CVE-2017-12477
Published: 2017-08-07
Priority: P183 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (see the Exploit-DB and Metasploit entries below)
EPSS: 68.22% (99.2th percentile)
It was discovered that the bpserverd proprietary protocol in Unitrends Backup (UB) before 10.0.0, as invoked through xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kaseya | unitrends_backup | < 10.0 | 10.0 |
Detection & IOCs (extracted from sources)
Bytes: `\xa5\x52\x00\x2d\x00\x00\x00[packet_len]\x00\x00\x00\x01\x00\x00\x00\x4c\x00\x00\x00[cmd_len][cmd]\x00\x00\x00`
- Monitor for inbound TCP connections to port 1743 (the xinetd bpserverd listener); this port is the initial entry point for CVE-2017-12477 exploitation.
- Detect packets beginning with the magic bytes `\xa5\x52\x00\x2d` on TCP port 1743; this is the fixed header of the malicious bpserverd command injection packet.
- Alert on a two-stage TCP connection pattern: a client connects to port 1743, parses a dynamic port from the server banner (last 8–3 bytes), then immediately opens a second connection to that dynamic port. This pattern is characteristic of bpserverd exploitation.
- Look for processes spawned as root by xinetd/bpserverd that execute shell commands (e.g., bash reverse shells or arbitrary OS commands), indicating a successful authentication bypass.
- The Metasploit module targets linux/x86 with a default payload of linux/x86/meterpreter/reverse_tcp and uses a printf-based CmdStager with linemax 200; hunt for short printf-staged payloads written to /tmp on Unitrends appliances.
- Unitrends appliances running UEB version 9.1.0-2.201611302120.CentOS6 are confirmed vulnerable; inventory and prioritize patching of these specific build strings.
- The dynamic bpd port is not fixed: it is returned in the xinetd banner and varies per session. Detection rules on port 1743 must also account for follow-on connections to this ephemeral port.
- The exploit requires the second (bpd) connection to be established even if command output is not needed; blocking only port 1743 is insufficient, and the dynamic bpd port must also be firewalled.
- Commands longer than 240 bytes may not execute reliably via this exploit; staged payloads using short commands (linemax 200) are used to work around this limit.
CVSS provenance
- NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD (CVSS v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
Exploit-DB: Unitrends UEB 9 - bpserverd Authentication Bypass Remote Command Execution (Metasploit)
exploitdb · 2017-10-23 · CVSS 9.8
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Unitrends UEB bpserverd authentication bypass RCE',
  'Description' => %q{
    It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd,
    has an issue in which its authentication can be bypassed. A remote attacker could use this
    issue to execute arbitrary commands with root privilege on the target system.
  },
  'Author' =>
    [
      'Jared Arave', # @iotennui
      'Cale Smith',  # @0xC413
      'Benny Husted' # @BennyHusted
    ],
  'License' => MSF_LICENSE,
  'Platform' => 'linux',
  'Arch' => [ARCH_X86],
  'CmdStagerFlavor' => [ 'printf' ],
  'R
```
Exploit-DB: Unitrends UEB 9.1 - 'Unitrends bpserverd' Remote Command Execution
exploitdb · 2017-08-08 · CVSS 9.8
---
```python
# Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1
# Date: 08/08/2017
# Exploit Authors: Jared Arave, Cale Smith, Benny Husted
# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
# Vendor Homepage: https://www.unitrends.com/
# Software Link: https://www.unitrends.com/download/enterprise-backup-software
# Version: 9.1
# Tested on: CentOS6
# CVE: CVE-2017-12477

import socket
import binascii
import struct
import time
import sys
from optparse import OptionParser

print """
###############################################################################
Unauthenticated root RCE for Unitrends UEB 9.1
Tested against appliance versions:
[+] 9.1.0-2.201611302120
```
Metasploit: Unitrends UEB bpserverd authentication bypass RCE
metasploit
It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system.
No writeups or analysis indexed.