id: CVE-2022-31199

info:
  name: Netwrix Auditor < 10.5 - Remote Code Execution
  author: codingsh
  severity: critical
  description: |
    Netwrix Auditor versions prior to 10.5 are vulnerable to insecure object deserialization through an unsecured .NET remoting service exposed on TCP port 9004.
    An unauthenticated remote attacker can submit arbitrary serialized objects to the UAVRServer endpoint and achieve remote code execution with NT AUTHORITY\SYSTEM privileges.
    This vulnerability has been actively exploited in the wild, including by the Truebot malware campaign.
  reference:
    - https://bishopfox.com/blog/netwrix-auditor-advisory
    - https://nvd.nist.gov/vuln/detail/CVE-2022-31199
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
    - https://www.netwrix.com/netwrix_statement_on_cve202231199.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-31199
    cwe-id: CWE-502
    epss-score: 0.00303
    epss-percentile: 0.67695
    cpe: cpe:2.3:a:netwrix:auditor:*:*:*:*:*:*:*:*
  metadata:
    verified: false
    max-request: 1
    vendor: netwrix
    product: auditor
    shodan-query: port:9004
    fofa-query: port="9004"
  tags: cve,cve2022,netwrix,rce,deserialization,dotnet,tcp,kev

tcp:
  - inputs:
      - data: |
          {{hex_decode('00010000010000000000000000000c020000005c53797374656d2e52756e74696d652e52656d6f74696e672e4d657373616769696e672c2056657273696f6e3d342e302e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623737613563353631393334653038390a')}}
    host:
      - "{{Hostname}}"
    port: 9004
    read-size: 2048

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "System.Runtime.Remoting"
          - ".NET"
        condition: or

      - type: regex
        part: body
        regex:
          - "(?i)(UAVRServer|Netwrix)"
          - "RemotingException"
        condition: or

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '(UAVRServer|Netwrix[A-Za-z0-9\.]*)'
          - 'System\.Runtime\.Remoting\.([A-Za-z]+Exception)'