what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Vembu Storegrid Backup / Disaster Recovery Solution XSS / Code Execution

Vembu Storegrid Backup / Disaster Recovery Solution XSS / Code Execution
Posted Aug 5, 2014
Authored by Mike Antcliffe, Ed Tredgett

Vembu Storegrid Backup and Disaster Recovery solution suffers from privilege escalation, information disclosure, remote code execution, cross site scripting, and denial of service vulnerabilities.

tags | advisory, remote, denial of service, vulnerability, code execution, xss, info disclosure
SHA-256 | d618d75a0f84b532d28659f6547552d0538321f116fca1ea5115a8b5e9f9d91b

Vembu Storegrid Backup / Disaster Recovery Solution XSS / Code Execution

Change Mirror Download
1. Advisory Overview


Multiple vulnerabilities exist in the Vembu Storegrid Backup and Disaster
Recovery solution affecting both the client and server software (see
Additional Information section) include but are not limited to reflected
XSS, source code/sensitive
information disclosure, privilege escalation, remote code execution,
Denial of Service, and poorly implemented business logic in the client
which can be leveraged to allow an unauthenticated user to exfiltrate full
disk backups from a target machine via a
rogue server. This is a white-label product and may be labelled as
something else.


2. Advisory information

- - Public Release Date: 4/8/2014

- - Vendor notified: Yes 30/7/2014

- - CVE¹s: requested 1/8/2014

- - Last Revised: 4/7/2014

- - Researchers: Mike Antcliffe and Ed Tredgett

- - Research Organisation: Logically Secure Ltd

- - Research Organisation Website: http://www.logicallysecure.com


3. Vulnerability Information

- - Vendor: Vembu

- - Affected Software:
- Storegrid Backup and Disaster recovery solutions SP edition
(Affects version 4.4.X and version 6.x Client and SP Server on
multiple platforms)

- - Product Website: https://www.vembu.com/products/bdr/

- - Vulnerability Class: Multiple

- - Remotely Exploitable: Yes

- - Locally Exploitable: Yes

- - Authentication Required: No

- - Indicator of network presence: Ports 6060 and 6061 accept HTTP/S
connections.


4. Vendor Solution

None, however Issues may be addressed in version 6.2 (vendor reviewing the
feasibility of a patch)



5. Additional Information.

The main vulnerability takes advantage of the client enrolment procedure.
In it¹s default state it is possible for an unauthenticated attacker to
register a client to a rogue backup server. During this enrolment phase a
new admin user is automatically
created on the client using the attacker specified credentials, the
attacker can then bounce through their rogue server using the
cln=<ip/hostname> get parameter which invokes request forwarding
functionality allowing access the remote client interface. From
here they can schedule their own backups to their server and specify
their own encryption keys. These backups can then be restored to an
attacker controlled virtual machine allowing the attacker full access to
whatever has been taken. It is also possible to
backup a directory containing a toolbox of malicious scripts and
executables from the attacker controlled virtual machine and restore these
to a target machine. We found an option in the client web interface which
allows a user to disable the ability to enrol
new servers but were able to bypass this using common attack vectors.

The backup functionality also allows the user to execute commands as part
of the backup process by default these run with system level privs. We
have successfully gained system level remote shells using this method.
>From there we were able to manipulate
the web console to hide all traces of our exploits from the regular user,
kill AV, drop the firewall, access the registry, dump password hashes and
finally screw up the machine (by deleting arbitrary system files) so it
wouldn¹t boot and needed restoring (thus
removing traces of our activity).

The whole process could easily be automated to target an entire subnet.

In addition to the above mentioned issue we discovered reflected XSS
vulnerabilities, Source code disclosure via incorrect processing of
trailing slash (eg http://clientip/index.php/), Denial of Service via
unhandled
exceptions in the client, Local privilege escalation, insecure storage of
credentials (MD5), poor mysql implementation (default root user configured
with a simple password), and several others.

Note: We first discovered the vulnerabilities whilst testing a corporate
network with around 60 active installs of the client software ranging from
domain controllers to HR machines, and client laptops containing personal
data. We were able to siphon off
any data we liked. The client supports our decision to go public now they
have removed the software.

We will be providing a full writeup as well as examples on our website
shortly.

Note2: This software is white-label and is commonly distributed under many
names.

Note3: According to the vendor they have a network of over 3000+ partners
holding over 25PB of critical data.


Mike Antcliffe

Logically Secure

@mantcliffe @EdTredgett @LogicallySecure



Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close