Hyland OnBase
cpe:2.3:a:hyland:onbase:*:*:*:*:*:*:*
- < 17.0.2.87
Hyland OnBase versions prior to 17.0.2.87 contain a remote code execution vulnerability; other versions may also be affected. The flaw is insecure deserialization on the .NET Remoting TCP channel, where untrusted input is deserialized using the .NET BinaryFormatter. Exploitation allows an attacker to execute arbitrary code with the highest privileges, in the context of NT AUTHORITY\SYSTEM.
Exploitation of this vulnerability leads to unauthorized remote code execution on the affected system, with the executed code running under the NT AUTHORITY\SYSTEM account, allowing for full system compromise.
The vulnerability can be reproduced by sending a crafted payload that exploits the deserialization flaw in the .NET Remoting TCP channel. This can be done using the ysoserial tool to create a payload that, when deserialized, executes a command on the server. The generated payload can then be sent to the OnBase server's TimerServer endpoint on port 6031 using ExploitRemotingService.exe.
Users can upgrade to OnBase version 24.1, which addresses this vulnerability. For instructions on upgrading, consult the Hyland Community or the OnBase Upgrade Guidelines.
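For monitoring the exposed service until the upgrade is in place, the following added example (not code from this advisory or from Hyland) recognizes .NET Remoting TCP frame headers, using the framing published in Microsoft's MS-NRTP specification, and flags requests to port 6031 or the TimerServer endpoint that come from outside an allowlist. The host name, the allowlisted subnet and the sample frame are constructed assumptions.

```python
import ipaddress
import struct

PREAMBLE = b".NET\x01\x00"                    # MS-NRTP ProtocolId ".NET" + version 1.0
OPERATIONS = {0: "Request", 1: "OneWayRequest", 2: "Reply"}
HEADER_NAMES = {4: "uri", 6: "content_type"}  # RequestUri and ContentType tokens

def parse_remoting_header(buf):
    """Parse the start of a .NET Remoting TCP frame; None if it is not one."""
    if len(buf) < 10 or not buf.startswith(PREAMBLE):
        return None
    op, chunked = struct.unpack_from("<HH", buf, 6)
    info = {"operation": OPERATIONS.get(op, "unknown"), "uri": None, "content_type": None}
    off = 10 if chunked else 14               # unchunked frames carry an int32 length
    try:
        while True:
            (token,) = struct.unpack_from("<H", buf, off)
            if token not in HEADER_NAMES:     # 0 = EndHeaders; others not needed here
                break
            # data type 1 = CountedString: encoding byte, int32 length, bytes
            dtype, enc, n = struct.unpack_from("<BBi", buf, off + 2)
            start = off + 8
            if dtype != 1 or n < 0 or start + n > len(buf):
                break
            codec = "utf-8" if enc == 1 else "utf-16-le"
            info[HEADER_NAMES[token]] = buf[start:start + n].decode(codec, "replace")
            off = start + n
    except struct.error:
        pass                                  # truncated capture: keep what was parsed
    return info

def triage(src_ip, dst_port, payload, allowed_nets):
    """Return an alert string for an unexpected Remoting request, else None."""
    hdr = parse_remoting_header(payload)
    if hdr is None or hdr["operation"] == "Reply":
        return None
    to_timer = dst_port == 6031 or (hdr["uri"] or "").rstrip("/").endswith("/TimerServer")
    src = ipaddress.ip_address(src_ip)
    if to_timer and not any(src in ipaddress.ip_network(n) for n in allowed_nets):
        return f"{src_ip} -> :{dst_port} {hdr['operation']} uri={hdr['uri']}"
    return None

# Constructed sample: frame header only, zero-length body, hypothetical host name.
def field(token, text):
    raw = text.encode()
    return struct.pack("<HBBi", token, 1, 1, len(raw)) + raw

SAMPLE = (PREAMBLE + struct.pack("<HHi", 0, 0, 0) + field(6, "application/octet-stream")
          + field(4, "tcp://onbase.example:6031/TimerServer") + b"\x00\x00")
ALLOWED = ["10.20.0.0/24"]                    # assumed application-server subnet
```

Feed `triage` the first bytes of each reassembled client-to-server stream; it inspects only the frame header and never deserializes the message body.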