To B or Not 2B: Breaking the IBM B2B Integrator with, and without authentication

The Sterling B2B Integrator is a commercial solution by IBM that businesses can use to exchange data and documents with their partners.

What sounded like an uneventful assessment turned slightly more dramatic when we discovered the implications of disabling authentication for one of its components. Easy fix – curtain call, right? The real plot twist came when a second method of exploitation was found – this time with authentication enabled, leaving the attacker with a philosophical dilemma: To auth, or not to auth?

This is the short story of CVE-2024-31903 – a pre-auth RCE – and its unsung companion, an LPE exploit: two now-patched 0-days found against the B2B Integrator. We muse on the joys of reverse engineering legacy Java services and analysing proprietary binary protocols. Finally, we break the fourth wall with a demo of the PoC exploit developed, resulting in a cathartic reverse shell.

Join us in yet another demonstration of why deserialization is hard, how to make it less so, and how attackers can sometimes cash in by… zooming out!