[CVE- Requested][Vembu Storegrid - Multiple Critical Vulnerabilities]

[Mike Antcliffe <mikeantcliffe () logicallysecure com>]

1. Advisory Overview

Multiple vulnerabilities exist in the Vembu Storegrid Backup and Disaster Recovery solution affecting both the client 
and server software (see Additional Information section) include but are not limited to reflected XSS, source 
code/sensitive information disclosure, privilege escalation, remote code execution, Denial of Service, and poorly 
implemented business logic in the client which can be leveraged to allow an unauthenticated user to exfiltrate full 
disk backups from a target machine via a rogue server. This is a white-label product and may be labelled as something 
else.

2. Advisory information

- - Public Release Date: 4/8/2014

- - Vendor notified: Yes 30/7/2014

- - CVE’s: requested 1/8/2014

- - Last Revised: 4/7/2014

- - Researchers: Mike Antcliffe and Ed Tredgett

- - Research Organisation: Logically Secure Ltd

- - Organisation Website: https://www.logicallysecure.com


3. Vulnerability Information

- - Vendor: Vembu

- - Affected Software:
    - Storegrid Backup and Disaster recovery solutions SP edition
      (Affects version 4.4.X and version 6.x Client and SP Server on multiple platforms)

- - Product Website: https://www.vembu.com/products/bdr/

- - Vulnerability Class: Multiple

- - Remotely Exploitable: Yes

- - Locally Exploitable: Yes

- - Authentication Required: No

- - Indicator of network presence: Ports 6060 and 6061 accept HTTP/S connections.


4. Vendor Solution

None, however Issues may be addressed in version 6.2 (vendor reviewing the feasibility of a patch)


5. Additional Information.

The main vulnerability takes advantage of the client enrolment procedure. In it’s default state it is possible for an 
unauthenticated attacker to register a client to a rogue backup server. During this enrolment phase a new admin user is 
automatically created on the client using the attacker specified credentials, the attacker can then bounce through 
their rogue server using the cln=<ip/hostname> get parameter which invokes request forwarding functionality allowing 
access the remote client interface. From here they can schedule their own backups to their server and specify their own 
encryption keys. These backups can then be restored to an attacker controlled virtual machine allowing the attacker 
full access to whatever has been taken. It is also possible to backup a directory containing a toolbox of malicious 
scripts and executables from the attacker controlled virtual machine and restore these to a target machine. We found an 
option in the client web interface which allows a user to disable the ability to enrol new servers but were able to 
bypass this using common attack vectors.

The backup functionality also allows the user to execute commands as part of the backup process by default these run 
with system level privs. We have successfully gained system level remote shells using this method. From there we were 
able to manipulate the web console to hide all traces of our exploits from the regular user, kill AV, drop the 
firewall, access the registry, dump password hashes and finally screw up the machine (by deleting arbitrary system 
files) so it wouldn’t boot and needed restoring (thus removing traces of our activity).

The whole process could easily be automated to target an entire subnet.

In addition to the above mentioned issue we discovered reflected XSS vulnerabilities, Source code disclosure via 
incorrect processing of trailing slash (eg http://clientip/index.php/), Denial of Service via unhandled exceptions in 
the client, Local privilege escalation, insecure storage of credentials (MD5), poor mysql implementation (default root 
user configured with a simple password), and several others.

Note: We first discovered the vulnerabilities whilst testing a corporate network with around 60 active installs of the 
client software ranging from domain controllers to HR machines, and client laptops containing personal data. We were 
able to siphon off any data we liked. The client supports our decision to go public now they have removed the software.

We will be providing a full writeup as well as examples on our website shortly.

Note2: This software is white-label and is commonly distributed under many names.

Note3: According to the vendor they have a network of over 3000+ partners holding over 25PB of critical data.


Mike Antcliffe

Logically Secure

@mantcliffe @EdTredgett @LogicallySecure






_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/