CVE-2017-12479
Published: 2017-08-07
Priority: P2 (69) · Severity: high · CVSS 3.0 base score: 8.8
CVSS 3.0 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 11.81% (95.6th percentile)
It was discovered that an issue in the session logic in Unitrends Backup (UB) before 10.0.0 allowed using the LOGDIR environment variable during a web session to elevate an existing low-privilege user to root privileges. A remote attacker with existing low-privilege credentials could then execute arbitrary commands with root privileges.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kaseya | unitrends_backup | <= 9.1 | — |
Detection & IOCs (extracted from sources)
- Monitor for POST requests to /api/login followed immediately by GET requests to /api/summary/current/ with a modified AuthToken header containing a base64-encoded path pointing to /var/www/html/tempPDF/ — this is the two-step exploit sequence.
- Detect AuthToken header values that base64-decode to a token where the LOG_DIR field (4th colon-delimited field) contains a web-accessible path such as /var/www/html/tempPDF/ instead of the expected /usr/bp/logs.dir/ prefix.
- Alert on creation of any .php file under /var/www/html/tempPDF/ — the exploit drops a random-named PHP webshell and a shell.php file in this directory.
- The LOGDIR environment variable manipulation during a web session is the root cause; monitor for privilege escalation from low-privilege web session users to root on Unitrends Backup versions before 10.0.0.
- The exploit was tested specifically against appliance version 9.1.0-2.201611302120.CentOS6; the exploit path /var/www/html/tempPDF/ is hardcoded because apache has read-write access there on this version — this path may differ on other builds.
- The random 5-character lowercase .php filename for the initial webshell means file-name-based detection must use a pattern match (e.g., /tempPDF/[a-z]{5}.php) rather than a static filename, though shell.php is always the final cleaned-up shell.
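The three detection notes above (the login-then-summary request pair, the tampered LOG_DIR field inside the base64 AuthToken, and the .php drop under /var/www/html/tempPDF/) can be turned into a small offline check. The following Python is an added example written for this page, not code from Unitrends, Kaseya, or the exploit author. It assumes only what the notes state: the token is colon-delimited and LOG_DIR is its 4th field; the other field names in the constructed sample tokens, the request-log record shape, and the IP addresses are assumptions made for the example.

```python
import base64
import re
from typing import Optional

# Values taken from the detection notes on this page.
EXPECTED_LOGDIR_PREFIX = "/usr/bp/logs.dir/"
WEB_ROOT = "/var/www/html/"
LOGIN_PATH = "/api/login"
SUMMARY_PATH = "/api/summary/current/"
LOGDIR_FIELD_INDEX = 3  # LOG_DIR is the 4th colon-delimited field of the decoded token
# Dropped file is either a random 5-lowercase-letter name or the final shell.php.
WEBSHELL_NAME_RE = re.compile(r"^/var/www/html/tempPDF/(?:[a-z]{5}|shell)\.php$")


def encode_token(fields):
    """Build a colon-delimited, base64-encoded token. Used here only to construct
    sample data; the real token's other fields are not documented on this page."""
    return base64.b64encode(":".join(fields).encode()).decode()


def decode_token(header_value) -> Optional[list]:
    """Base64-decode an AuthToken header value and split it into its fields.
    Returns None when the value is not valid base64 / UTF-8."""
    try:
        raw = base64.b64decode(header_value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return raw.split(":")


def check_logdir(header_value) -> Optional[str]:
    """Return a finding if the token's LOG_DIR field is not under the expected
    prefix (worst case: it points into the web root), otherwise None."""
    fields = decode_token(header_value)
    if fields is None or len(fields) <= LOGDIR_FIELD_INDEX:
        return None  # not a token of the expected shape; nothing to judge
    logdir = fields[LOGDIR_FIELD_INDEX]
    if logdir.startswith(EXPECTED_LOGDIR_PREFIX):
        return None
    if logdir.startswith(WEB_ROOT):
        return f"LOG_DIR points into web root: {logdir}"
    return f"LOG_DIR outside expected prefix: {logdir}"


def find_exploit_sequences(requests):
    """Flag a POST /api/login immediately followed (same source) by a
    GET /api/summary/current/ whose AuthToken carries a tampered LOG_DIR.
    `requests` is an ordered list of dicts: src, method, path, auth_token."""
    alerts = []
    pending_login = {}  # src -> True while the last request from src was a login
    for req in requests:
        src = req["src"]
        if req["method"] == "POST" and req["path"] == LOGIN_PATH:
            pending_login[src] = True
            continue
        # Only the request directly after the login counts as the second step.
        if pending_login.pop(src, False) and req["method"] == "GET" and req["path"] == SUMMARY_PATH:
            finding = check_logdir(req.get("auth_token") or "")
            if finding:
                alerts.append({"src": src, "reason": finding})
    return alerts


def is_webshell_drop(created_path) -> bool:
    """True for a file-creation event matching the page's /tempPDF/[a-z]{5}.php
    pattern or the final shell.php."""
    return WEBSHELL_NAME_RE.match(created_path) is not None


# Constructed sample traffic: one benign session and one tampered session.
BENIGN_TOKEN = encode_token(["alice", "42", "sess0001", "/usr/bp/logs.dir/alice/", "0"])
TAMPERED_TOKEN = encode_token(["alice", "42", "sess0002", "/var/www/html/tempPDF/", "0"])
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "POST", "path": "/api/login", "auth_token": None},
    {"src": "10.0.0.5", "method": "GET", "path": "/api/summary/current/", "auth_token": BENIGN_TOKEN},
    {"src": "10.0.0.9", "method": "POST", "path": "/api/login", "auth_token": None},
    {"src": "10.0.0.9", "method": "GET", "path": "/api/summary/current/", "auth_token": TAMPERED_TOKEN},
]
# Constructed file-creation events under the hardcoded drop directory.
SAMPLE_FILE_EVENTS = [
    "/var/www/html/tempPDF/qwert.php",
    "/var/www/html/tempPDF/report.pdf",
    "/var/www/html/tempPDF/shell.php",
]

if __name__ == "__main__":
    for alert in find_exploit_sequences(SAMPLE_REQUESTS):
        print(f"ALERT {alert['src']}: {alert['reason']}")
    for path in SAMPLE_FILE_EVENTS:
        if is_webshell_drop(path):
            print(f"ALERT webshell-style file created: {path}")
```

Run against the constructed sample, only the 10.0.0.9 session and the two .php creations are flagged; a token that is not valid base64 or has fewer than four fields is ignored rather than alerted on, so malformed headers do not flood the detector. On a real appliance the expected prefix and the drop directory should be confirmed against the installed build, since the page notes the path is specific to 9.1.0-2.201611302120.CentOS6.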
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
No detection rules found.
No writeups or analysis indexed.