Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

.Net Roulette Exploiting Insecure Deserialization in Telerik UI

DerpCon 2020 presentation reviews how .NET deserialization works and how to get shells on real applications.

Presentation by Caleb Gross at DerpCon 2020

In this presentation, we dig into the internals of CVE-2019-18935, a deserialization vulnerability that allows RCE on the popular web UI suite Telerik UI for ASP.NET AJAX.

After demonstrating how to exploit this issue step-by-step, you'll learn a hands-on approach to debugging a locally running ASP.NET application, quickly assessing the site's attack surface, and examining possible avenues for finding and exploiting insecure uses of deserialization. This presentation is for penetration testers and security researchers who'd like to begin testing deserialization vulnerabilities in .NET software.

Presentation includes:

  1. Exploit Demo
  2. Dispel the Magic
  3. .Net Serialization Primer
  4. Develop POC Exploit
  5. Practical ASP.NET pentest

Caleb Gross Light Gray

About the author, Caleb Gross

Director of Capability Development

Caleb Gross is the Director of the Capability Development at Bishop Fox where he leads a team of offensive security professionals specializing in attack surface research and vulnerability intelligence. Prior to coming to Bishop Fox, he served as an exploitation operator in the US Department of Defense's most elite computer network exploitation (CNE) unit. As a top-rated military officer, Caleb led an offensive operations team in the US Air Force's premier selectively manned cyber attack squadron.
More by Caleb

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.