Ivanti's Desktop & Server Management (DSM) product is an old acquaintance that we have encountered in numerous red team and internal assessments. The main purpose of the product is the centralized distribution of software packages. In our blog post *Analyzing the Attack Surface of Ivanti's DSM* we take a look at the software from an attacker's perspective. We discuss common misconfigurations, uncover the technical details of two vulnerabilities we identified and provide recommendations to har...| code-white.com
This blog post provides insights into three exploitation techniques that can still be used in cases of a hardened .NET Remoting server with `TypeFilterLevel.Low` and Code Access Security (CAS) restrictions in place. Two of these tricks are considered novel and can help in cases where ExploitRemotingService is stuck.| CODE WHITE | Red Teaming & Attack Surface Management
How leaking valid `ObjRef`s to target .NET Remoting for Remote Code Execution is not considered a vulnerability – at least according to Microsoft.| code-white.com
In Part I, we dug into the internals of the ASP.NET `TemplateParser` and elaborated its capabilities in respect to exploitation. In this part, we will look into whether and how this can also be exploited to gain Remote Code Execution. While this research was originally focussed on the `TemplateParser`, the newly discovered technique was also applicable to SharePoint on-premises and SharePoint Online. So we'll elaborate on how SharePoint protects against the use of malicious code and will pres...| CODE WHITE | Red Teaming & Attack Surface Management
The `TemplateParser` is fundamental in ASP.NET Web Forms. It is used for parsing different ASP.NET source files such as `*.aspx` and for parsing other input from various sources, including user provided data. In this two part series we will take a deep look into `TemplateParser` internals, its capabilities, and how they can be exploited. This knowledge is then applied in the field to demonstrate Remote Code Execution vulnerabilities in Sitecore (CVE-2023-35813) and SharePoint (CVE-2023-33160).| CODE WHITE | Red Teaming & Attack Surface Management
| CODE WHITE | Red Teaming & Attack Surface Management
This is a story on discovering an Unauthenticated Remote Code Execution in a CRM product by the vendor ACT!. What made this story special for us was that we had to take a blackbox approach at the beginning and the system was not exploitable with standard .NET Remoting payloads due to several reasons we'll explain in this blog post.| CODE WHITE | Red Teaming & Attack Surface Management
Java deserialization gadgets have a long history in context of vulnerability research and at least go back to the year 2015. One of the most popular tools providing a large set of different gadgets is ysoserial by Chris Frohoff. Recently, we observed increasing concerns from the community why several gadgets do not seem to work anymore with more recent versions of JDKs. In this blog post we try to summarize certain facts to reenable some capabilities which seemed to be broken. But our journey...| CODE WHITE | Red Teaming & Attack Surface Management
The Java Management Extensions (JMX) are used by many if not all enterprise level applications in Java for managing and monitoring of application settings and metrics. While exploiting an accessible JMX endpoint is well known and there are several free tools available, this blog post will present new insights and a novel exploitation technique that allows for instant Remote Code Execution with no further requirements, such as outgoing connections or the existence of application specific MBeans.| CODE WHITE | Red Teaming & Attack Surface Management
In this blogpost we demonstrate an attack on the integrity of Sysmon which generates a minimal amount of observable events making this attack difficult to detect in environments where no additional security products are installed.| CODE WHITE | Red Teaming & Attack Surface Management
| CODE WHITE | Red Teaming & Attack Surface Management
| CODE WHITE | Red Teaming & Attack Surface Management
| CODE WHITE | Red Teaming & Attack Surface Management
Public list of vulnerabilities, found by CODE WHITE| code-white.com
This was originally posted on blogger here. .NET Remoting is the built-in architecture for remote method invocation in .NET. It is also the origin of the (in-)famous BinaryFormatter and SoapFormatter serializers and not just for that reason a promising target to watch for. This blog post attempts to give insights into its features, security measures, and especially its weaknesses/vulnerabilities that often result in remote code execution. We’re also introducing major additions to the Exploi...| code-white.com