[CVE- Requested][Vembu Storegrid - Multiple Critical Vulnerabilities]

From: Mike Antcliffe <mikeantcliffe@logicallysecure.com>
To: bugtraq@securityfocus.com <bugtraq@securityfocus.com>
Subject: [CVE- Requested][Vembu Storegrid - Multiple Critical Vulnerabilities]

1. Advisory Overview

Multiple vulnerabilities exist in the Vembu Storegrid Backup and Disaster
Recovery solution affecting both the client and server software (see
Additional Information section) include but are not limited to reflected
XSS, source code/sensitive
 information disclosure, privilege escalation, remote code execution,
Denial of Service, and poorly implemented business logic in the client
which can be leveraged to allow an unauthenticated user to exfiltrate full
disk backups from a target machine via a
 rogue server. This is a white-label product and may be labelled as
something else.

2. Advisory information

- - Public Release Date: 4/8/2014

- - Vendor notified: Yes 30/7/2014

- - CVEs: requested 1/8/2014

- - Last Revised: 4/7/2014

- - Researchers: Mike Antcliffe and Ed Tredgett

- - Research Organisation: Logically Secure Ltd

- - Research Organisation Website: http://www.logicallysecure.com

3. Vulnerability Information

- - Vendor: Vembu

- - Affected Software:
    - Storegrid Backup and Disaster recovery solutions SP edition
      (Affects version 4.4.X and version 6.x Client and SP Server on
multiple platforms)

- - Product Website: https://www.vembu.com/products/bdr/

- - Vulnerability Class: Multiple

- - Remotely Exploitable: Yes

- - Locally Exploitable: Yes

- - Authentication Required: No

- - Indicator of network presence: Ports 6060 and 6061 accept HTTP/S

4. Vendor Solution

None, however Issues may be addressed in version 6.2 (vendor reviewing the
feasibility of a patch)

5. Additional Information.

The main vulnerability takes advantage of the client enrolment procedure.
In its default state it is possible for an unauthenticated attacker to
register a client to a rogue backup server. During this enrolment phase a
new admin user is automatically
 created on the client using the attacker specified credentials, the
attacker can then bounce through their rogue server using the
cln=<ip/hostname> get parameter which invokes request forwarding
functionality allowing access the remote client interface. From
 here they can schedule their own backups to their server and specify
their own encryption keys. These backups can then be restored to an
attacker controlled virtual machine allowing the attacker full access to
whatever has been taken. It is also possible to
 backup a directory containing a toolbox of malicious scripts and
executables from the attacker controlled virtual machine and restore these
to a target machine. We found an option in the client web interface which
allows a user to disable the ability to enrol
 new servers but were able to bypass this using common attack vectors.

The backup functionality also allows the user to execute commands as part
of the backup process by default these run with system level privs. We
have successfully gained system level remote shells using this method.
From there we were able to manipulate
 the web console to hide all traces of our exploits from the regular user,
kill AV, drop the firewall, access the registry, dump password hashes and
finally screw up the machine (by deleting arbitrary system files) so it
wouldnt boot and needed restoring (thus
 removing traces of our activity).

The whole process could easily be automated to target an entire subnet.

In addition to the above mentioned issue we discovered reflected XSS
vulnerabilities, Source code disclosure via incorrect processing of
trailing slash (eg http://clientip/index.php/), Denial of Service via
 exceptions in the client, Local privilege escalation, insecure storage of
credentials (MD5), poor mysql implementation (default root user configured
with a simple password), and several others.

Note: We first discovered the vulnerabilities whilst testing a corporate
network with around 60 active installs of the client software ranging from
domain controllers to HR machines, and client laptops containing personal
data. We were able to siphon off
 any data we liked. The client supports our decision to go public now they
have removed the software.

We will be providing a full writeup as well as examples on our website

Note2: This software is white-label and is commonly distributed under many

Note3: According to the vendor they have a network of over 3000+ partners
holding over 25PB of critical data.

Mike Antcliffe

Logically Secure

@mantcliffe @EdTredgett @LogicallySecure

Copyright © 1995-2019 LinuxRocket.net. All rights reserved.