[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] [CVE- Requested][Vembu Storegrid - Multiple Critical Vulnerabilities]

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] [CVE- Requested][Vembu Storegrid - Multiple Critical Vulnerabilities]
From: Mike Antcliffe <mikeantcliffe@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 4 Aug 2014 15:16:47 +0000

1. Advisory Overview

Multiple vulnerabilities exist in the Vembu Storegrid Backup and Disaster 
Recovery solution affecting both the client and server software (see Additional 
Information section) include but are not limited to reflected XSS, source 
code/sensitive information disclosure, privilege escalation, remote code 
execution, Denial of Service, and poorly implemented business logic in the 
client which can be leveraged to allow an unauthenticated user to exfiltrate 
full disk backups from a target machine via a rogue server. This is a 
white-label product and may be labelled as something else.

2. Advisory information

- - Public Release Date: 4/8/2014

- - Vendor notified: Yes 30/7/2014

- - CVE’s: requested 1/8/2014

- - Last Revised: 4/7/2014

- - Researchers: Mike Antcliffe and Ed Tredgett

- - Research Organisation: Logically Secure Ltd

- - Organisation Website: https://www.logicallysecure.com


3. Vulnerability Information

- - Vendor: Vembu

- - Affected Software:
    - Storegrid Backup and Disaster recovery solutions SP edition
      (Affects version 4.4.X and version 6.x Client and SP Server on multiple 
platforms)

- - Product Website: https://www.vembu.com/products/bdr/

- - Vulnerability Class: Multiple

- - Remotely Exploitable: Yes

- - Locally Exploitable: Yes

- - Authentication Required: No

- - Indicator of network presence: Ports 6060 and 6061 accept HTTP/S 
connections.


4. Vendor Solution

None, however Issues may be addressed in version 6.2 (vendor reviewing the 
feasibility of a patch)


5. Additional Information.

The main vulnerability takes advantage of the client enrolment procedure. In 
it’s default state it is possible for an unauthenticated attacker to register a 
client to a rogue backup server. During this enrolment phase a new admin user 
is automatically created on the client using the attacker specified 
credentials, the attacker can then bounce through their rogue server using the 
cln=<ip/hostname> get parameter which invokes request forwarding functionality 
allowing access the remote client interface. From here they can schedule their 
own backups to their server and specify their own encryption keys. These 
backups can then be restored to an attacker controlled virtual machine allowing 
the attacker full access to whatever has been taken. It is also possible to 
backup a directory containing a toolbox of malicious scripts and executables 
from the attacker controlled virtual machine and restore these to a target 
machine. We found an option in the client web interface which allows a user to 
disable the ability to enrol new servers but were able to bypass this using 
common attack vectors.

The backup functionality also allows the user to execute commands as part of 
the backup process by default these run with system level privs. We have 
successfully gained system level remote shells using this method. From there we 
were able to manipulate the web console to hide all traces of our exploits from 
the regular user, kill AV, drop the firewall, access the registry, dump 
password hashes and finally screw up the machine (by deleting arbitrary system 
files) so it wouldn’t boot and needed restoring (thus removing traces of our 
activity).

The whole process could easily be automated to target an entire subnet.

In addition to the above mentioned issue we discovered reflected XSS 
vulnerabilities, Source code disclosure via incorrect processing of trailing 
slash (eg http://clientip/index.php/), Denial of Service via unhandled 
exceptions in the client, Local privilege escalation, insecure storage of 
credentials (MD5), poor mysql implementation (default root user configured with 
a simple password), and several others.

Note: We first discovered the vulnerabilities whilst testing a corporate 
network with around 60 active installs of the client software ranging from 
domain controllers to HR machines, and client laptops containing personal data. 
We were able to siphon off any data we liked. The client supports our decision 
to go public now they have removed the software.

We will be providing a full writeup as well as examples on our website shortly.

Note2: This software is white-label and is commonly distributed under many 
names.

Note3: According to the vendor they have a network of over 3000+ partners 
holding over 25PB of critical data.


Mike Antcliffe

Logically Secure

@mantcliffe @EdTredgett @LogicallySecure






_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Paypal Complete 2-Factor Authentication(2FA) Bypass Exploit. Working as of August 5th, 2014.
Next by Date: [FD] LinkedIn User Account Handling Vulnerability(s)
Previous by thread: [FD] Paypal Complete 2-Factor Authentication(2FA) Bypass Exploit. Working as of August 5th, 2014.
Next by thread: [FD] LinkedIn User Account Handling Vulnerability(s)
Index(es):
- Date
- Thread