Veeam ONE Agent .NET Deserialization

Posted by deepcore on May 5, 2020 – 7:33 pm

This Metasploit module exploits a .NET deserialization vulnerability in the Veeam ONE Agent before the hotfix versions 9.5.5.4587 and 10.0.1.750 in the 9 and 10 release lines. Specifically, the module targets the HandshakeResult() method used by the Agent. By inducing a failure in the handshake, the Agent will deserialize untrusted data. Tested against the pre-patched release of 10.0.0.750. Note that Veeam continues to distribute this version but with the patch pre-applied.

This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.

« Outline Service 1.3.3 Unquoted Service Path HP Performance Monitoring xglance Privilege Escalation »

:: Deepquest ::

This site contains information which could be considered illegal in some countries. It is provided here for educational use only and is not intended to be used for illegal activities.

Veeam ONE Agent .NET Deserialization

Post a reply

Tabs Switcher

Categories

Archives

Meta

BLOGROLL