CVE-2018-6329
Published 2018-03-14
Priority: P1 · 81 · Critical · CVSS 3.0 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (see Exploit-DB entries below)
EPSS: 62.46% (99.1th percentile)
It was discovered that the Unitrends Backup (UB) before 10.1.0 libbpext.so authentication could be bypassed with a SQL injection, allowing a remote attacker to place a privilege escalation exploit on the target system and subsequently execute arbitrary commands.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| unitrends | backup | < 10.1.10 | 10.1.10 |
Detection & IOCs (extracted from sources)
- The exploit targets Unitrends UEB versions up to and including 10.0.x; version 10.1.0 and later are not vulnerable. Additionally, bpserverd was restricted from listening remotely starting in version 10, so the local privesc path (via localhost:1743) is the relevant attack vector for v10.x.
- The Metasploit module targets only x86 architecture (ARCH_X86); detections or mitigations scoped to other architectures may not apply.
- The exploit was tested specifically against CentOS 6 appliance builds; behavior on other OS variants is unconfirmed.
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
Exploit-DB: Unitrends Enterprise Backup - bpserverd Privilege Escalation (Metasploit)
Source: exploitdb · 2018-11-29 · CVE-2018-6329
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Unitrends Enterprise Backup bpserverd Privilege Escalation',
  'Description' => %q{
    It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd,
    has an issue in which its authentication can be bypassed. A remote attacker could use this
    issue to execute arbitrary commands with root privilege on the target system.
    This is very similar to exploits/linux/misc/ueb9_bpserverd however it runs against the
    localhost by dropping a python script on the local file system. Unitrends stopped
    bpserverd from listening remotely on version
```
Exploit-DB: Unitrends UEB 10.0 - Root Remote Code Execution
Source: exploitdb · 2018-03-16 · CVSS 9.8 · CVE-2018-6329 [CRITICAL]
---
```python
# Exploit Title: Unauthenticated root RCE for Unitrends UEB 10.0
# Date: 10/17/2017
# Exploit Authors: Cale Smith, Benny Husted, Jared Arave
# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
# Vendor Homepage: https://www.unitrends.com/
# Software Link: https://www.unitrends.com/download/enterprise-backup-software
# Version: 10.0.0
# Tested on: 10.0.0-2.201706252204.CentOS6, 10.0.0-5.201708151911.CentOS6
# CVE: CVE-2018-6328, CVE-2018-6329

import httplib
import urllib
import ssl
import random
import sys
import base64
import string
import socket
from optparse import OptionParser

# Print some helpful words:
print """
##################################################################
```
Metasploit: Unitrends Enterprise Backup bpserverd Privilege Escalation
It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system. This is very similar to exploits/linux/misc/ueb9_bpserverd however it runs against the localhost by dropping a python script on the local file system. Unitrends stopped bpserverd from listening remotely on version 10.
No writeups or analysis indexed.
References
- https://support.unitrends.com/UnitrendsBackup/s/article/000001150
- https://support.unitrends.com/UnitrendsBackup/s/article/000006003
- https://www.exploit-db.com/exploits/44297/
- https://www.exploit-db.com/exploits/45913/