[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1323276154.20308.21.camel@neutron.trustmatta.com>
Date: Wed, 07 Dec 2011 16:42:34 +0000
From: Tavaris Desamito <tavaris.desamito@...stmatta.com>
To: bugtraq@...urityfocus.com, Full-Disclosure
<full-disclosure@...ts.grok.org.uk>
Cc: Advisories <advisories@...stmatta.com>
Subject: Restorepoint Remote root command execution
vulnerability - CVE-2011-4201 CVE-2011-4202
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Matta Consulting - Matta Advisory
https://www.trustmatta.com
Restorepoint Remote root command execution vulnerability
Advisory ID: MATTA-2011-003
CVE reference:
CVE-2011-4201 - Code injection vulnerability
CVE-2011-4202 - Privilege escalation through insecure file permissions
Affected platforms: Tadasoft Restorepoint
Version: 3.2-evaluation
Date: 2011-October-20
Security risk: Critical
Vulnerability: Remote root command execution
Researcher: Tavaris Desamito
Vendor Status: Notified, Patch available
Vulnerability Disclosure Policy:
https://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt
Permanent URL:
https://www.trustmatta.com/advisories/MATTA-2011-003.txt
=====================================================================
Introduction:
Restorepoint is a network appliance backup and disaster recovery system
from Tadasoft.
More information can be found on the following page:
http://www.restorepoint.com/restorepoint/
=====================================================================
Vulnerability:
The 3.2 evaluation image of Restorepoint is vulnerable to a remote
command
execution vulnerability in the remote_support.cgi script prior to
license
activation. By supplying a semi colon followed by a unix shell command
to
the pid1 or pid2 parameters in conjunction with the stop_remote_support
parameter, an unauthenticated remote attacker can execute commands on
the
Restorepoint appliance with the privileges of the www user. The Common
Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2011-4201 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security
problems.
Given that the Restorepoint appliance uses a Linux kernel compiled in
2009, obtaining root access is trivial.
Furthermore, Restorepoint uses sudo in order to run a number of scripts
with
root access. As a large number of these scripts can be modified by the
www
user, root access can be obtained directly through Restorepoint
functionality, without relying on additional exploits. The Common
Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2011-4202 to this issue.
=====================================================================
Impact:
Anyone who is able to connect to Restorepoint on port 443 between
powering up
the appliance and before the appliance is license activated is able to
obtain
root level shell access to the appliance.
The Restorepoint appliance is used to back up the configurations of
network
devices and as such, the Restorepoint appliance holds credentials for
all the
devices it backs up; Which in most cases will be privileged accounts
that will
allow reconfiguration of the network devices.
If someone was able to compromise the security of the Restorepoint
appliance
in the period between powering up the appliance and before the
appliance is
license activated, an attacker is then able to go on to compromise the
security of all devices backed up by Restorepoint.
Having achieved this, an attacker may reposition and begin to compromise
the
rest of the network by using the Restorepoint appliance to launch
further
attacks.
=====================================================================
Versions affected:
Version 3.2 - evaluation image
The vendor reports that they maintain different trees for evaluation and
licensed copies of their software. The version available to licensed
customers
is not vulnerable to this issue. Moreover, all appliances including
evaluations use a built-in auto-update mechanism upon license
activation
that downloads additional software components and security updates
which
ensures their customers are using the latest version of the product.
The
vendor reports that the evaluation image would have been patched if the
evaluation license had been applied.
Matta have not confirmed this at this stage.
=====================================================================
Threat mitigation:
Anyone with evaluation versions of Restorepoint prior to 3.2 should
activate
the license, at which point the software is automatically updated.
Matta suggests that affected parties running this version of the
software
restrict access to port 443 on their Restorepoint appliances to only
allow
trusted administrators to connect.
The vendor reports that the latest version available evaluation image
(3.3) is not vulnerable to this issue. Moreover, the vendor reports
that
the 3.2 evaluation image would have been patched if an evaluation
license
was applied.
In this case, Matta recommends that users activate their appliance to be
able to download the necessary software components and security
updates.
=====================================================================
Credits
This vulnerability was discovered and researched by Tavaris Desamito
from
Matta Consulting.
=====================================================================
History
20-10-11 initial discovery
24-10-11 initial attempt to contact the vendor
24-10-11 vendor response received and draft advisory supplied
25-10-11 vendor feedback received
14-11-11 advisory draft updated
... more interactions with the vendor
04-12-11 advisory draft updated
07-12-11 public disclosure
=====================================================================
About Matta
Matta is a privately held company with Headquarters in London, and a
European
office in Amsterdam. Established in 2001, Matta operates in Europe,
Asia,
the Middle East and North America using a respected team of senior
consultants. Matta is an accredited provider of Tiger Scheme training,
conducts regular research and is the developer behind the webcheck
application scanner, and colossus network scanner.
https://www.trustmatta.com
https://www.trustmatta.com/webapp_va.html
https://www.trustmatta.com/network_va.html
https://www.trustmatta.com/training.html
=====================================================================
Disclaimer and Copyright
Copyright (c) 2011 Matta Consulting Limited. All rights reserved.
This advisory may be distributed as long as its distribution is
free-of-charge and proper credit is given.
The information provided in this advisory is provided "as is" without
warranty of any kind. Matta Consulting disclaims all warranties, either
express or implied, including the warranties of merchantability and
fitness
for a particular purpose. In no event shall Matta Consulting or its
suppliers be liable for any damages whatsoever including direct,
indirect,
incidental, consequential, loss of business profits or special damages,
even if Matta Consulting or its suppliers have been advised of the
possibility of such damages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQEcBAEBAgAGBQJO35HHAAoJEKXMIWKFD6qpSrUH/ApJ7WgGlWPEX6pCQTkG36m/
xTkIaLGCaUyA+mkQ4MmHtBjNvd+rgA8B4V/gXOl4n6Cq2OwpuPhIO4ZFZWlKORiU
JMp93glgp96TeozqlR8P+J9zJ+6gJCOtQm74lQkXbd1P914/7PpedOp845/HgA7M
RCsvDDJ4WL2BwOeQAnWWeSYnEOuKiJFZbeRPeIm3dLqsDCy9i9hRdBEdZN5433c5
jzBgF4zSuBn/8B5ebpfnQTqojxPeuasJ6Hfa9cCk71pE1hla2bfc5hcv8XjGavug
IqxWhYyAiyejQfVESf+FVRdhBr8ypz8IzeBlzImyTWZuowMPtP9yZoEQBc7CHgo=
=LnHW
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists