.Net Roulette Exploiting Insecure Deserialization in Telerik UI
DerpCon 2020 presentation reviews how .NET deserialization works and how to get shells on real applications.
Presentation by Caleb Gross at DerpCon 2020
In this presentation, we dig into the internals of CVE-2019-18935, a deserialization vulnerability that allows RCE on the popular web UI suite Telerik UI for ASP.NET AJAX.
After demonstrating how to exploit this issue step-by-step, you'll learn a hands-on approach to debugging a locally running ASP.NET application, quickly assessing the site's attack surface, and examining possible avenues for finding and exploiting insecure uses of deserialization. This presentation is for penetration testers and security researchers who'd like to begin testing deserialization vulnerabilities in .NET software.
- Exploit Demo
- Dispel the Magic
- .Net Serialization Primer
- Develop POC Exploit
- Practical ASP.NET pentest