March 28, 2024

Gal Nagli


Shockwave Attack Surface Management - CVE-2024-29059 .NET Remote Code Execution

CVE-2024-29059 .NET Remote Code Execution through Leaking ObjRefs to Exploit HTTP .NET Remoting

A new way to achieve Remote Code Execution on .NET servers has been disclosed on Feb 27, 2024 by Code White Post the vulnerability has been assigned CVE-2024-29059.

Detection and Exploitation

Shockwave was able to create detection template using Nuclei's YAML rules and to successfully exploit the vulnerability by following CodeWhite's POC repository

We have shared our detection template on our dedicated Github Repository for Attack Surface CVE Threats:

Detection Link

id: CVE-2024-29059

  name: Leaking ObjRefs to Exploit HTTP .NET Remoting
  author: shockwave + Critical Thinking
  severity: critical
  tags: rce

- raw:
  - |+
    GET /RemoteApplicationMetadata.rem?wsdl HTTP/1.1
    Host: {{Hostname}}
    Content-Type: text/xml
    __RequestVerb: POST

  redirects: true
  - type: regex
    part: body
    - '/[0-9a-f_]+/[0-9A-Za-z_+]+_\d+\.rem'


Update your ASP.NET application ASAP, run our detection module to ensure your servers aren't leaking the UUID that is needed to perform the exploit.

Closing Words

As always, our customers are the first to know on emerging threats, as proof of our testimony we were also able to be the first to report to various Bug Bounty Programs and help more entities protect their Attack Surface, in this case together with our friends at Critical Thinking Podcast.

The security first platform

Supercharge your security

Identify, Secure and Continuously Monitor your Externally Facing Attack Surface.
Significantly Improve your security posture within minutes with an easy, smooth onboarding process.

Get Started