Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Molding lies into reality || Exploiting CVE-2024-4358- 1428

SinSinology, posted 1 year ago
  • SinSinology saw an advisory for an RCE bug via deserialization in Telerik Report Server, a report management solution. Although the bug required authentication, it was interesting enough that the author dug into it and went looking for an authentication bypass to pair with it.
  • The product processes many different file types and renders charts and other graphics on the server side before presenting them to the user, so the author suspected it was a prime candidate for a deserialization issue.
  • During deserialization, if a type is not recognised the deserializer attempts to resolve it from the type information supplied in the XML. In particular, a supplied ResourceDictionary can specify the execution path, and through a ProcessStartInfo parameter it is possible to launch cmd on Windows. The post gives much more detail on the exact path to get there.
  • While setting up the software to reproduce the bug above, the author discovered an authentication bypass. At first start-up, the installing user is supposed to call Register to create the administrative account. However, nothing checks that initial setup has already been completed, so any later caller can invoke Register and create a user with the System Admin role. This effectively creates a backdoor user.
  • I found the beginning of this post hard to read with all of the code snippets. If you were trying to understand this specific piece of software well (unlike me, who just wants to understand the vulnerability), then it would be super useful though. The author runs a course on dotnet hacking, which I'm sure would be filled with juicy C# knowledge after reading this.
  • The authentication bypass pattern is fairly common, according to the author, so it is something to keep an eye out for. As for the deserialization, there is a lot of custom handling for generic types here, which is 100% a red flag.
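
To make the bypass pattern concrete, here is an added example of my own (not code from SinSinology's post, and not Telerik's code) that models a first-run Register endpoint in Python. The vulnerable shape trusts that only the installer will ever call it; the hardened shape checks server-side state before minting an administrator. The names AppState, register_vulnerable and register_hardened are assumptions, and the in-memory dictionary stands in for a database.

```python
"""Model of a first-run 'Register' endpoint: the vulnerable shape beside the fixed one.

Added example; not code from SinSinology's post or from Telerik. The names
(AppState, register_vulnerable, register_hardened) and the in-memory store are
assumptions made to keep the model self-contained.
"""
import hashlib
import threading
from dataclasses import dataclass, field

SYSTEM_ADMIN = "System Administrator"


class RegistrationError(Exception):
    """Raised when first-run registration is attempted after setup is done."""


@dataclass
class User:
    username: str
    password_hash: str  # stand-in only; a real app uses a password KDF (bcrypt/argon2)
    roles: set


@dataclass
class AppState:
    users: dict = field(default_factory=dict)
    setup_completed: bool = False
    lock: threading.Lock = field(default_factory=threading.Lock)


def _hash(password: str) -> str:
    # Placeholder so the model does not store plaintext; NOT a real password hash.
    return hashlib.sha256(password.encode()).hexdigest()


def register_vulnerable(state: AppState, username: str, password: str) -> User:
    """First-run registration as the bug class looks: meant for the installer, but
    nothing checks that setup already happened, so any later caller can mint a
    new user carrying the System Administrator role (a backdoor account)."""
    user = User(username, _hash(password), {SYSTEM_ADMIN})
    state.users[username] = user
    state.setup_completed = True  # set, but never consulted
    return user


def register_hardened(state: AppState, username: str, password: str) -> User:
    """Same endpoint with the missing check: refuse once setup is complete or an
    administrator already exists, under a lock so two concurrent first-run
    requests cannot both succeed."""
    with state.lock:
        admin_exists = any(SYSTEM_ADMIN in u.roles for u in state.users.values())
        if state.setup_completed or admin_exists:
            raise RegistrationError("initial setup already completed")
        user = User(username, _hash(password), {SYSTEM_ADMIN})
        state.users[username] = user
        state.setup_completed = True
        return user


def has_admin_backdoor(state: AppState, installer: str) -> bool:
    """True if anyone other than the installer holds the admin role."""
    return any(SYSTEM_ADMIN in u.roles
               for name, u in state.users.items() if name != installer)


def run_scenario(register) -> bool:
    """Installer registers first, then an unauthenticated 'attacker' calls the same
    endpoint. Returns True if the attacker ended up with an admin account."""
    state = AppState()
    register(state, "installer", "correct horse battery staple")
    try:
        register(state, "attacker", "letmein")
    except RegistrationError:
        pass
    return has_admin_backdoor(state, "installer")


if __name__ == "__main__":
    print("vulnerable: attacker got admin ->", run_scenario(register_vulnerable))
    print("hardened:   attacker got admin ->", run_scenario(register_hardened))
```

The point of the hardened version is that the "only the installer calls this" assumption is enforced by state the server owns (the setup flag and the existing admin list), not by a client-side redirect or by obscurity of the URL. In a real product the flag must be persisted, the check must happen inside the handler before any write, and the endpoint is ideally unrouted altogether once setup completes; the lock is there because two first-run requests racing each other would otherwise both pass the check.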