Gal Nagli
CEO
A new way to achieve Remote Code Execution on .NET servers was disclosed on Feb 27, 2024 in a post by Code White. The vulnerability has been assigned CVE-2024-29059.
Detection and Exploitation
Shockwave was able to create a detection template using Nuclei's YAML rules and to successfully exploit the vulnerability by following CodeWhite's PoC repository.
We have shared our detection template on our dedicated GitHub repository for Attack Surface CVE Threats:
```yaml
id: CVE-2024-29059

info:
  name: Leaking ObjRefs to Exploit HTTP .NET Remoting
  author: shockwave + Critical Thinking
  severity: critical
  tags: rce

requests:
  - raw:
      # Raw request sent to each target
      - |+
        GET /RemoteApplicationMetadata.rem?wsdl HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml
        __RequestVerb: POST

    redirects: true
    matchers:
      # Flags the target when the response body contains a leaked ObjRef URI
      - type: regex
        part: body
        regex:
          - '/[0-9a-f_]+/[0-9A-Za-z_+]+_\d+\.rem'
```
Remediation
Update your ASP.NET application ASAP, and run our detection module to ensure your servers aren't leaking the UUID that is needed to perform the exploit.
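Server logs can also show whether anyone has already sent the template's request or addressed a URI of the shape its matcher looks for. The following is an added example, not Shockwave's or Code White's code; it assumes IIS W3C logs with a `#Fields:` header, and the log lines, IPs and ObjRef-style URI in it are constructed.

```python
import re

# URI shape from the template's matcher regex, anchored to the end of the logged path.
OBJREF_PATH = re.compile(r'/[0-9a-f_]+/[0-9A-Za-z_+]+_\d+\.rem$')
PROBE_FILE = "/remoteapplicationmetadata.rem"  # path requested by the template

# Constructed IIS W3C log excerpt (documentation IP ranges, made-up ObjRef URI).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-03-01 10:00:01 GET /index.aspx - 198.51.100.7 200
2024-03-01 10:00:05 GET /RemoteApplicationMetadata.rem wsdl 203.0.113.9 200
2024-03-01 10:00:06 POST /0123abcd_4567_89ef/AbCdEf012_1.rem - 203.0.113.9 200
2024-03-01 10:01:00 GET /app/remoteapplicationmetadata.rem wsdl 192.0.2.44 404
2024-03-01 10:02:00 GET /docs/readme.rem.txt - 198.51.100.7 200
"""

def hunt(log_text):
    """Return (kind, client_ip, path, status) for each request worth triaging."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-").lower()
        if OBJREF_PATH.search(stem):
            kind = "objref-uri"                # client addressed an ObjRef-style URI
        elif stem.lower().endswith(PROBE_FILE) and "wsdl" in query.split("&"):
            kind = "wsdl-probe"                # same path and query the template sends
        else:
            continue
        findings.append((kind, row.get("c-ip", "?"), stem, row.get("sc-status", "?")))
    return findings

def probe_and_objref(findings):
    """Client IPs that appear with both finding kinds; triage these first."""
    by_ip = {}
    for kind, ip, _, _ in findings:
        by_ip.setdefault(ip, set()).add(kind)
    return sorted(ip for ip, kinds in by_ip.items() if len(kinds) == 2)

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
    print("review first:", probe_and_objref(hunt(SAMPLE_LOG)))
```

A hit is a lead for triage rather than proof of compromise, since the log does not record the response body or the `__RequestVerb` header.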
Closing Words
As always, our customers are the first to know about emerging threats. As proof of this, we were also able to be the first to report to various Bug Bounty Programs and help more entities protect their Attack Surface, in this case together with our friends at the Critical Thinking Podcast.