.NET Remote Code Execution (MS14-026/CVE-2014-1806)
Today, I saw pig in the safekey group saying that I have been paying attention to a .NET remote code execution vulnerability for a long time. So I immediately went to exploit-db and found http://www.exploit-db.com/exploits/35280/.
This is a vulnerability that Microsoft patched in May: MS14-026/CVE-2014-1806, credited to James Forshaw. Details are in the Microsoft security bulletin at https://technet.microsoft.com/library/security/ms14-026. The cause of the vulnerability is that the TypeFilterLevel handling in the .NET Remoting service is flawed when processing data formats. When crafted data is sent, arbitrary code can be executed.
Affected Versions:
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4
Microsoft .NET Framework 4.5
Microsoft .NET Framework 4.5.1
But don't worry: as Microsoft said, .NET Remoting is not widely used. I did not find any third-party programs using it in search engines, so I said on Weibo that the impact is not great; however, some large enterprises still use it. For those not familiar with it, here is a brief look at .NET Remoting and the circumstances under which the vulnerability exists.
.NET Remoting Services is a way to provide services externally. You can think of it much as you would a web server. The difference is that .NET Remoting Services is based on a client/server (C/S) architecture.
Conditions for exploitation:
1. The vulnerability exists only when a .NET Remoting service is used that was developed on one of the affected versions listed above.
2. The service name of the .NET Remoting service and its listening port are known.
OK. With this in mind, you can go through open-source programs, or decompile programs, to see whether .NET Remoting is used in the code.
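An added example (not from the original post or from the exploit author): a small Python audit that a defender can run over their own C# sources to inventory .NET Remoting servers. It reports the listening ports and object URIs (the "service name" in condition 2) and whether TypeFilterLevel.Full is set. The sample source, its class name and its port are constructed.

```python
import re

# Real .NET Framework type and method names that indicate Remoting server code.
INDICATORS = {
    "namespace": re.compile(r"\bSystem\.Runtime\.Remoting\b"),
    "channel": re.compile(r"\bnew\s+(Tcp|Http|Ipc)(Server)?Channel\s*\("),
    "registration": re.compile(
        r"\b(RegisterWellKnownServiceType|RegisterActivatedServiceType|"
        r"RemotingServices\.Marshal|RemotingConfiguration\.Configure)\b"),
    "full_type_filter": re.compile(r"\bTypeFilterLevel\.Full\b"),
}
# Literal port passed to a channel constructor, e.g. new TcpChannel(9000)
PORT = re.compile(r"\bnew\s+(?:Tcp|Http)(?:Server)?Channel\s*\(\s*(\d+)")
# Object URI in RegisterWellKnownServiceType(typeof(T), "name", ...)
URI = re.compile(
    r'RegisterWellKnownServiceType\s*\(\s*typeof\s*\([^)]*\)\s*,\s*"([^"]+)"')
# String literals are matched first so that "tcp://..." is not cut as a comment.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

# Constructed sample server source (names and port are illustrative only).
SAMPLE = r'''
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels.Tcp;
// old listener: new TcpChannel(9001)
class Server {
    static void Main() {
        ChannelServices.RegisterChannel(new TcpChannel(9000), false);
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(InventoryService), "InventoryService",
            WellKnownObjectMode.Singleton);
    }
}
'''

def strip_comments(src):
    """Remove // and /* */ comments but keep string literals intact."""
    return TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", src)

def audit(src):
    """Summarise .NET Remoting usage found in one C# source text."""
    code = strip_comments(src)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(code))
    return {
        "uses_remoting": bool(set(hits) - {"full_type_filter"}),
        "indicators": hits,
        "ports": sorted({int(p) for p in PORT.findall(code)}),
        "object_uris": sorted(set(URI.findall(code))),
        "type_filter_full": "full_type_filter" in hits,
    }
```

Ports or URIs supplied through an app.config file or a variable are not resolved by these patterns, so a hit on `RemotingConfiguration.Configure` means the configuration file needs reviewing as well.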
Next, let's test this vulnerability. The exp provided by the author includes usage of the exploit and a test server program. Because port 12345 was occupied, I slightly changed the server program, changing the port to 8002, and then ran it in a virtual machine for testing.