Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Buy A Help Desk, Bundle A Remote Access Solution? (SolarWinds Web Help Desk Pre-Auth RCE Chain(s))

watchTowr Labs, posted 23 days ago
  • In 2024, SolarWinds Web Help Desk made headlines after being exploited in the wild with a pre-auth RCE via Java deserialization, which led to several other issues being discovered that year. The post walks through several new bugs the authors found in SolarWinds in recent months.
  • CVE-2024-28986 is a good case study. The application uses the Java WebObjects framework, a stateful web framework in which the final path segment is a dotted sequence of numbers that encodes the user's state. The first number is the current state (an operation counter) that increments with each action; the remaining numbers encode the hierarchy of pages and components currently in use. WebObjects requires traversing the full component hierarchy to reach a given page or component.
  • The API request /helpdesk/WebObjects/Helpdesk.woa/ajax/9.7.43.0.0.0.4.3.7.0.7.1.1.1 carries a method and a params parameter in its JSON body. Following this, they found the method takeValueForKey(), which performs deserialization via a custom JSON-to-Java bridge. Further down the path it is a classic setter-based deserialization attack in which the attacker controls the target type. WrapperConnectionPoolDataSource exposes such a setter, and this leads to RCE.
  • CVE-2025-26399 was a bypass of the fix for the original SolarWinds issue. The patch added a regex-based blacklist check for classes that were NOT allowed. The request JSON body is decoded with Apache Commons, but the same JSON is then extracted by a different parser, org.json.JSONObject. They found an encoding difference between the two libraries: Apache Commons didn't support short hex escape sequences (2 bytes instead of 4), but JSONObject did. So java\x43lass slipped past the check.
  • Crazily enough, this wasn't how CVE-2025-26399 was exploited. The new sanitizeRequest method parses the JSON with Jackson and checks whether the params key is present; if so, it overrides params with an empty array. Why? If the request includes parameters for AjaxProxy, it strips them away. Using the same trick as before, this can be bypassed with p\x61rams: Jackson doesn't interpret the \x escape, so the sanitizer logic is bypassed and this yields a new zero-day in SolarWinds!
  • They also found an authentication bypass through the odd routing in Java WebObjects. WebObjects is supposed to enforce hierarchical page traversal, but the wopage parameter allows selecting an arbitrary page, which makes it possible to reach any page without authentication. Combining this with the previous RCE bug and a new gadget, they got a pre-auth RCE. They had an additional, less powerful authentication bypass as well.
  • Overall, a great post on real vulnerability discovery. It's funny that they found a bypass for a fix without even realizing it initially. Patch bypasses are fairly common, especially with something like SolarWinds, whose design makes fixing it feel like a game of whack-a-mole.
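The two escape-differential bypasses described above (the java\x43lass blacklist bypass and the p\x61rams sanitizer bypass) share one root cause: the value is checked in one parser's view and consumed in another's. The following is an added example, not code from the post or from SolarWinds; the two unescape functions are constructed stand-ins for the two parsers, and the denylist token javaClass is constructed for illustration.

```python
import re
from typing import Optional

# Constructed denylist token: java\x43lass decodes to it because \x43 is 'C'.
DENYLIST = re.compile(r"javaClass", re.IGNORECASE)
_STD_ESCAPE = re.compile(r"\\u([0-9A-Fa-f]{4})")   # standard JSON \uXXXX
_SHORT_HEX = re.compile(r"\\x([0-9A-Fa-f]{2})")    # non-standard \xHH


def standard_unescape(text: str) -> str:
    """Parser A (stand-in for the checking side): decodes only \\uXXXX.
    A \\xHH sequence is not understood and is left verbatim."""
    return _STD_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def lenient_unescape(text: str) -> str:
    """Parser B (stand-in for the consuming side): also accepts \\xHH."""
    text = _SHORT_HEX.sub(lambda m: chr(int(m.group(1), 16)), text)
    return standard_unescape(text)


def vulnerable_filter(raw: str) -> Optional[str]:
    """The flawed pattern: the denylist sees parser A's view of the input,
    but parser B's view is what gets used downstream."""
    if DENYLIST.search(standard_unescape(raw)):
        return None          # blocked
    return lenient_unescape(raw)   # forwarded as decoded by the other parser


def hardened_filter(raw: str) -> Optional[str]:
    """Decode exactly once, refuse escapes the JSON standard does not define,
    and apply the check to the decoded value that will actually be used."""
    if _SHORT_HEX.search(raw):
        return None          # unknown escape: reject rather than guess
    decoded = standard_unescape(raw)
    return None if DENYLIST.search(decoded) else decoded
```

Running vulnerable_filter on java\x43lass returns javaClass (the check never saw that string), while hardened_filter rejects it and also rejects the equivalent \u0043 spelling because it checks the decoded value.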