Restorepoint 3.2-Evaluation Remote Root Command Execution

2011-12-08
Tavaris Desamito
packetstormsecurity.com
PACKETSTORM:107643

EPSS: 0.008 (Low), percentile 81.7%

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Matta Consulting - Matta Advisory
https://www.trustmatta.com
Restorepoint Remote root command execution vulnerability

Advisory ID: MATTA-2011-003
CVE reference:
CVE-2011-4201 - Code injection vulnerability
CVE-2011-4202 - Privilege escalation through insecure file permissions
Affected platforms: Tadasoft Restorepoint
Version: 3.2-evaluation
Date: 2011-October-20
Security risk: Critical
Vulnerability: Remote root command execution
Researcher: Tavaris Desamito
Vendor Status: Notified, Patch available
Vulnerability Disclosure Policy:
https://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt
Permanent URL:
https://www.trustmatta.com/advisories/MATTA-2011-003.txt
  
=====================================================================  
Introduction:

Restorepoint is a network appliance backup and disaster recovery system
from Tadasoft. More information can be found on the following page:
http://www.restorepoint.com/restorepoint/
  
=====================================================================  
Vulnerability:

The 3.2 evaluation image of Restorepoint contains a remote command execution
vulnerability in the remote_support.cgi script prior to license activation.
By supplying a semicolon followed by a Unix shell command to the pid1 or pid2
parameters in conjunction with the stop_remote_support parameter, an
unauthenticated remote attacker can execute commands on the Restorepoint
appliance with the privileges of the www user. The Common Vulnerabilities
and Exposures (CVE) project has assigned the name CVE-2011-4201 to this
issue. This is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

Given that the Restorepoint appliance uses a Linux kernel compiled in 2009,
obtaining root access is trivial.
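
The injection pattern behind CVE-2011-4201, shown as an added example (this
is not Restorepoint's code and not Matta's): a vulnerable handler that
interpolates the pid parameter into a shell command string, next to a
hardened version that validates the value as a bounded integer and builds an
argument vector instead. The names pid1, pid2 and stop_remote_support come
from the advisory; the handler logic, the build_* helpers, PID_MAX and the
sample values are assumptions.

```python
import re
import shlex

# Parameter names pid1/pid2 and stop_remote_support are from the advisory;
# everything else in this file is an assumed stand-in for the CGI handler.
PID_RE = re.compile(r"[0-9]{1,7}")
PID_MAX = 4194304  # highest value Linux allows for kernel.pid_max


def build_stop_command_vulnerable(pid: str) -> str:
    """Vulnerable pattern: the raw request parameter is interpolated into a
    command string that the CGI then hands to a shell. A ';' in the value
    terminates the intended command and starts a second one."""
    return f"kill {pid}"


def shell_would_run(cmd: str) -> list:
    """Approximates what /bin/sh makes of the string: one argv per
    ';'-separated command. Used only to show the effect; nothing runs."""
    commands = []
    for part in cmd.split(";"):
        tokens = shlex.split(part)
        if tokens:
            commands.append(tokens)
    return commands


def parse_pid(value: str) -> int:
    """Hardened form: accept only a bounded positive decimal integer.
    Whitespace, ';', quotes, a leading '-' and anything else is rejected
    before any process-management call sees it."""
    if not PID_RE.fullmatch(value):
        raise ValueError(f"pid must be 1-7 decimal digits, got {value!r}")
    pid = int(value)
    if pid < 2 or pid > PID_MAX:  # pid 1 is init, never a support helper
        raise ValueError(f"pid out of range: {pid}")
    return pid


def build_stop_command_hardened(pid: str) -> list:
    """An argument vector rather than a string: no shell parses it, and the
    validated integer is the only thing that reaches kill(1). A real handler
    would rather call os.kill(pid, signal.SIGTERM) and skip the subprocess."""
    return ["kill", str(parse_pid(pid))]


def handle_stop_remote_support(params: dict) -> dict:
    """Minimal stand-in for the CGI handler: act only when the
    stop_remote_support flag is present, and validate both pid fields
    before building anything."""
    if "stop_remote_support" not in params:
        return {"action": "none"}
    argvs = [build_stop_command_hardened(params[name])
             for name in ("pid1", "pid2") if name in params]
    return {"action": "stop", "argv": argvs}
```

shell_would_run exists only to make the failure visible: feeding it the
vulnerable string for a pid value such as "1234; id" yields two argument
vectors, which is exactly the second command the advisory describes. The
hardened path rejects the same value before any command is assembled.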
  
Furthermore, Restorepoint uses sudo in order to run a number of scripts with
root access. As a large number of these scripts can be modified by the www
user, root access can be obtained directly through Restorepoint
functionality, without relying on additional exploits. The Common
Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2011-4202 to this issue.
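
An audit for the CVE-2011-4202 condition, added here as an example that is
neither Restorepoint's nor Matta's code: it extracts the command paths from
sudoers-style rules and reports every target that the web server user could
write, either directly or by replacing it through a writable parent
directory. The www uid/gid of 33, the sudoers lines and the temporary file
tree are constructed for the demonstration; the real appliance's ids and
rules would be read from /etc/passwd and /etc/sudoers.

```python
import os
import re
import stat
import tempfile

# All paths, ids and sudoers lines here are constructed for the demonstration;
# the www uid/gid of a real appliance would be read from /etc/passwd.
WWW_UID = 33
WWW_GIDS = {33}


def sudo_targets_from_sudoers(text: str) -> list:
    """Collect absolute command paths from rules shaped like
        user HOST = (runas) NOPASSWD: /path/one, /path/two
    Only the command list after the last ':' (or after the runas group) is
    read; arguments and Defaults lines are ignored. Enough for an audit, not
    a sudoers parser."""
    paths = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "=" not in line:
            continue
        command_list = line.split("=", 1)[1].rsplit(":", 1)[-1]
        for cmd in command_list.split(","):
            cmd = re.sub(r"^\s*\([^)]*\)", "", cmd)  # drop a leading (runas)
            tokens = cmd.split()
            if tokens and tokens[0].startswith("/"):
                paths.append(tokens[0])
    return paths


def writable_by(path: str, uid: int, gids: set) -> bool:
    """True if a process with these ids could write the file through the
    owner, group or other permission bits. os.stat follows symlinks, so a
    link the user controls that points at a root-owned file is caught too."""
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def audit_sudo_targets(paths: list, uid: int, gids: set) -> list:
    """Report every sudo target the given user could replace: the file
    itself being writable, or its parent directory (which lets the file be
    renamed away and a new one dropped in under the same name)."""
    findings = []
    for path in paths:
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif writable_by(path, uid, gids):
            findings.append((path, "file writable by www user"))
        elif writable_by(os.path.dirname(path), uid, gids):
            findings.append((path, "parent directory writable by www user"))
    return findings


def demo() -> list:
    """Builds a throwaway tree and audits it as the assumed www user, whose
    uid does not own the files, so only the group/other bits decide."""
    root = tempfile.mkdtemp(prefix="sudo-audit-")
    safe_dir = os.path.join(root, "bin")
    open_dir = os.path.join(root, "dropbox")
    os.mkdir(safe_dir)
    os.mkdir(open_dir)
    os.chmod(safe_dir, 0o755)
    os.chmod(open_dir, 0o777)
    scripts = {
        os.path.join(safe_dir, "backup.sh"): 0o777,   # world-writable script
        os.path.join(safe_dir, "restore.sh"): 0o755,  # root-style, acceptable
        os.path.join(open_dir, "cleanup.sh"): 0o755,  # file fine, directory not
    }
    for path, mode in scripts.items():
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    sudoers = (
        "# constructed sudoers fragment\n"
        "Defaults env_reset\n"
        f"www ALL=(root) NOPASSWD: {safe_dir}/backup.sh, {safe_dir}/restore.sh\n"
        f"www ALL=(root) NOPASSWD: {open_dir}/cleanup.sh, /nonexistent/gone.sh\n"
    )
    findings = audit_sudo_targets(sudo_targets_from_sudoers(sudoers), WWW_UID, WWW_GIDS)
    return [(os.path.basename(p), reason) for p, reason in findings]
```

The parent-directory check matters as much as the file mode: a 0755
root-owned script inside a directory the www user can write is just as
replaceable as a world-writable one, and a rule pointing at a missing file
is reported too, since whoever can create it gets the sudo entry for free.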
  
=====================================================================  
Impact:

Anyone who is able to connect to Restorepoint on port 443 between powering
up the appliance and the appliance being license activated is able to obtain
root level shell access to the appliance.

The Restorepoint appliance is used to back up the configurations of network
devices and as such holds credentials for all the devices it backs up, which
in most cases will be privileged accounts that allow reconfiguration of the
network devices.

If someone was able to compromise the security of the Restorepoint appliance
in the period between powering up the appliance and the appliance being
license activated, an attacker is then able to go on to compromise the
security of all devices backed up by Restorepoint.

Having achieved this, an attacker may reposition and begin to compromise the
rest of the network by using the Restorepoint appliance to launch further
attacks.
  
=====================================================================  
Versions affected:

Version 3.2 - evaluation image

The vendor reports that they maintain different trees for evaluation and
licensed copies of their software. The version available to licensed
customers is not vulnerable to this issue. Moreover, all appliances,
including evaluations, use a built-in auto-update mechanism upon license
activation that downloads additional software components and security
updates, which ensures their customers are using the latest version of the
product. The vendor reports that the evaluation image would have been
patched if the evaluation license had been applied.

Matta have not confirmed this at this stage.
  
=====================================================================  
Threat mitigation:

Anyone with evaluation versions of Restorepoint prior to 3.2 should activate
the license, at which point the software is automatically updated.

Matta suggests that affected parties running this version of the software
restrict access to port 443 on their Restorepoint appliances to only allow
trusted administrators to connect.

The vendor reports that the latest available evaluation image (3.3) is not
vulnerable to this issue. Moreover, the vendor reports that the 3.2
evaluation image would have been patched if an evaluation license was
applied.

In this case, Matta recommends that users activate their appliance to be
able to download the necessary software components and security updates.
  
=====================================================================  
Credits

This vulnerability was discovered and researched by Tavaris Desamito from
Matta Consulting.
  
=====================================================================  
History  
  
20-10-11 initial discovery  
24-10-11 initial attempt to contact the vendor  
24-10-11 vendor response received and draft advisory supplied  
25-10-11 vendor feedback received  
14-11-11 advisory draft updated  
... more interactions with the vendor  
04-12-11 advisory draft updated  
07-12-11 public disclosure  
  
=====================================================================  
About Matta

Matta is a privately held company with Headquarters in London, and a
European office in Amsterdam. Established in 2001, Matta operates in Europe,
Asia, the Middle East and North America using a respected team of senior
consultants. Matta is an accredited provider of Tiger Scheme training,
conducts regular research and is the developer behind the webcheck
application scanner, and colossus network scanner.
https://www.trustmatta.com
https://www.trustmatta.com/webapp_va.html
https://www.trustmatta.com/network_va.html
https://www.trustmatta.com/training.html
  
=====================================================================  
Disclaimer and Copyright

Copyright (c) 2011 Matta Consulting Limited. All rights reserved.
This advisory may be distributed as long as its distribution is
free-of-charge and proper credit is given.
The information provided in this advisory is provided "as is" without
warranty of any kind. Matta Consulting disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Matta Consulting or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages,
even if Matta Consulting or its suppliers have been advised of the
possibility of such damages.
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.11 (GNU/Linux)  
  
iQEcBAEBAgAGBQJO35HHAAoJEKXMIWKFD6qpSrUH/ApJ7WgGlWPEX6pCQTkG36m/  
xTkIaLGCaUyA+mkQ4MmHtBjNvd+rgA8B4V/gXOl4n6Cq2OwpuPhIO4ZFZWlKORiU  
JMp93glgp96TeozqlR8P+J9zJ+6gJCOtQm74lQkXbd1P914/7PpedOp845/HgA7M  
RCsvDDJ4WL2BwOeQAnWWeSYnEOuKiJFZbeRPeIm3dLqsDCy9i9hRdBEdZN5433c5  
jzBgF4zSuBn/8B5ebpfnQTqojxPeuasJ6Hfa9cCk71pE1hla2bfc5hcv8XjGavug  
IqxWhYyAiyejQfVESf+FVRdhBr8ypz8IzeBlzImyTWZuowMPtP9yZoEQBc7CHgo=  
=LnHW  
-----END PGP SIGNATURE-----  
  
  