Veeam Backup & Replication Local Privilege Escalation Vulnerability

Name              Sensitive Data Exposure in Veeam Backup
Systems Affected  Veeam Backup & Replication (B&R) v6, v6.5, v7, v8
Severity          High 7.9/10 Impact
CVSS              CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Vendor            http://www.veeam.com/
Advisory          http://www.ush.it/team/ush/hack-veeam_6_7_8/veeam.txt
Authors           Pasquale "sid" Fiorillo (sid AT ush DOT it)
                  Francesco "ascii" Ongaro (ascii AT ush DOT it)
                  Antonio "s4tan" Parata (s4tan AT ush DOT it)
Date              20151002

I. BACKGROUND

Veeam Software provides backup, disaster recovery and virtualization management software for VMware and Hyper-V environments. By 2012 Veeam had grown to more than 1200 employees worldwide, from 10 employees in 2008. It has more than 157'000 customers, 33'000 partners and 80 top industry awards, and claims to be the "#1 VM Backup" solution after gaining traction against competitors like Backup Exec and Tivoli Storage Manager. Veeam Backup & Replication is the foundation of many Veeam products, like Veeam Availability Suite and Veeam One.

ISGroup is an Italian Information Security boutique. We found this 0day issue while performing a Penetration Test for a customer; you can discover more about ISGroup by visiting http://www.isgroup.biz/.

Responsible disclosure with Veeam: Veeam has no public security@ contact, so we worked with them through the ticket system, opening a case under one of our customers' assistance contracts. We were unable to escape the sternness of this type of communication and move to PGP email. Their response was nevertheless prompt: we spoke first with Denis Bodnar and then escalated to Fred Bozhanov, Veeam Support Management, who managed communication with the developers. We advise Veeam to give some of their senior developers a "security team" mandate and to expose such a team to external, direct communication. The people we spoke to did their best and were extremely kind, but they must be supported by a corporate process.
Prior vulnerabilities in Veeam: it is very difficult to say whether Veeam has had previous vulnerabilities, as no CVE is assigned to this vendor either on NIST or to its CPE (cpe:/:veeam).

Customers are informed of the vulnerability in the "other" section of the changelog: "Removed weakly encrypted username and password logging from guest processing components using networkless (VIX) guest interaction mode. Veeam thanks Pasquale Fiorillo and Francesco Ongaro of ISGroup for vulnerability discovery.".

The latest version of the software at the time of writing can be obtained from:

http://www.veeam.com/kb2068
http://forums.veeam.com/veeam-backup-replication-f2/8-0-common-issues-and-fixes-t24157.html#p130849
http://www.veeam.com/vmware-esx-backup.html

II. DESCRIPTION

The vulnerability allows a local Windows user, even one with privileges as low as those granted to an anonymous IIS virtual host user, to access Veeam Backup logfiles that include a double-base64 encoded version of the password of the account Veeam runs under. The affected component is VeeamVixProxy, created by default on installation; the account it uses must be a privileged Local Administrator or a Domain Administrator. For example, the wizard for adding a VMware or Hyper-V Backup Proxy explicitly states "Type in an account with local administrator privileges on the server you are adding. Use DOMAIN\USER format for domain accounts, or HOST\USER for local accounts.".

We conservatively refer to this issue as a Local Administrator Privilege Escalation, but the use of Domain Administrator accounts is not discouraged, if not advised, and we saw this pattern in our customers' production infrastructures.

TLDR: Anything able to read VeeamVixProxy logfiles, world readable by default, can escalate to Local or Domain Administrator.

III. ANALYSIS

Veeam Backup & Replication (B&R) v6, v6.5, v7, v8 store VeeamVixProxy logfiles in a directory accessible by Everyone and with permissions that make them readable by Everyone (Everyone is, in Microsoft Windows terminology, the equivalent of the Unix nobody user). Such logs, which are generated continuously, contain a Local or Domain Administrator username and password in an easily reversible (obfuscated) format. In versions of Veeam prior to 8 a bug prevented log rotation [3,4], so on older systems there may be a large number of logs and thus an extensive history of past and current Local or Domain Administrator credentials.

A) Logfiles readable by Everyone

As shown in http://www.veeam.com/kb1789 the default log path is:

Windows Server 2003:        %allusersprofile%\Application Data\Veeam\Backup
Windows Server 2008 and up: %programdata%\Veeam\Backup

Our evidence is from Windows Server 2003: access to the needed files is granted to the Windows group "Everyone", so any local user, even the accounts used to run IIS sites, can read them. This puts all the information contained in the logfiles at risk and is a violation of the principle of least privilege (https://en.wikipedia.org/wiki/Principle_of_least_privilege).

B) Double encoded password in Logfiles

The install/execution username and password are stored double-base64 encoded in the Veeam Backup "VeeamVixProxy" logfiles. Such files exist in "Veeam\Backup" with the following naming scheme:

VeeamVixProxy_%dd%mm%yyyy.log
eg: VeeamVixProxy_16072015.log

The password is present at multiple points of the logfile and the files are generated continuously. In this scenario, a Local File Read vulnerability could lead to full system compromise, given that an attacker can reuse such credentials via RDP or RPC (eg: psexec).

The log format leaking the credentials is:
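The real VeeamVixProxy line format is not reproduced here, so the sample lines below are constructed. The script is an added example, not code from the advisory or from Veeam: it flags tokens that are base64 of base64 of printable text (the fingerprint of the obfuscation described in B)) and redacts them so a logfile can be handed to support or shipped to a SIEM without leaking the account; the account name and password in the sample are hypothetical.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to be worth checking (short runs are noise).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def _strict_b64(token):
    """Decode one token; None if it is not well-formed base64 (bad chars or padding)."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None

def _printable_ascii(data):
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(text) and text.isprintable()

def find_double_base64(line):
    """Return (token, plaintext) for each token that is base64 of base64 of printable text."""
    # Random base64 (GUIDs, hex ids, binary blobs) fails the inner printable check.
    hits = []
    for m in B64_TOKEN.finditer(line):
        inner = _strict_b64(m.group(0))
        if inner is None or not _printable_ascii(inner):
            continue
        plain = _strict_b64(inner.decode("ascii"))
        if plain is not None and _printable_ascii(plain):
            hits.append((m.group(0), plain.decode("ascii")))
    return hits

def redact_line(line):
    """Replace every double-base64 token so the logfile can be shared safely."""
    for token, _ in find_double_base64(line):
        line = line.replace(token, "[REDACTED-DOUBLE-B64]")
    return line

def _double_b64(s):  # only used to build the constructed sample below
    return base64.b64encode(base64.b64encode(s.encode())).decode()

# Constructed sample: hypothetical account, not a real Veeam log line or format.
SAMPLE_USER, SAMPLE_PASS = "CORP\\svc-veeam", "Example-P@ss-1234"
SAMPLE_LINES = [
    "[16.07.2015 10:01:02] Info user=%s pass=%s" % (_double_b64(SAMPLE_USER), _double_b64(SAMPLE_PASS)),
    "[16.07.2015 10:01:03] Info session 3f2504e04f8911d39a0c0305e82c3301",
    "[16.07.2015 10:01:04] Info note " + base64.b64encode(b"just one layer of base64").decode(),
]
```

Only the first sample line is flagged: the hex session id is not printable after one decode and the single-layer token is not valid base64 after one decode, so neither is touched by the redaction.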