DataDomainOS Remote Root
Here's a bug I found a bit more than a year ago.
I think some of you will enjoy it.
Data Domain is a leading company in data storage and backup solutions.
Data Domain storage systems optimize data protection and disaster recovery (DR) performance.
Data Domain offers a comprehensive range of products to meet the near line storage needs of enterprises of all sizes,
as they seek to reduce costs and simplify data management. Data Domain systems support all leading enterprise backup and
archiving applications for seamless integration into existing IT infrastructures.
Over 1,800 enterprises customers around the world have purchased Data Domain systems.
The following applications are discussed in this post:
The Data Domain OS Enterprise Manager Restorer Web Interface is used as the main utility for managing backups and monitoring the system
(RAID information, job control, etc.).
The application combines multiple technologies to render the management web interface and display interactive content:
It is suspected that all versions of the Data Domain OS Enterprise Manager Restorer Web Interface up to and including 220.127.116.11-66000
are vulnerable to this security issue.
No advisory from Data Domain regarding this issue is known at this time.
The following information could be gathered from the target system:
The Data Domain OS Enterprise Manager Restorer Web Interface listens on 0.0.0.0:80 and 0.0.0.0:443; the
service on port 80 simply redirects to 443.
There is no known hardening guide or any security recommendations for these services.
Previous security issues
Data Domain Administration Interface Local Privilege Escalation Vulnerability
The bug was discovered on 15th May 2008
Vulnerability details (1)
The vulnerability can be triggered without any authentication and is classified as critical, as it leads to remote root compromise.
The bug is located in the file view.cgi, in the following snippet:
As we can see, the CGI script executes a shell command with parameters taken from the requested URL. The vulnerable variable is $retry_count, as we will see later.
The malicious request looks like this:
The working escape sequence in our case is a question mark or %0a.
And the result looks like this:
Where is the mistake located
At first sight everything seems to be pretty much in order.
We find a sanitize function for the GET variables:
This function is applied to all requests made to the target script, as we see here:
At this point it was interesting to compare the test result, where we successfully executed code on the target system, with a quick look at the code, where everything seems to be correctly sanitized.
But let us take a closer look at the handling of the GET variables:
Got it. The GET variable $auth_retry_count, which is used in our malicious request, is copied here into a local variable called $retry_count before it gets sanitized.
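The ordering defect described above, as an added Python stand-in (not the view.cgi source, which is not reproduced here): the parameter is copied into a local before the parameter hash is sanitized, so the local keeps the raw value. The `sanitize` routine, the `/usr/bin/restorer` path and the sample queries are constructed for the illustration; the hardened variant shows the fix a defender wants, an allowlist check on the value plus an argv list that never touches a shell.

```python
import re
from urllib.parse import parse_qs

# Constructed stand-in for the CGI's sanitize routine: strips shell
# metacharacters from every value in the parameter hash, in place.
def sanitize(params: dict) -> None:
    for key, values in params.items():
        params[key] = [re.sub(r"[;&|`$<>\n]", "", v) for v in values]

def vulnerable_build(query: str) -> str:
    """Mirrors the defect: the value is copied to a local *before* the
    hash is sanitized, so the local still carries the raw input."""
    params = parse_qs(query, keep_blank_values=True)
    retry_count = params.get("auth_retry_count", [""])[0]  # copied first
    sanitize(params)                                       # too late for retry_count
    return f"/usr/bin/restorer --retry {retry_count}"      # would be handed to a shell

def hardened_argv(query: str) -> list:
    """Allowlist the value (a 1-3 digit integer) and return an argv list
    for subprocess.run(argv) with shell=False, so metacharacters are inert."""
    params = parse_qs(query, keep_blank_values=True)
    raw = params.get("auth_retry_count", [""])[0]
    if not re.fullmatch(r"[0-9]{1,3}", raw):
        raise ValueError("auth_retry_count must be a 1-3 digit integer")
    return ["/usr/bin/restorer", "--retry", raw]

def is_rejected(query: str) -> bool:
    """True if the hardened path refuses the query."""
    try:
        hardened_argv(query)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    benign = "auth_retry_count=3"
    # Constructed hostile query: an encoded newline (%0a) terminates the
    # intended command, the input class the post describes.
    hostile = "auth_retry_count=3%0aecho%20injected"
    print(repr(vulnerable_build(hostile)))  # newline survives into the command string
    print(hardened_argv(benign))
    print("hostile rejected:", is_rejected(hostile))
```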
Vulnerability details (2)
As we saw, the first vulnerability allows us to execute commands on the target system. But we need to be root for a full system compromise.
Here we discuss a local privilege escalation found during the same audit.
The Data Domain OS provides its own local shell, to be used by clients to monitor the system and its jobs, execute specific commands, and create or modify existing jobs.
Let us take a closer look at the help description:
The affected option is –se, which allows us to execute predefined commands as root, without any authentication.
With this option we can modify the ownership and permissions of the binary so that our backdoor is suid root.
We will see here how to chain the multiple stages together to achieve a full remote root compromise.
For a full compromise in our example we need:
There are some character limitations, such as the quote and +, and there are surely others that I did not catch during my tests.
The impact is a simple but effective remote command execution with Apache's privileges. But with the right combination we achieve a full remote root compromise of the box.
And as the system is a pure black box with no shell access for clients, except the proprietary DDShell which is provided with the DataDomain OS, it is a paradise for attackers.
And those systems are not monitored at all.
© 2015 coma. All rights reserved.
Disclaimer: There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk.
In no event shall the author be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.