# CVE-2022-26503
## Summary:
Vulnerability (CVE-2022-26503) in Veeam Agent *for Microsoft Windows* allows local privilege escalation. An attacker who successfully exploited this vulnerability could run arbitrary code with LOCAL SYSTEM privileges.
Shout out to @ultrayoba
## The Patch:
The implemented patch shows a blood trail of deserialization:

**Veeam official KB mentions:**
> Veeam Agent *for Microsoft Windows* uses Microsoft .NET data serialization mechanisms. A local user may send malicious code to the network port opened by Veeam Agent for Windows Service *(TCP 9395 by default),* which will not be deserialized properly.
## Analysis:
Reviewing the process behind the specified port leads to `Veeam.EndPoint.Service.exe`.

Reviewing `Veeam.EndPoint.Service.exe` shows that it registers `VeeamService` for .NET Remoting.

Looking at the processes that communicate with the registered channel points to `Veeam.EndPoint.Tray.exe`, which shows that the channel is used by the Tray process.

The modules loaded by the Tray process include `Veeam.Common.Remoting.dll`.

`TcpClientChannel` is used with `Secure` enabled.
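
The first steps of this analysis can be repeated on a host you administer to see whether the remoting channel is exposed and which binaries sit on each side of it. The script below is an added example, not part of the original write-up; it assumes the default port from the Veeam KB (TCP 9395) and an elevated PowerShell session, and `Get-ProcInfo` is a hypothetical helper name.

```powershell
# Added example: inventory the listener on the agent's remoting port and its clients.
# Assumption: default port from the Veeam KB (TCP 9395); override with -Port if changed.
param([int]$Port = 9395)

function Get-ProcInfo([int]$ProcessId) {
    # CIM exposes the image path and owning service for a given PID
    $p   = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    $svc = Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId"
    [pscustomobject]@{
        Pid     = $ProcessId
        Name    = $p.Name
        Path    = $p.ExecutablePath
        Service = ($svc.Name -join ',')
        RunsAs  = ($svc.StartName -join ',')
        # File version, to compare against the fixed builds listed in the vendor KB
        Version = if ($p.ExecutablePath) { (Get-Item $p.ExecutablePath).VersionInfo.FileVersion }
    }
}

# Step 1: which process owns the listener, and on which address is it bound?
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) { Write-Output "Nothing is listening on TCP $Port"; return }
foreach ($l in $listeners) {
    Get-ProcInfo $l.OwningProcess |
        Add-Member -NotePropertyName BoundTo -NotePropertyValue $l.LocalAddress -PassThru |
        Format-List
}

# Step 2: which processes currently hold a connection to that port?
# Note: this also matches outbound connections to other hosts on the same port number.
$clients = Get-NetTCPConnection -RemotePort $Port -State Established -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty OwningProcess -Unique
foreach ($id in $clients) {
    Get-ProcInfo $id | Format-List
    # Step 3: remoting-related modules loaded by the client process
    (Get-Process -Id $id -ErrorAction SilentlyContinue).Modules |
        Where-Object ModuleName -like '*Remoting*' |
        Select-Object ModuleName, FileName |
        Format-Table -AutoSize
}
```

A listener that reports `RunsAs` as `LocalSystem` on this port is the service described above; the `Version` field is what to check against the vendor's fixed builds.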

## Exploit:
