Altec DocLink Unauthenticated .NET Remoting Vulnerability Allowing Arbitrary File Read/Write and Remote Code Execution

A vulnerability in Altec DocLink version 4.0.336.0, now maintained by Beyond Limits Inc., exposes insecure .NET Remoting endpoints over TCP and HTTP/SOAP via the Altec.RDCHostService.exe. The ObjectURI 'doclinkServer.soap' is affected. This service, which does not require authentication, is vulnerable to unsafe object unmarshalling. Remote attackers can exploit this to read arbitrary files from the system by specifying local file paths. Furthermore, the vulnerability allows coercion of SMB authentication through UNC paths, enabling attackers to write arbitrary files to server locations. If these writable paths are accessible via the web under IIS, it could lead to unauthenticated remote code execution or a denial-of-service condition through file overwriting.

Impact

Exploitation of this vulnerability could result in unauthorized access to files on the server, potential remote code execution, or a denial-of-service condition due to file overwriting.