describing two 0-day vulnerabilities that we found in the client component of the software, we also walk you through an exploit odyssey to finally gain unauthenticated Remote Code Execution.</description>
    </item>
    
    <item>
      <title>A Retrospective Analysis of CVE-2025-59287 in Microsoft WSUS</title>
      <link>https://code-white.com/blog/wsus-cve-2025-59287-analysis/</link>
      <pubDate>Wed, 29 Oct 2025 00:00:00 +0000</pubDate>
      
      <guid>https://code-white.com/blog/wsus-cve-2025-59287-analysis/</guid>
      <description>How the n-day research for a suspected vulnerability in Microsoft WSUS (CVE-2025-59287) led to the surprising discovery of a new &lt;code&gt;SoapFormatter&lt;/code&gt; vulnerability added by the Patch Tuesday updates of October 2025.</description>
    </item>
    
    <item>
      <title>Analyzing the Attack Surface of Ivanti&#39;s DSM</title>
      <link>https://code-white.com/blog/ivanti-desktop-and-server-management/</link>
      <pubDate>Mon, 12 May 2025 12:00:00 +0000</pubDate>
      
      <guid>https://code-white.com/blog/ivanti-desktop-and-server-management/</guid>
      <description>Ivanti&amp;rsquo;s Desktop &amp;amp; Server Management (DSM) product is an old acquaintance that we have encountered in numerous red team and
internal assessments. The main purpose of the product is the centralized distribution of software
packages. In our blog post &lt;em&gt;Analyzing the Attack Surface of Ivanti&amp;rsquo;s DSM&lt;/em&gt; we take a look at
the software from an attacker&amp;rsquo;s perspective. We discuss common misconfigurations,
uncover the technical details of two vulnerabilities we identified and provide recommendations to harden
existing DSM environments.</description>
    </item>
    
    <item>
      <title>Teaching the Old .NET Remoting New Exploitation Tricks</title>
      <link>https://code-white.com/blog/teaching-the-old-net-remoting-new-exploitation-tricks/</link>
      <pubDate>Wed, 31 Jul 2024 00:00:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/teaching-the-old-net-remoting-new-exploitation-tricks/</guid>
      <description>This blog post provides insights into three exploitation techniques that can still be used in cases of a hardened .NET Remoting server with &lt;code&gt;TypeFilterLevel.Low&lt;/code&gt; and Code Access Security (CAS) restrictions in place. Two of these tricks are considered novel and can help in cases where ExploitRemotingService is stuck.</description>
    </item>
    
    <item>
      <title>Leaking ObjRefs to Exploit HTTP .NET Remoting</title>
      <link>https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/</link>
      <pubDate>Tue, 27 Feb 2024 00:00:00 +0000</pubDate>
      
      <guid>https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/</guid>
      <description>How leaking valid &lt;code&gt;ObjRef&lt;/code&gt;s to target .NET Remoting for Remote Code Execution is not considered a vulnerability – at least according to Microsoft.</description>
    </item>
    
    <item>
      <title>Exploiting ASP.NET TemplateParser — Part II: SharePoint (CVE-2023-33160)</title>
      <link>https://code-white.com/blog/exploiting-asp.net-templateparser-part-2/</link>
      <pubDate>Fri, 29 Sep 2023 00:00:00 +0000</pubDate>
      
      <guid>https://code-white.com/blog/exploiting-asp.net-templateparser-part-2/</guid>
      <description>In Part I, we dug into the internals of the ASP.NET &lt;code&gt;TemplateParser&lt;/code&gt; and elaborated its capabilities with respect to exploitation.
In this part, we will look into whether and how this can also be exploited to gain Remote Code Execution. While this research was originally focussed on the &lt;code&gt;TemplateParser&lt;/code&gt;, the newly discovered technique was also applicable to SharePoint on-premises and SharePoint Online. So we&amp;rsquo;ll elaborate on how SharePoint protects against the use of malicious code and will present a novel trick that allowed these security measures to be bypassed (CVE-2023-33160).</description>
    </item>
    
    <item>
      <title>Exploiting ASP.NET TemplateParser — Part I: Sitecore (CVE-2023-35813)</title>
      <link>https://code-white.com/blog/exploiting-asp.net-templateparser-part-1/</link>
      <pubDate>Mon, 25 Sep 2023 00:00:00 +0000</pubDate>
      
      <guid>https://code-white.com/blog/exploiting-asp.net-templateparser-part-1/</guid>
      <description>The &lt;code&gt;TemplateParser&lt;/code&gt; is fundamental in ASP.NET Web Forms. It is used for parsing different ASP.NET source files such as &lt;code&gt;*.aspx&lt;/code&gt; and for parsing other input from various sources, including user provided data.
In this two part series we will take a deep look into &lt;code&gt;TemplateParser&lt;/code&gt; internals, its capabilities, and how they can be exploited. This knowledge is then applied in the field to demonstrate Remote Code Execution vulnerabilities in Sitecore (CVE-2023-35813) and SharePoint (CVE-2023-33160).</description>
    </item>
    
    <item>
      <title>Blindsiding auditd for Fun and Profit</title>
      <link>https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/</link>
      <pubDate>Thu, 03 Aug 2023 08:40:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/</guid>
      <description>The Linux audit framework provides a powerful audit system for monitoring security relevant events on Linux operating systems. In this blogpost, we demonstrate some attacks on its userspace component auditd with the goal to tamper with audit events to hide malicious activity. We also released two PoCs called daphne and apollon that demonstrate different techniques to tamper with audit events.
Background Over the last couple of years, monitoring and endpoint protection solutions have developed rapidly.</description>
    </item>
    
    <item>
      <title>From Blackbox .NET Remoting to Unauthenticated Remote Code Execution</title>
      <link>https://code-white.com/blog/2023-07-from-blackbox-dotnet-remoting-to-rce/</link>
      <pubDate>Mon, 10 Jul 2023 08:17:48 +0000</pubDate>
      
      <guid>https://code-white.com/blog/2023-07-from-blackbox-dotnet-remoting-to-rce/</guid>
      <description>This is a story on discovering an Unauthenticated Remote Code Execution in a CRM product by the vendor ACT!. What made this story special for us was that we had to take a blackbox approach at the beginning and the system was not exploitable with standard .NET Remoting payloads due to several reasons we&amp;rsquo;ll explain in this blog post.</description>
    </item>
    
    <item>
      <title>Java Exploitation Restrictions in Modern JDK Times</title>
      <link>https://code-white.com/blog/2023-04-java-exploitation-restrictions-in-modern-jdk-times/</link>
      <pubDate>Tue, 11 Apr 2023 17:03:00 +0100</pubDate>
      
      <guid>https://code-white.com/blog/2023-04-java-exploitation-restrictions-in-modern-jdk-times/</guid>
      <description>Java deserialization gadgets have a long history in the context of vulnerability research and go back at least to the year 2015. One of the most popular tools providing a large set of different gadgets is ysoserial by Chris Frohoff. Recently, we observed increasing concerns from the community why several gadgets do not seem to work anymore with more recent versions of JDKs. In this blog post we try to summarize certain facts to re-enable some capabilities which seemed to be broken. But our journey did not begin with deserialization in the first place but rather with looking for alternative ways of executing Java code in recent JDK versions. In this blog post, we will focus on OpenJDK and Oracle implementations. Defenders should therefore adjust their search patterns to these alternative code execution patterns accordingly.</description>
    </item>
    
    <item>
      <title>JMX Exploitation Revisited</title>
      <link>https://code-white.com/blog/2023-03-jmx-exploitation-revisited/</link>
      <pubDate>Mon, 20 Mar 2023 12:05:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2023-03-jmx-exploitation-revisited/</guid>
      <description>The Java Management Extensions (JMX) are used by many if not all enterprise level applications in Java for managing and monitoring of application settings and metrics. While exploiting an accessible JMX endpoint is well known and there are several free tools available, this blog post will present new insights and a novel exploitation technique that allows for instant Remote Code Execution with no further requirements, such as outgoing connections or the existence of application specific MBeans.</description>
    </item>
    
    <item>
      <title>Attacks on Sysmon Revisited - SysmonEnte</title>
      <link>https://code-white.com/blog/2022-09-attacks-on-sysmon-revisited-sysmonente/</link>
      <pubDate>Tue, 06 Sep 2022 11:02:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2022-09-attacks-on-sysmon-revisited-sysmonente/</guid>
      <description>In this blogpost we demonstrate an attack on the integrity of Sysmon which generates a minimal amount of observable events making this attack difficult to detect in environments where no additional security products are installed.</description>
    </item>
    
    <item>
      <title>Bypassing .NET Serialization Binders</title>
      <link>https://code-white.com/blog/2022-06-bypassing-dotnet-serialization-binders/</link>
      <pubDate>Tue, 28 Jun 2022 16:00:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2022-06-bypassing-dotnet-serialization-binders/</guid>
      <description>This was originally posted on blogger here.
Serialization binders are often used to validate types specified in the serialized data to prevent the deserialization of dangerous types that can have malicious side effects with the runtime serializers such as the BinaryFormatter.
In this blog post we&amp;rsquo;ll have a look into cases where this can fail and consequently may allow validation to be bypassed. We&amp;rsquo;ll also walk through two real-world examples of insecure serialization binders in the DevExpress framework (CVE-2022-28684) and Microsoft Exchange (CVE-2022-23277), that both allow remote code execution.</description>
    </item>
    
    <item>
      <title>.NET Remoting Revisited</title>
      <link>https://code-white.com/blog/2022-01-dotnet-remoting-revisited/</link>
      <pubDate>Thu, 27 Jan 2022 15:49:00 +0100</pubDate>
      
      <guid>https://code-white.com/blog/2022-01-dotnet-remoting-revisited/</guid>
      <description>This was originally posted on blogger here.
.NET Remoting is the built-in architecture for remote method invocation in .NET. It is also the origin of the (in-)famous BinaryFormatter and SoapFormatter serializers and not just for that reason a promising target to watch for.
This blog post attempts to give insights into its features, security measures, and especially its weaknesses/vulnerabilities that often result in remote code execution. We&amp;rsquo;re also introducing major additions to the ExploitRemotingService tool, a new ObjRef gadget for YSoSerial.</description>
    </item>
    
    <item>
      <title>RCE in Citrix ShareFile Storage Zones Controller (CVE-2021-22941) – A Walk-Through</title>
      <link>https://code-white.com/blog/2021-09-citrix-sharefile-rce-cve-2021-22941/</link>
      <pubDate>Tue, 21 Sep 2021 10:04:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2021-09-citrix-sharefile-rce-cve-2021-22941/</guid>
      <description>This was originally posted on blogger here.
Citrix ShareFile Storage Zones Controller uses a fork of the third party library NeatUpload. Versions before 5.11.20 are affected by a relative path traversal vulnerability (CTX328123/CVE-2021-22941) when processing upload requests. This can be exploited by unauthenticated users to gain Remote Code Execution.
Come and join us on a walk-through of finding and exploiting this vulnerability.
Background Part of our activities here at Code White is to monitor what vulnerabilities are published.</description>
    </item>
    
    <item>
      <title>About the Unsuccessful Quest for a Deserialization Gadget (or: How I found CVE-2021-21481)</title>
      <link>https://code-white.com/blog/2021-06-about-unsuccessful-quest-for/</link>
      <pubDate>Fri, 11 Jun 2021 12:05:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2021-06-about-unsuccessful-quest-for/</guid>
      <description>This was originally posted on blogger here.
This blog post describes the research on SAP J2EE Engine 7.50 I did between October 2020 and January 2021. The first part describes how I set off to find a pure SAP deserialization gadget, which would allow SAP&amp;rsquo;s P4 protocol to be leveraged for exploitation, and how that led me, by sheer coincidence, to an entirely unrelated, yet critical vulnerability, which is outlined in part two.</description>
    </item>
    
    <item>
      <title>Sophos XG - A Tale of the Unfortunate Re-engineering of an N-Day and the Lucky Find of a 0-Day</title>
      <link>https://code-white.com/blog/2020-07-sophos-xg-tale-of-unfortunate-re/</link>
      <pubDate>Mon, 13 Jul 2020 16:46:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2020-07-sophos-xg-tale-of-unfortunate-re/</guid>
      <description>This was originally posted on blogger here.
On April 25, 2020, Sophos published a knowledge base article (KBA) 135412 which warned about a pre-authenticated SQL injection (SQLi) vulnerability, affecting the XG Firewall product line. According to Sophos this issue had been actively exploited at least since April 22, 2020. Shortly after the knowledge base article, a detailed analysis of the so called Asnarök operation was published. Whilst the KBA focused solely on the SQLi, this write-up clearly indicated that the attackers had somehow extended this initial vector to achieve remote code execution (RCE).</description>
    </item>
    
    <item>
      <title>Liferay Portal JSON Web Service RCE Vulnerabilities</title>
      <link>https://code-white.com/blog/2020-03-liferay-portal-json-vulns/</link>
      <pubDate>Fri, 20 Mar 2020 13:31:00 +0100</pubDate>
      
      <guid>https://code-white.com/blog/2020-03-liferay-portal-json-vulns/</guid>
      <description>This was originally posted on blogger here.
Code White has found multiple critical-rated JSON deserialization vulnerabilities affecting the Liferay Portal versions 6.1, 6.2, 7.0, 7.1, and 7.2. They allow unauthenticated remote code execution via the JSON web services API. Fixed Liferay Portal versions are 6.2 GA6, 7.0 GA7, 7.1 GA4, and 7.2 GA2.
The corresponding vulnerabilities are:
CST-7111: RCE via JSON deserialization (LPS-88051/LPE-1659811)
The JSONDeserializer of Flexjson allows the instantiation of arbitrary classes and the invocation of arbitrary setter methods.</description>
    </item>
    
    <item>
      <title>CVE-2019-19470: Rumble in the Pipe</title>
      <link>https://code-white.com/blog/2020-01-cve-2019-19470-rumble-in-pipe/</link>
      <pubDate>Fri, 17 Jan 2020 10:18:00 +0100</pubDate>
      
      <guid>https://code-white.com/blog/2020-01-cve-2019-19470-rumble-in-pipe/</guid>
      <description>This was originally posted on blogger here.
This blog post describes an interesting privilege escalation from a local user to SYSTEM for a well-known local firewall solution called TinyWall in versions prior to 2.1.13. Besides a .NET deserialization flaw through Named Pipe communication, an authentication bypass is explained as well.
Introduction TinyWall is a local firewall written in .NET. It consists of a single executable that runs once as SYSTEM and once in the user context to configure it.</description>
    </item>
    
    <item>
      <title>Exploiting H2 Database with native libraries and JNI</title>
      <link>https://code-white.com/blog/2019-08-exploit-h2-database-native-libraries-jni/</link>
      <pubDate>Thu, 01 Aug 2019 14:54:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2019-08-exploit-h2-database-native-libraries-jni/</guid>
      <description>This was originally posted on blogger here.
Techniques to gain code execution in an H2 Database Engine are already well known but require H2 being able to compile Java code on the fly. This blog post will show a previously undisclosed way of exploiting H2 without the need of the Java compiler being available, a way that leads us through the native world just to return into the Java world using Java Native Interface (JNI).</description>
    </item>
    
    <item>
      <title>Heap-based AMSI bypass for MS Excel VBA and others</title>
      <link>https://code-white.com/blog/2019-07-heap-based-amsi-bypass-in-vba/</link>
      <pubDate>Fri, 19 Jul 2019 14:03:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2019-07-heap-based-amsi-bypass-in-vba/</guid>
      <description>This was originally posted on blogger here.
This blog post describes how to bypass Microsoft&amp;rsquo;s AMSI (Antimalware Scan Interface) in Excel using VBA (Visual Basic for Applications). In contrast to other bypasses this approach does not use hardcoded offsets or opcodes but identifies crucial data on the heap and modifies it. The idea of a heap-based bypass has been mentioned by other researchers before but at the time of writing this article no public PoC was available.</description>
    </item>
    
    <item>
      <title>Telerik Revisited</title>
      <link>https://code-white.com/blog/2019-02-telerik-revisited/</link>
      <pubDate>Thu, 07 Feb 2019 11:04:00 +0100</pubDate>
      
      <guid>https://code-white.com/blog/2019-02-telerik-revisited/</guid>
      <description>This was originally posted on blogger here.
In 2017, several vulnerabilities were discovered in Telerik UI, a popular UI component library for .NET web applications. Although details and working exploits are public, it often proves to be a good idea to take a closer look at it. Because sometimes it allows you to explore new avenues of exploitation.
Introduction Telerik UI for ASP.NET is a popular UI component library for ASP.</description>
    </item>
    
    <item>
      <title>LethalHTA - A new lateral movement technique using DCOM and HTA</title>
      <link>https://code-white.com/blog/2018-07-lethalhta/</link>
      <pubDate>Fri, 06 Jul 2018 14:08:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2018-07-lethalhta/</guid>
      <description>This was originally posted on blogger here.
The following blog post introduces a new lateral movement technique that combines the power of DCOM and HTA. The research on this technique is partly an outcome of our recent research efforts on COM Marshalling: Marshalling to SYSTEM - An analysis of CVE-2018-0824.
Previous Work Several lateral movement techniques using DCOM were discovered in the past by Matt Nelson, Ryan Hanson, Philip Tsukerman and @bohops.</description>
    </item>
    
    <item>
      <title>Marshalling to SYSTEM - An analysis of CVE-2018-0824</title>
      <link>https://code-white.com/blog/2018-06-cve-2018-0624/</link>
      <pubDate>Fri, 15 Jun 2018 15:19:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2018-06-cve-2018-0624/</guid>
      <description>This was originally posted on blogger here.
In May 2018 Microsoft patched an interesting vulnerability (CVE-2018-0824) which was reported by Nicolas Joly of Microsoft&amp;rsquo;s MSRC:
A remote code execution vulnerability exists in &amp;ldquo;Microsoft COM for Windows&amp;rdquo; when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.</description>
    </item>
    
    <item>
      <title>Poor RichFaces</title>
      <link>https://code-white.com/blog/2018-05-poor-richfaces/</link>
      <pubDate>Wed, 30 May 2018 15:00:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2018-05-poor-richfaces/</guid>
      <description>This was originally posted on blogger here.
RichFaces is one of the most popular component libraries for JavaServer Faces (JSF). In the past, two vulnerabilities (CVE-2013-2165 and CVE-2015-0279) have been found that allow RCE in versions 3.x ≤ 3.3.3 and 4.x ≤ 4.5.3. Code White discovered two new vulnerabilities which bypass the implemented mitigations. Thereby, all RichFaces versions including the latest 3.3.4 and 4.5.17 are vulnerable to RCE.
Introduction JavaServer Faces (JSF) is a framework for building user interfaces for web applications.</description>
    </item>
    
    <item>
      <title>Exploiting Adobe ColdFusion before CVE-2017-3066</title>
      <link>https://code-white.com/blog/2018-03-exploiting-adobe-coldfusion/</link>
      <pubDate>Tue, 13 Mar 2018 15:41:00 +0100</pubDate>
      
      <guid>https://code-white.com/blog/2018-03-exploiting-adobe-coldfusion/</guid>
      <description>This was originally posted on blogger here.
In a recent penetration test my teammate Thomas came across several servers running Adobe ColdFusion 11 and 12. Some of them were vulnerable to CVE-2017-3066 but no outgoing TCP connections were possible to exploit the vulnerability. He asked me whether I had an idea how he could still get a SYSTEM shell and the outcome of the short research effort is documented here.</description>
    </item>
    
    <item>
      <title>Handcrafted Gadgets</title>
      <link>https://code-white.com/blog/2018-01-handcrafted-gadgets/</link>
      <pubDate>Thu, 18 Jan 2018 16:07:00 +0100</pubDate>
      
      <guid>https://code-white.com/blog/2018-01-handcrafted-gadgets/</guid>
      <description>This was originally posted on blogger here.
Introduction In Q4 2017 I was pentesting a customer. Shortly before, I had studied JSON attacks when I stumbled over an internet-facing B2B-portal-type-of-product written in Java they were using (I cannot disclose more details due to responsible disclosure). After a while, I found that one of the server responses sent a serialized Java object, so I downloaded the source code and found a way to make the server deserialize untrusted input.</description>
    </item>
    
    <item>
      <title>SAP Customers: Make sure your SAPJVM is up-to-date!</title>
      <link>https://code-white.com/blog/2017-05-sap-customers-make-sure-your-sapjvm-is/</link>
      <pubDate>Wed, 17 May 2017 16:56:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2017-05-sap-customers-make-sure-your-sapjvm-is/</guid>
      <description>This was originally posted on blogger here.
Summary Code White already has an impressive publication record on Java Deserialization. This post is dedicated to a vulnerability in SAP NetWeaver Java. We could reach remote code execution through the p4 protocol and the Jdk7u21 gadget with certain engines and certain versions of the SAP JVM.
We would like to emphasize the big threat unauthenticated RCE poses to SAP NetWeaver Java. An attacker with a remote shell can read out the secure storage, access the database, create a local NetWeaver user with administrative privileges, in other words, fully compromise the host.</description>
    </item>
    
    <item>
      <title>AMF – Another Malicious Format</title>
      <link>https://code-white.com/blog/2017-04-amf/</link>
      <pubDate>Tue, 04 Apr 2017 16:01:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2017-04-amf/</guid>
      <description>This was originally posted on blogger here.
AMF is a binary serialization format primarily used by Flash applications. Code White has found that several Java AMF libraries contain vulnerabilities, which result in unauthenticated remote code execution. As AMF is widely used, these vulnerabilities may affect products of numerous vendors, including Adobe, Atlassian, HPE, SonicWall, and VMware.
Vulnerability disclosure has been coordinated with US CERT (see US CERT VU#307983).
Summary Code White has analyzed the following popular Java AMF implementations:</description>
    </item>
    
    <item>
      <title>Return of the Rhino: An old gadget revisited</title>
      <link>https://code-white.com/blog/2016-05-return-of-rhino-old-gadget-revisited/</link>
      <pubDate>Wed, 04 May 2016 21:06:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2016-05-return-of-rhino-old-gadget-revisited/</guid>
      <description>This was originally posted on blogger here.
[Update 08/05/2015: Added reference to CVE-2012-3213 of James Forshaw. Thanks for the heads up]
As already mentioned in our Infiltrate &amp;lsquo;16 and RuhrSec &amp;lsquo;16 talks, Code White spent some research time to look for serialization gadgets. Apart from the Javassist/Weld gadget we also found an old but interesting gadget, only using classes from the Java Runtime Environment (so called JRE gadget).
We called the gadget Return of the Rhino since the relevant gadget classes are part of the Javascript engine Rhino, bundled with Oracle JRE6 and JRE7.</description>
    </item>
    
    <item>
      <title>Infiltrate 2016 Slidedeck: Java Deserialization Vulnerabilities</title>
      <link>https://code-white.com/blog/2016-04-infiltrate16-slidedeck-java-deserialization/</link>
      <pubDate>Tue, 12 Apr 2016 16:11:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2016-04-infiltrate16-slidedeck-java-deserialization/</guid>
      <description>This was originally posted on blogger here.
The outcome of Code White&amp;rsquo;s research efforts into Java deserialization vulnerabilities was presented at Infiltrate 2016 by Matthias Kaiser.
The talk gave an introduction into finding and exploiting Java deserialization vulnerabilities. Technical details about the Oracle Weblogic deserialization RCE (CVE-2015-4852) and a SAP Netweaver AS Java 0day were shown.
The slidedeck doesn&amp;rsquo;t include the SAP Netweaver AS Java 0day POC and it won&amp;rsquo;t be published until fixed.</description>
    </item>
    
    <item>
      <title>Compromised by Endpoint Protection: Legacy Edition</title>
      <link>https://code-white.com/blog/2016-02-symantec-endpoint-protection-legacy-edition/</link>
      <pubDate>Tue, 23 Feb 2016 14:50:00 +0100</pubDate>
      
      <guid>https://code-white.com/blog/2016-02-symantec-endpoint-protection-legacy-edition/</guid>
      <description>This was originally posted on blogger here.
The previous disclosure of the vulnerabilities in Symantec Endpoint Protection (SEP) 12.x showed that a compromise of both the SEP Manager as well as the managed clients is possible and can have a severe impact on a whole corporate environment.
Unfortunately, in older versions of SEP, namely the versions 11.x, some flawed features of 12.x weren’t even implemented, e.g., the password reset feature. However, SEP 11.</description>
    </item>
    
    <item>
      <title>Java and Command Line Injections in Windows</title>
      <link>https://code-white.com/blog/2016-02-java-and-command-line-injections-in-windows/</link>
      <pubDate>Thu, 04 Feb 2016 17:03:00 +0100</pubDate>
      
      <guid>https://code-white.com/blog/2016-02-java-and-command-line-injections-in-windows/</guid>
      <description>This was originally posted on blogger here.
Everyone knows that incorporating user provided fragments into a command line is dangerous and may lead to command injection. That’s why in Java many suggest using ProcessBuilder instead where the program’s arguments are supposed to be passed discretely in separate strings.
However, in Windows, processes are created with a single command line string. And since there are different and seemingly confusing parsing rules for different runtime environments, proper quoting seems to be likewise complicated.</description>
    </item>
    
    <item>
      <title>CVE-2015-3269: Apache Flex BlazeDS XXE Vulnerability</title>
      <link>https://code-white.com/blog/2015-08-cve-2015-3269-apache-flex-blazeds-xxe/</link>
      <pubDate>Mon, 24 Aug 2015 13:23:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2015-08-cve-2015-3269-apache-flex-blazeds-xxe/</guid>
      <description>This was originally posted on blogger here.
In a recent Product Security Review, Code White Researchers discovered an XXE vulnerability in Apache Flex BlazeDS/Adobe (see ASF Advisory). The vulnerable code can be found in the BlazeDS Remoting/AMF protocol implementation.
All versions before 4.7.1 are vulnerable. Software products providing BlazeDS Remoting destinations might be also affected by the vulnerability (e.g. Adobe LiveCycle Data Services, see APSB15-20).
Vulnerability Details An AMF message has a header and a body.</description>
    </item>
    
    <item>
      <title>Compromised by Endpoint Protection</title>
      <link>https://code-white.com/blog/2015-07-symantec-endpoint-protection/</link>
      <pubDate>Fri, 31 Jul 2015 08:23:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2015-07-symantec-endpoint-protection/</guid>
      <description>This was originally posted on blogger here.
In a recent research project, Markus Wulftange of Code White discovered several critical vulnerabilities in the Symantec Endpoint Protection (SEP) suite 12.1, affecting versions prior to 12.1 RU6 MP1 (see SYM15-007).
As with any centralized enterprise management solution, compromising a management server is quite attractive for an attacker, as it generally allows some kind of control over its managed clients. Taking control of the manager can yield a takeover of the whole enterprise network.</description>
    </item>
    
    <item>
      <title>Reading/Writing files with MSSQL&#39;s OPENROWSET</title>
      <link>https://code-white.com/blog/2015-06-reading-and-writing-files-with-mssql-openrowset/</link>
      <pubDate>Tue, 09 Jun 2015 15:19:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2015-06-reading-and-writing-files-with-mssql-openrowset/</guid>
      <description>This was originally posted on blogger here.
Unfortunately, Microsoft SQL Server&amp;rsquo;s SQL dialect Transact-SQL does not support reading and writing files in an easy way as opposed to MySQL&amp;rsquo;s LOAD_FILE() function and INTO OUTFILE clause.
Of course, with xp_cmdshell being enabled, you can read and write files using OS commands. However, one is not always blessed with the CONTROL SERVER permission, which is generally only granted with the sysadmin role. But if you happen to have the ADMINISTER BULK OPERATIONS permission (implied by the bulkadmin role), then OPENROWSET is a viable option for both reading and writing files.</description>
    </item>
    
    <item>
      <title>CVE-2015-2079: Arbitrary Command Execution in Usermin</title>
      <link>https://code-white.com/blog/2015-05-cve-2015-2079-rce-usermin/</link>
      <pubDate>Wed, 20 May 2015 14:56:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2015-05-cve-2015-2079-rce-usermin/</guid>
      <description>This was originally posted on blogger here.
While performing a penetration test for a customer, I stumbled across a command execution vulnerability in Usermin that is pretty trivial to identify and to exploit. The interesting part is that this vulnerability survived for almost 13 years.
Introduction According to the Usermin Homepage:
Usermin is a web-based interface for webmail, password changing, mail filters, fetchmail and much more. It is designed for use by regular non-root users on a Unix system, and limits them to tasks that they would be able to perform if logged in via SSH or at the console.</description>
    </item>
    
    <item>
      <title>CVE-2015-0935: PHP Object Injection in Bomgar Remote Support Portal</title>
      <link>https://code-white.com/blog/2015-05-cve-2015-0935-bomgar-remote-support-portal/</link>
      <pubDate>Fri, 08 May 2015 20:48:00 +0200</pubDate>
      
      <guid>https://code-white.com/blog/2015-05-cve-2015-0935-bomgar-remote-support-portal/</guid>
      <description>This was originally posted on blogger here.
Serialization is often used to convert objects into a string representation for communication or to save them for later use. However, deserialization in PHP has certain side effects, which can be exploited by an attacker who is able to provide the data to be deserialized.
This post will give you an insight into the deserialization of untrusted data vulnerability in the Bomgar Remote Support Portal 14.</description>
    </item>
    
    <item>
      <title>$@|sh – Or: Getting a shell environment from Runtime.exec</title>
      <link>https://code-white.com/blog/2015-03-sh-or-getting-shell-environment-from/</link>
      <pubDate>Mon, 09 Mar 2015 09:55:00 +0100</pubDate>
      
      <guid>https://code-white.com/blog/2015-03-sh-or-getting-shell-environment-from/</guid>
      <description>This was originally posted on blogger here.
If you happen to have command execution via Java&amp;rsquo;s Runtime.exec on a Unix system, you may already have noticed that it doesn&amp;rsquo;t behave like a normal shell. Although simple commands like ls -al, uname -a, or netstat -ant work fine, more complex commands and especially commands with indispensable features like pipes, redirections, quoting, or expansions do not work at all.
Well, the reason for that is that the command passed to Runtime.</description>
    </item>
    
    <item>
      <title>Exploiting the hidden Saxon XSLT Parser in Ektron CMS</title>
      <link>https://code-white.com/blog/2015-03-exploiting-hidden-saxon-xslt-parser-in/</link>
      <pubDate>Mon, 02 Mar 2015 14:54:00 +0100</pubDate>
      
      <guid>https://code-white.com/blog/2015-03-exploiting-hidden-saxon-xslt-parser-in/</guid>
      <description>This was originally posted on blogger here.
Another vulnerability I came across was in Ektron CMS. It&amp;rsquo;s a .NET-based Web CMS System. If you want to find running instances try &amp;ldquo;inurl:/workarea filetype:asmx&amp;rdquo; at Google. The interesting thing about it is that Microsoft already reported the initial vulnerability as MSVR12-016 (CVE-2012-5357), but I found a different vector to exploit it.
Summary From US CERT VU#110652:
Ektron Content Management System version 8.5, 8.7, and 9.</description>
    </item>
    
    <item>
      <title>How I could (i)pass your client security</title>
      <link>https://code-white.com/blog/2015-02-how-i-could-ipass-your-client-security/</link>
      <pubDate>Wed, 25 Feb 2015 16:55:00 +0100</pubDate>
      
      <guid>https://code-white.com/blog/2015-02-how-i-could-ipass-your-client-security/</guid>
      <description>This was originally posted on blogger here.
Half a year ago I stumbled over a software called iPass Open Mobile during a Windows Client security review. iPass Open Mobile helps you in getting network connectivity over Wifi-Hotspots, modem, DSL, etc. It&amp;rsquo;s widely deployed on Windows Clients in large corporations.
Summary From US CERT VU#110652:
The iPass Open Mobile Windows Client versions 2.4.4 and earlier allows Remote Code Execution as SYSTEM. It utilizes named pipes for interprocess communication.</description>
    </item>
    
  </channel>
</rss>
