Calero VeraSMART .NET Remoting Unauthenticated Arbitrary File Operations Leading to ViewState RCE Vulnerability
Vulnerability
A vulnerability exists in Calero VeraSMART versions prior to 2022 R1, where an unauthenticated .NET Remoting HTTP service is exposed on TCP port 8001. This service publishes default ObjectURIs, including EndeavorServer.rem and RemoteFileReceiver.rem, and allows the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can exploit these remoting endpoints to perform arbitrary file read and write operations using the WebClient class. This exploitation can lead to the retrieval of sensitive files, such as WebRoot\web.config, which may contain critical IIS machineKey validation and decryption keys. These keys can be used to create a malicious ASP.NET ViewState payload, enabling remote code execution within the IIS application context. Furthermore, providing a UNC path can initiate outbound SMB authentication from the service account, potentially revealing NTLMv2 hashes for relay or offline cracking.
Impact
Exploitation of this vulnerability allows for arbitrary file read and write operations, with the potential to execute remote code in the context of the IIS application. Additionally, the vulnerability can be exploited to access sensitive authentication hashes that could be relayed or cracked offline.
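A defender-side check for the exposure described under Vulnerability, as an added example that is not part of the advisory or the vendor's code: it audits a standard .NET Remoting `<system.runtime.remoting>` configuration for formatters running at typeFilterLevel Full and for channels published without channel authentication. The sample configuration is constructed, and whether VeraSMART configures its remoting service from a file of this shape rather than in code is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the standard .NET Remoting config schema (not taken
# from VeraSMART); it mirrors the exposure the advisory describes.
SAMPLE_CONFIG = """<configuration>
  <system.runtime.remoting>
    <application>
      <service>
        <wellknown mode="Singleton" type="Example.Server, Example" objectUri="EndeavorServer.rem" />
        <wellknown mode="Singleton" type="Example.Receiver, Example" objectUri="RemoteFileReceiver.rem" />
      </service>
      <channels>
        <channel ref="http" port="8001">
          <serverProviders>
            <formatter ref="soap" typeFilterLevel="Full" />
            <formatter ref="binary" typeFilterLevel="Full" />
          </serverProviders>
        </channel>
      </channels>
    </application>
  </system.runtime.remoting>
</configuration>"""


def audit_remoting(xml_text):
    """Return one finding string per risky setting on each remoting channel."""
    root = ET.fromstring(xml_text)
    findings = []
    uris = [w.get("objectUri") for w in root.iter("wellknown")]
    for ch in root.iter("channel"):
        kind, port = ch.get("ref", "?"), ch.get("port", "?")
        # typeFilterLevel defaults to Low when the attribute is absent.
        full = [f.get("ref") for f in ch.findall("serverProviders/formatter")
                if (f.get("typeFilterLevel") or "Low").lower() == "full"]
        if full:
            findings.append(f"{kind}:{port} formatters {full} use typeFilterLevel=Full")
        # A tcp channel can set secure="true"; a self-hosted http channel has
        # no equivalent and depends on IIS hosting or network controls.
        if kind == "http" or (ch.get("secure") or "false").lower() != "true":
            findings.append(f"{kind}:{port} serves {uris} without channel authentication")
    return findings


if __name__ == "__main__":
    for line in audit_remoting(SAMPLE_CONFIG):
        print(line)
```
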
