Vulnerability (CVE-2022-26503) in Veeam Agent for Microsoft Windows allows local privilege escalation. An attacker who successfully exploited this vulnerability could run arbitrary code with LOCAL SYSTEM privileges.
Shout out to @ultrayoba
The implemented patch shows blood trail of Deserialization:
Veeam official KB mentions:
Veeam Agent for Microsoft Windows uses Microsoft .NET data serialization mechanisms. A local user may send malicious code to the network port opened by Veeam Agent for Windows Service (TCP 9395 by default), which will not be deserialized properly.
Reviewing process behind the specified port results in finding Veeam.EndPoint.Service.exe
Reviewing Veeam.EndPoint.Service.exe
indicates registration of VeeamService
for .NET Remoting
Processes communicating with the registered channel gives out information about Veeam.EndPoint.Tray.exe
showing this channel gets used by Tray process
Loaded modules by the Tray indicate Veeam.Common.Remoting.dll
Use of TcpClientChannel
with enabled Secure