what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Rackspace Windows Agent / Updater Arbitrary Code Execution

Rackspace Windows Agent / Updater Arbitrary Code Execution
Posted Nov 24, 2013
Authored by Andrew Hay | Site blog.cloudpassage.com

The Rackspace Windows Agent and Updater allows for modified Agent binaries to be remotely uploaded (without authentication) to Rackspace Cloud Server guest instances. Modified Agent binaries are processed as an update for the Agent and arbitrary code can then be executed after the service is restarted. Previous versions of the Updater (before 1.2.6.0) allowed for unsigned agent updates utilizing a specially crafted .NET remote call to TCP port 1984.

tags | advisory, remote, arbitrary, tcp
systems | windows
advisories | CVE-2013-6795
SHA-256 | e1432ce56dfb5361bc47edbd2d3c8d08d7d01f9b5dba847ea442095175de0442

Rackspace Windows Agent / Updater Arbitrary Code Execution

Change Mirror Download
A vulnerability in the Rackspace Windows Agent and Updater was discovered that allows for modified Agent binaries to be remotely uploaded (without authentication) to Rackspace Cloud Server guest instances. Modified Agent binaries are processed as an update for the Agent and arbitrary code can then be executed after the service is restarted. CloudPassage disclosed the vulnerability to Rackspace and CVE-2013-6795 was issued by MITRE Corporation.

The Windows Agent and Updater is used by Windows Cloud Server instances on OpenStack Nova to handle boot configurations for Windows guests running on the Xen hypervisor. The agent was created by Rackspace for their Windows instances and both the Agent and Updater services run under the LocalSystem account.

Previous versions of the Updater (before 1.2.6.0) allowed for unsigned agent updates utilizing a specially crafted .NET remote call to TCP port 1984. The Update service takes a single .NET serializable object with a URL and an MD5 checksum. Once the sequence is triggered, a ZIP file is downloaded, verified using the checksum, and extracted into the program folder of the Agent service before the service is restarted. No authentication is performed by the .NET remoting service, making it possible to deploy a modified Agent update that overwrites the running Agent service binary. A proof of concept tool was developed to trigger the sequence with an arbitrary download URL using the original .NET libraries from a target.

Full details here: http://blog.cloudpassage.com/2013/11/18/cve-2013-6795-vulnerability-rackspace-windows-agent-updater/

CloudPassage responsibly disclosed the finding to Rackspace and, as of version 1.2.6.0, the Updater has been changed to use IPC with XenStore and no longer listens on port 1984. Rackspace recommends that users running the Windows agent less than version 1.2.6.1 update to the latest version, available on GitHub at https://github.com/rackerlabs/openstack-guest-agents-windows-xenserver.
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close