CVE-2017-12479
published 2017-08-07


Priority: P2 69 · high 8.8 · CVSS 3.0
Vector: AV:N AC:L PR:L UI:N S:U C:H I:H A:H
Exploit: public exploit available
EPSS: 11.81% (95.6th percentile)
It was discovered that an issue in the session logic in Unitrends Backup (UB) before 10.0.0 allowed using the LOGDIR environment variable during a web session to elevate an existing low-privilege user to root privileges. A remote attacker with existing low-privilege credentials could then execute arbitrary commands with root privileges.

Affected

1 range

Vendor   Product           Version range   Fixed in
kaseya   unitrends_backup  <= 9.1          (not listed)

Detection & IOCs (extracted from sources)

url    /api/login
url    /api/summary/current/
path   /var/www/html/tempPDF/
url    /tempPDF/shell.php
path   /usr/bp/logs.dir/gui_root.log
other  AuthToken
  • Monitor for POST requests to /api/login followed immediately by GET requests to /api/summary/current/ with a modified AuthToken header containing a base64-encoded path pointing to /var/www/html/tempPDF/ — this is the two-step exploit sequence.
  • Detect AuthToken header values that base64-decode to a token where the LOG_DIR field (4th colon-delimited field) contains a web-accessible path such as /var/www/html/tempPDF/ instead of the expected /usr/bp/logs.dir/ prefix.
  • Alert on creation of any .php file under /var/www/html/tempPDF/ — the exploit drops a random-named PHP webshell and a shell.php file in this directory.
  • The LOGDIR environment variable manipulation during a web session is the root cause; monitor for privilege escalation from low-privilege web session users to root on Unitrends Backup versions before 10.0.0.
  • The exploit was tested specifically against appliance version 9.1.0-2.201611302120.CentOS6; the exploit path /var/www/html/tempPDF/ is hardcoded because apache has read-write access there on this version. The path may differ on other builds.
  • The random 5-character lowercase .php filename for the initial webshell means file-name-based detection must use a pattern match (e.g., /tempPDF/[a-z]{5}.php) rather than a static filename; shell.php is always the final cleaned-up shell.
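The three detections above, run over constructed request records, as an added example that is not part of this advisory or of Unitrends' code. It assumes a JSON-lines log from a proxy or WAF that records the AuthToken request header (ordinary web-server access logs do not), and it assumes a `user:session:ts:LOG_DIR` token layout purely so that sample tokens can be built; the only layout fact taken from the advisory is that LOG_DIR is the 4th colon-delimited field. The sample addresses, session values and the `kqzvm.php` filename are made up.

```python
import base64
import json
import re

# Paths and prefixes taken from the advisory's IOC list.
EXPECTED_LOGDIR_PREFIX = "/usr/bp/logs.dir/"
WEBROOT_PREFIX = "/var/www/html/"
LOGIN_PATH = "/api/login"
SUMMARY_PATH = "/api/summary/current/"
# Random 5-char lowercase dropper name, plus the final shell.php.
WEBSHELL_RE = re.compile(r"^/tempPDF/(?:[a-z]{5}|shell)\.php$")


def make_token(user, session, ts, logdir):
    """Build a base64 AuthToken for the samples below.
    The 'user:session:ts:LOG_DIR' layout is an assumption of this example;
    only 'LOG_DIR is the 4th colon-delimited field' comes from the advisory."""
    return base64.b64encode(f"{user}:{session}:{ts}:{logdir}".encode()).decode()


def token_logdir(value):
    """Return the LOG_DIR (4th colon-delimited field) of a base64 AuthToken,
    or None when the value does not decode or has fewer than four fields."""
    try:
        fields = base64.b64decode(value, validate=True).decode("utf-8").split(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return fields[3] if len(fields) >= 4 else None


def classify_logdir(logdir):
    """'ok' for the expected /usr/bp/logs.dir/ tree (or no LOG_DIR at all),
    'webroot' when it points under the Apache docroot, else 'unexpected'."""
    if logdir is None or logdir.startswith(EXPECTED_LOGDIR_PREFIX):
        return "ok"
    if logdir.startswith(WEBROOT_PREFIX):
        return "webroot"
    return "unexpected"


def analyze(lines):
    """Run the three detections over JSON-lines request records and
    return (src, reason) alerts in log order."""
    alerts = []
    previous_path = {}  # src -> path of that client's previous request
    for line in lines:
        rec = json.loads(line)
        src, method, path = rec["src"], rec["method"], rec["path"]
        # Detections 1 and 2: summary call whose AuthToken LOG_DIR left the log
        # tree, noted when it directly follows that client's /api/login POST.
        if method == "GET" and path == SUMMARY_PATH and "authtoken" in rec:
            verdict = classify_logdir(token_logdir(rec["authtoken"]))
            if verdict != "ok":
                reason = f"AuthToken LOG_DIR {verdict}"
                if previous_path.get(src) == LOGIN_PATH:
                    reason += " right after /api/login"
                alerts.append((src, reason))
        # Detection 3: request for a dropped webshell under /tempPDF/.
        if WEBSHELL_RE.match(path):
            alerts.append((src, f"webshell path {path}"))
        previous_path[src] = path
    return alerts


# Constructed sample records (not real logs): one benign session, one exploit
# session, one unrelated PDF download.
SAMPLE_LOG = [
    json.dumps({"src": "10.0.0.5", "method": "POST", "path": LOGIN_PATH}),
    json.dumps({"src": "10.0.0.5", "method": "GET", "path": SUMMARY_PATH,
                "authtoken": make_token("ops", "s1", "1502092800", EXPECTED_LOGDIR_PREFIX)}),
    json.dumps({"src": "203.0.113.7", "method": "POST", "path": LOGIN_PATH}),
    json.dumps({"src": "203.0.113.7", "method": "GET", "path": SUMMARY_PATH,
                "authtoken": make_token("guest", "s2", "1502092860", "/var/www/html/tempPDF/")}),
    json.dumps({"src": "203.0.113.7", "method": "GET", "path": "/tempPDF/kqzvm.php"}),
    json.dumps({"src": "203.0.113.7", "method": "GET", "path": "/tempPDF/shell.php"}),
    json.dumps({"src": "10.0.0.9", "method": "GET", "path": "/tempPDF/report.pdf"}),
]

if __name__ == "__main__":
    for src, reason in analyze(SAMPLE_LOG):
        print(f"{src}: {reason}")
```

Running the file prints three alerts, all for 203.0.113.7: the summary call whose LOG_DIR points into the docroot directly after its login, then the two webshell requests. The benign session is silent because its LOG_DIR stays under /usr/bp/logs.dir/, and the `report.pdf` download does not match the five-lowercase-letter `.php` pattern. The LOG_DIR check is deliberately an allow-list on the expected prefix rather than a block-list on /var/www/html/, so a token rewritten to any other directory still surfaces as "unexpected".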

CVSS provenance

nvd  v3.0  8.8  HIGH  CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  9.0  HIGH  AV:N/AC:L/Au:S/C:C/I:C/A:C