Insecure .NET Remoting deserialization in Quanos SCHEMA ST4 Client Update Service allows local privilege escalation

A local authenticated attacker connects to the named pipe `ST4Updater2` and sends the string `"init"`, which returns a TCP port used for .NET Remoting [ref_id=1]. The attacker then uses a tool such as ExploitRemotingService to send a specially crafted serialized .NET Remoting payload to the endpoint `tcp://127.0.0.1:<port>/UpdateProcessCore`. Because the service runs with `NT AUTHORITY\SYSTEM` privileges and `TypeFilterLevel.Full` is enabled, the deserialization of the attacker's object results in arbitrary code execution at the SYSTEM integrity level [ref_id=1]. Network-only exploitation is not possible; the attacker must already have an authenticated session on the local host.

The vulnerability resides in the SCHEMA ST4 Client Update Service, specifically its .NET Remoting interface exposed over a named pipe (`ST4Updater2`). The service is configured with `TypeFilterLevel.Full`, which permits deserialization of arbitrary types from local callers [ref_id=1].

The vendor does not provide a patch but offers a workaround: disable the affected Client Update Service entirely [ref_id=1]. Without the service running, the named pipe endpoint is not available, preventing both the insecure deserialization attack and the arbitrary file overwrite vector. Customers must then perform client updates manually using a privileged user account [ref_id=1].