CVE-2017-12478
Published 2017-08-07
Priority P1 85 · critical · 9.8 (CVSS 3.1)
Exploit available (see the Exploit-DB and Metasploit entries below)
EPSS: 78.27% (99.5th percentile)
It was discovered that the api/storage web interface in Unitrends Backup (UB) before 10.0.0 has an issue in which one of its input parameters was not validated. A remote attacker could use this flaw to bypass authentication and execute arbitrary commands with root privilege on the target system.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kaseya | unitrends_backup | < 10.0 | 10.0 |
Detection & IOCs (extracted from sources)
- Detect SQLi authentication bypass by inspecting the AuthToken HTTP header for the pattern 'UNION SELECT -1' or the base64-encoded equivalent of the known bypass string.
- Alert on HTTP POST requests to /api/storage or /api/hosts containing backtick characters (`) in JSON body fields such as 'hostname' or 'share_name', indicating command injection attempts.
- Monitor for HTTP GET requests to /api/systems/details with an AuthToken header containing a base64-encoded SQLi string as a pre-exploitation check/fingerprint step.
- Flag HTTP 500 responses from /api/storage following a POST with a crafted AuthToken, as the exploit expects a 500 response upon successful command injection.
- Detect use of the X-Requested-With: XMLHttpRequest header combined with a crafted AuthToken on POST requests to /api/storage as an indicator of exploit tooling.
- CVE-2017-12478 affects UEB v9 (api/storage, runs as root); a related but distinct vulnerability, CVE-2018-6328, affects UEB v10 (api/hosts, runs as a limited user). The Metasploit module covers both.
- The exploit was tested specifically against appliance version 9.1.0-2.201611302120.CentOS6; detection rules should account for CentOS6-based deployments.
- The exploit communicates exclusively over HTTPS (port 443) with SSL enabled by default; network detection must inspect TLS traffic or rely on endpoint/log-based detection.
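The detection heuristics listed above, written out as one small rule set over decoded HTTP request records. This is an added example, not code from the page or from any of the referenced exploit modules; the request record shape, the rule names and the sample tokens are assumptions constructed for illustration.

```python
import base64
import binascii
import json
import re

# Constructed sample requests (not real traffic): one dict per HTTP request,
# in the shape a log pipeline might hand to a detection rule.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/api/storage",
     "headers": {"AuthToken": base64.b64encode(b"constructed UNION SELECT -1 sample").decode(),
                 "X-Requested-With": "XMLHttpRequest"},
     "body": '{"share_name": "`placeholder`"}'},
    {"method": "GET", "path": "/api/systems/details",
     "headers": {"AuthToken": "constructed UNION SELECT -1 sample"}, "body": ""},
    {"method": "POST", "path": "/api/storage",
     "headers": {"AuthToken": base64.b64encode(b"normal-session-token").decode()},
     "body": '{"share_name": "backups"}'},
]

SQLI_PATTERN = re.compile(r"UNION\s+SELECT\s+-1", re.IGNORECASE)
CMDINJ_PATHS = {"/api/storage", "/api/hosts"}
CMDINJ_FIELDS = ("hostname", "share_name")

def token_variants(token):
    """Return the token as given, plus its base64-decoded form when it decodes cleanly."""
    variants = [token]
    try:
        variants.append(base64.b64decode(token, validate=True).decode("utf-8", "replace"))
    except (binascii.Error, ValueError):
        pass  # not base64: only the raw form is inspected
    return variants

def classify(req):
    """Return the names of the detection rules that fire for one request."""
    hits = []
    headers = req.get("headers", {})
    if any(SQLI_PATTERN.search(v) for v in token_variants(headers.get("AuthToken", ""))):
        hits.append("authtoken_sqli_bypass")
        if req["method"] == "GET" and req["path"] == "/api/systems/details":
            hits.append("pre_exploit_fingerprint")
        if (req["method"] == "POST" and req["path"] == "/api/storage"
                and headers.get("X-Requested-With") == "XMLHttpRequest"):
            hits.append("exploit_tooling_header")
    if req["method"] == "POST" and req["path"] in CMDINJ_PATHS:
        try:
            body = json.loads(req.get("body") or "{}")
        except ValueError:
            body = {}  # unparseable body: the backtick rule simply does not fire
        if any("`" in str(body.get(f, "")) for f in CMDINJ_FIELDS):
            hits.append("backtick_command_injection")
    return hits

def scan(requests):
    """Map request index to the rules it triggered; requests with no hits are omitted."""
    return {i: h for i, h in ((i, classify(r)) for i, r in enumerate(requests)) if h}
```

The 500-response rule is omitted because it needs the response side of the exchange, which these request records do not carry.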
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
Exploit-DB: Unitrends UEB - HTTP API Remote Code Execution (Metasploit)
exploitdb · 2018-10-08 · CVSS 9.8 · CVE-2018-6328 [CRITICAL]
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Unitrends UEB http api remote code execution',
'Description' => %q{
It was discovered that the api/storage web interface in Unitrends Backup (UB)
before 10.0.0 has an issue in which one of its input parameters was not validated.
A remote attacker could use this flaw to bypass authentication and execute arbitrary
commands with root privilege on the target system.
UEB v9 runs the api under root privileges and api/storage is vulnerable.
UEB v10 runs the api under limited privileges and api/hosts is vulnerable.
},
'Author' =>
[
'Cale Smith', # @0xC413
'Benny Husted', #
Exploit-DB: Unitrends UEB 9 - http api/storage Remote Root (Metasploit)
exploitdb · 2017-10-23 · CVSS 9.8 · CVE-2017-12478 [CRITICAL]
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Unitrends UEB 9 http api/storage remote root',
'Description' => %q{
It was discovered that the api/storage web interface in Unitrends Backup (UB)
before 10.0.0 has an issue in which one of its input parameters was not validated.
A remote attacker could use this flaw to bypass authentication and execute arbitrary
commands with root privilege on the target system.
},
'Author' =>
[
'Cale Smith', # @0xC413
'Benny Husted', # @BennyHusted
'Jared Arave' # @iotennui
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ARCH_X86],
'CmdStagerFlavor' => [ 'printf' ],
Exploit-DB: Unitrends UEB 9.1 - Authentication Bypass / Remote Command Execution
exploitdb · 2017-08-08 · CVSS 9.8 · CVE-2017-12478 [CRITICAL]
---
# Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1
# Date: 08/08/2017
# Exploit Authors: Cale Smith, Benny Husted, Jared Arave
# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
# Vendor Homepage: https://www.unitrends.com/
# Software Link: https://www.unitrends.com/download/enterprise-backup-software
# Version: 9.1
# Tested on: CentOS6
# CVE: CVE-2017-12478
import httplib
import urllib
import ssl
import random
import sys
import base64
import string
from optparse import OptionParser
# Print some helpful words:
print """
###############################################################################
Unauthenticated root RCE for Unitrends UEB 9.1
Tes
Metasploit: Unitrends UEB http api remote code execution
It was discovered that the api/storage web interface in Unitrends Backup (UB) before 10.0.0 has an issue in which one of its input parameters was not validated. A remote attacker could use this flaw to bypass authentication and execute arbitrary commands with root privilege on the target system. UEB v9 runs the api under root privileges and api/storage is vulnerable. UEB v10 runs the api under limited privileges and api/hosts is vulnerable.
No writeups or analysis indexed.