Path: blob/master/documentation/modules/exploit/windows/backupexec/ssl_uaf.md
## Vulnerability Summary

The Backup Exec Remote Agent for Windows is vulnerable to a use-after-free in its handling of SSL/TLS-wrapped NDMP connections. If SSL/TLS is established on an NDMP connection, ended, and then re-established, the agent re-uses previously freed SSL/TLS structures. This allows remote code execution over an unauthenticated network connection.
## Vulnerable Application

Backup Exec consists of a server component as well as remote agents that are installed on each host that should be backed up by the server.

There are remote agents available for a range of data sources, including operating-system level agents for Windows and Linux hosts' local filesystems, application-specific agents for Microsoft Exchange, SharePoint, Active Directory, etc., and agents for virtual machines such as VMware or Hyper-V instances. This exploit targets the Windows OS-level remote agents, which are the most common type in a typical Backup Exec deployment on a Windows-based network. The agents are installed as services running by default as the `NT AUTHORITY\SYSTEM` user.
A trial version of Backup Exec can be downloaded from Veritas' website; currently the download is available here.
## Vulnerability Description

The agent accepts NDMP connections on TCP port 10000. The vendor-specific `0xF383` NDMP packet type allows NDMP connections to be wrapped in an SSL/TLS session. Sub-type `4` initiates the SSL/TLS handshake; once it completes, the client and server continue the NDMP session inside the SSL/TLS session.

The agent uses OpenSSL to handle these SSL/TLS sessions. When an SSL/TLS session is created, the agent creates the necessary OpenSSL structures, including a `struct BIO` built from the connection's network socket with `BIO_new_socket`. When the SSL/TLS session ends, this structure is freed by a call to `BIO_free` made from within `SSL_free`.

However, if an SSL/TLS session is then re-established on the same NDMP connection, the previously freed `BIO` is re-used in the new SSL/TLS session even though it is no longer allocated. The `BIO` is stored during the first session setup as a member of the `CSecuritySSLConnection` class and retrieved from that member during the second session setup, despite the earlier call to `SSL_free` having freed it. This is a use-after-free: the `BIO` contains a pointer (`BIO_METHOD *method`) to a table of function pointers used for operations such as reading from and writing to the wrapped object (in this case, the network socket).

By overwriting the freed `BIO` with controlled data, it is possible to gain remote code execution when OpenSSL calls one of these function pointers.
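The lifecycle just described, as an added example that is not OpenSSL or Backup Exec code: a small C model of the cached-`BIO` pattern with the vulnerable session teardown beside a fixed one. The `BIO`, `BIO_METHOD`, `SSL` and `CSecuritySSLConnection` shapes are reduced to what the bug needs, the heap is a fixed array of `BIO`-sized slots reused most-recently-freed-first (standing in for one LFH bucket) so the stale pointer can be inspected without undefined behaviour, and `spray`/`attacker_read` model the overwrite step. All of that is an assumption of the model, not the module's actual heap technique.

```c
#include <stdio.h>
#include <stdlib.h>

/* Reduced shapes of the OpenSSL objects involved (model, not OpenSSL). */
typedef struct bio BIO;
typedef struct {
    int (*bread)(BIO *b, char *buf, int len);   /* the function pointer OpenSSL calls on a read */
} BIO_METHOD;
struct bio {
    const BIO_METHOD *method;
    int fd;
};
typedef struct {
    BIO *rbio;                                  /* owned by the SSL after SSL_set_bio(); freed by SSL_free() */
} SSL;
typedef struct {
    int fd;
    BIO *bio;                                   /* the agent's own copy of the pointer: the root of the bug */
    SSL *ssl;
} CSecuritySSLConnection;

/* Deterministic stand-in for a heap bucket: fixed BIO-sized slots, lowest free slot handed out first,
 * so a freed slot is the next one returned, as a freed LFH chunk would be. */
#define HEAP_SLOTS 8
static BIO heap[HEAP_SLOTS];
static int heap_live[HEAP_SLOTS];

static void heap_reset(void) { for (int i = 0; i < HEAP_SLOTS; i++) heap_live[i] = 0; }
static BIO *bio_alloc(const BIO_METHOD *m, int fd) {
    for (int i = 0; i < HEAP_SLOTS; i++)
        if (!heap_live[i]) { heap_live[i] = 1; heap[i].method = m; heap[i].fd = fd; return &heap[i]; }
    return NULL;
}
static int socket_read(BIO *b, char *buf, int len) { (void)b; (void)buf; (void)len; return 0; } /* stands in for recv() */
static const BIO_METHOD socket_method = { socket_read };
static BIO *BIO_new_socket(int fd) { return bio_alloc(&socket_method, fd); }
static void BIO_free(BIO *b) { heap_live[b - heap] = 0; }
int bio_is_live(const BIO *b) { return heap_live[b - heap]; }

static SSL *SSL_new(void) { return calloc(1, sizeof(SSL)); }
static void SSL_set_bio(SSL *s, BIO *b) { s->rbio = b; }
static void SSL_free(SSL *s) { BIO_free(s->rbio); free(s); }    /* OpenSSL frees the BIOs it owns */
static int SSL_read(SSL *s, char *buf, int len) { return s->rbio->method->bread(s->rbio, buf, len); }

/* Session setup: create a BIO the first time, otherwise re-use the cached one. */
static void session_start(CSecuritySSLConnection *c) {
    if (c->bio == NULL) c->bio = BIO_new_socket(c->fd);
    c->ssl = SSL_new();
    SSL_set_bio(c->ssl, c->bio);
}
/* Vulnerable teardown: SSL_free() frees c->bio, but the cached pointer is left in place. */
static void vuln_session_end(CSecuritySSLConnection *c) {
    SSL_free(c->ssl);
    c->ssl = NULL;
}
/* Fixed teardown: drop the cached pointer together with the SSL that owned it. */
static void fixed_session_end(CSecuritySSLConnection *c) {
    SSL_free(c->ssl);
    c->ssl = NULL;
    c->bio = NULL;                              /* next session_start() builds a fresh BIO */
}

/* Attacker side (model): same-size chunks whose method table points at attacker code. */
static int attacker_read(BIO *b, char *buf, int len) { (void)b; (void)buf; (void)len; return 0x41; }
static const BIO_METHOD attacker_method = { attacker_read };
static void spray(int n) { for (int i = 0; i < n; i++) bio_alloc(&attacker_method, -1); }

/* Session 1, teardown, spray, session 2, read. Returns whatever the BIO read dispatch produced:
 * 0 means the socket method ran, 0x41 means the attacker's method ran. */
int replay(int fixed) {
    heap_reset();
    CSecuritySSLConnection c = { 7, NULL, NULL };
    session_start(&c);
    if (fixed) fixed_session_end(&c); else vuln_session_end(&c);
    spray(1);                                   /* reclaims the slot the first BIO occupied */
    session_start(&c);
    int r = SSL_read(c.ssl, NULL, 0);
    if (fixed) fixed_session_end(&c); else vuln_session_end(&c);
    return r;
}

/* 1 if, after the vulnerable teardown, the cached pointer still refers to a freed slot. */
int cached_bio_dangles_after_vuln_end(void) {
    heap_reset();
    CSecuritySSLConnection c = { 7, NULL, NULL };
    session_start(&c);
    vuln_session_end(&c);
    return c.bio != NULL && !bio_is_live(c.bio);
}

int main(void) {
    printf("vulnerable teardown: read dispatched to 0x%x\n", replay(0));
    printf("fixed teardown:      read dispatched to 0x%x\n", replay(1));
    return 0;
}
```

The fix is the single `c->bio = NULL` after `SSL_free`; an equivalent alternative in real OpenSSL is to take an extra reference with `BIO_up_ref` before `SSL_set_bio` so the connection object owns its own copy, but either way the connection must never hand a pointer to the next session that it no longer owns.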
## Verification Steps

1. Install the Backup Exec server on a host.
2. Install the Backup Exec Remote Agent for Windows on another host, either manually or through the server's remote agent installation feature. Note that in this contrived test situation you should let the agent run for a few minutes before continuing so it can finish its initial startup work, which otherwise interferes with the exploit's heap manipulation.
3. Start `msfconsole`.
4. Select the module and configure it with, at minimum, the address of the host running the remote agent:
5. Check that the service is running and potentially vulnerable with the `check` command.
6. Select a target version using `set target [TARGET]`.
7. Select a payload and its options; for example:
8. Start the exploit using the `exploit` command.
9. Hopefully get a `NT AUTHORITY\SYSTEM` shell 😃

An example session is as follows:
## Options

Apart from the usual exploit module options such as `RHOST`, the module has a few exploit-specific options. These should not normally need to be changed from their default values, as the exploit picks suitable values for them depending on the target selected.

- `NumSpraySockets`: The number of sockets connected to the remote agent in order to spray stage 1 of the exploit, which should overwrite the freed `BIO`.
- `NumTLSSpraySockets`: The number of sockets connected to the remote agent in order to spray TLS extensions. This is used to massage the low fragmentation heap in order to increase the chances of stage 1 successfully overwriting the freed `BIO`.
- `NumTriggerAttempts`: The number of attempts made to trigger the use-after-free for Windows 8+ targets, where it is possible to retry calling the overwritten function pointer multiple times.
## Scenarios

The Backup Exec Remote Agent for Windows is installed on each host that has local filesystems that should be backed up. These agents listen on the network for NDMP connections (on port 10000), appearing in Nmap scans with scripts enabled as follows:

(Note that the `ndmp-version` script fails to execute because it does not send an `NDMP_CONNECT_OPEN` request before querying version information with the `NDMP_CONFIG_GET_HOST_INFO` request. This exploit module's `check` command carries this query out successfully.)
While the exploit is not guaranteed to gain RCE (see the module's description), in practice the agent is often installed widely across a Windows domain on a range of hosts (including file servers and domain controllers). This means that usually at least one instance of the agent will give a shell on a server where it is easy enough to escalate further from `SYSTEM` to Domain Administrator.