ush.it - a beautiful place

Veeam Backup & Replication Local Privilege Escalation Vulnerability

October 8, 2015 at 5:02 pm - Filed under Hacks - 1737 words, reading time ~5 minutes - Permalink - Comments

Pasquale "sid" Fiorillo found a critical vulnerability in Veeam Backup & Replication version 6, 7 and 8. At the time of writing this impact a very large of updated and outdated/legacy Veeam deployments. The vulnerability allows a local unprivileged user of a Windows guest to gain Local and/or Domain Administrator access when VeeamVixProxy is active, the de-facto default in VMWare and Hyper-V environments.

Veeam Backup & Replication Local Privilege Escalation Vulnerability

 Name              Sensitive Data Exposure in Veem Backup
 Systems Affected  Veeam Backup & Replication (B&R) v6, v6.5, v7, v8
 Severity          High 7.9/10
 Impact            CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
 Vendor            http://www.veeam.com/
 Advisory          http://www.ush.it/team/ush/hack-veeam_6_7_8/veeam.txt
 Authors           Pasquale "sid" Fiorillo (sid AT ush DOT it) 
                   Francesco "ascii" Ongaro (ascii AT ush DOT it)
                   Antonio "s4tan" Parata (s4tan AT ush DOT it)
 Date              20151002

I. BACKGROUND

Veeam Software provides backup, disaster recovery and virtualization 
management software for the VMware and Hyper-V environments. In 2012
Veeam gained more than 1200 employees worldwide, from 10 employees in
2008. It has more than 157'000 customers, 33'000 partners and 80 top 
industry awards and claims to be the "#1 VM Backup" solution after it
gained traction against competitors like Backup Exec and Tivoli Storage
Manager.

Veeam Backup & Replication is the foundation of many Veeam products,
like Veeam Availability Suite and Veeam One.

ISGroup is an Italian Information Security boutique, we found this 
0day issue while performing a Penetration Test for a customer, you
can discover more about ISGroup by visiting http://www.isgroup.biz/.

Responsible disclosure with Veeam: Veeam has no public security@ contact
and we worked with them through the ticket system opening a case using
one of our customer's assistance contract. We were unable to escape
from the sternness of this type of communication and move to PGP emails.

Their response anyway was pretty prompt, we spoke first with Denis
Bodnar and then escalate to Fred Bozhanov, Veeam Support Management. He
managed communication with the developers. We advise Veeam to give some
of their senior developers a "security team" mandate and to expose such 
team to external, direct, communication. The people we spoke to did 
their best and were extremely kind but they must be supported by a
corporate process.

Prior vulnerabilities in Veeam: It's very difficult to say if Veeam had
previous vulnerabilities, there are no CVE assigned to this vendor both
on Nist and to it's CPE (cpe:/:veeam). Information to customers of the
vulnerability is shown in the "other" section of the changelog: "Removed
weakly encrypted username and password logging from guest processing 
components using networkless (VIX) guest interaction mode. Veeam thanks 
Pasquale Fiorillo and Francesco Ongaro of ISGroup for vulnerability 
discovery.".

The latest version of the software at the time of writing can be 
obtained from:

http://www.veeam.com/kb2068
http://forums.veeam.com/veeam-backup-replication-f2/8-0-common-issues-and-fixes-t24157.html#p130849
http://www.veeam.com/vmware-esx-backup.html

II. DESCRIPTION

The vulnerability allows a local Windows user, even with low privileges
as the ones provided to an anonymous IIS's virtualhost user, to access
Veeam Backup logfiles that include a double-base64 encoded version of
the password used by Veeam to run.

The affected component is VeeamVixProxy, created by default on 
installation and the user must be a privileged Local Administrator or 
a Domain Administrator.

For example the wizard for adding a VMware or Hyper-V Backup Proxy
explicitly state "Type in an account with local administrator privileges
on the server you are adding. Use DOMAIN\USER format for domain 
accounts, or HOST\USER for local accounts.".

We conservatively refer to this issue as a Local Administrator Privilege
Escalation but the use of Domain Administrator accounts is not 
discouraged, if not advised, and we saw this pattern in our customer’s
production infrastructures.

TLDR: Anything able to read VeeamVixProxy logfiles, world readable by
default, can escalate to Local or Domain Administrator.

III. ANALYSIS

Veeam Backup & Replication (B&R) v6, v6.5, v7, v8 store VeeamVixProxy 
logfiles in a directory accessible by Everyone and with permissions
that make them readable by Everyone (Everyone is, in the Microsoft 
Windows terminology, the equivalent of the Unix’s nobody user).

Such logs, that are continuously generated, contain a Local or Domain
Administration user and password in an easily reversible (obfuscated)
format.

In versions of Veeam prior to 8 a bug prevented log rotation [3,4], on
older systems there could be a large amount of logs and thus an 
extensive history of past and current Local or Domain Administrator 
credentials.

A) Logfiles readable by Everyone

  As shown in http://www.veeam.com/kb1789 the default log path is

  Windows Server 2003: %allusersprofile%\Application Data\Veeam\Backup
  Windows Server 2008 and up: %programdata%\Veeam\Backup

  Our evidence is for Windows Server 2003, access to the needed files 
  are guaranteed to the Windows group "Everyone" so any local user, even
  the ones used to map IIS sites, can access them.

  This pose all the information contained in the logfiles at risk and
  is a violation of the principle of least privilege.

  https://en.wikipedia.org/wiki/Principle_of_least_privilege

B) Double encoded password in Logfiles

  The install/execution username and password is stored double-base64
  encoded in Veeam Backup "VeeamVixProxy" logfiles.

  Such files exists in "Veeam\Backup" with a name scheme as follows:

  VeeamVixProxy_%dd%mm%yyyy.log

  eg: VeeamVixProxy_16072015.log

  The password is present in multiple points of the log-file and the
  files are generated contentiously.

  In this scenario, a Local File Read vulnerability could lead to full
  system compromise given the fact that an attacker can re-use such
  credentials by RDP or RPC (eg: psexec).

  The log format leaking the credentials is:

  <date> <time> <number> Blob Data: <base64>

  eg: 01/07/2015 1.33.42 3936 Blob Data:
  IwAAAAoAAABWAGUAZQBhAG0AVQBzAGUAcgAQAAAAVQAyAFYAagBjAG0AVgAwAA

  The "<base64>" of interest has the following format:

  echo 'IwAAAAoAAABWAGUAZQBhAG0AVQBzAGUAcgAQAAAAVQAyAFYAagBjAG0AVgAwAA'\
  | base64 -d | hexdump -C
  00000000  23 00 00 00 0a 00 00 00  56 00 65 00 65 00 61 00 |#.......V.e.e.a.|
  00000010  6d 00 55 00 73 00 65 00  72 00 10 00 00 00 55 00 |m.U.s.e.r.....U.|
  00000020  32 00 56 00 6a 00 63 00  6d 00 56 00 30 00       |2.V.j.c.m.V.0.  |

  First byte is \x23 (#), followed by a NULL and a newline (\x0a),
  followed by a NULL. Next bytes specify the username, followed by
  a DLE (data link escape) and a NULL. Everything in the first base64
  container is in UTF16.

  echo -n "isgroup" | iconv -t UTF-16LE | hexdump -C

  What follows is the most interesting part, a base64 representation of
  the password.

  echo -en "U2VjcmV0" | base64 -d
  Secret

  Since the VeeamVixProxy files are continuously written the leak will
  occur even if administrators delete them. An official fix from Veeam 
  is needed in order to fully resolve the vulnerability.

  This vulnerability is especially dangerous when the "VeeamAdmin" 
  (or whenever you called it) is also a Domain Administration user.

IV. WORKAROUND

Update: on 8 October 2015 Veeam B&R 8.0 Update 3 has been released and
the vendor states it fixes the vulnerability. You are strongly advised
to update to the latest version. We did not investigate but will update
you on ush.it if needed.

Follow this steps to mitigate the issue meanwhile an official patch
is released:

If you are on Windows 2003 environment fix the permission on 
"%alluserprofile%\Application Data\Veeam\Backup" path so that only 
"Administrators" group can read it. 

If you are on Windows 2008 environment fix the permission on 
"%programdata%\Veeam\Backup\" so that only "Administrators" group can 
read it.

Create a scheduled task to delete this logfiles from disk.

VI. VENDOR RESPONSE

Vendor released Update 3 of Veeam B&R 8.0 that contains the proper 
security patch. At the time of this writing an official patch is 
currently available.

VII. CVE INFORMATION

Mitre assigned the CVE-2015-5742 for this vulnerability, internally to
Veeam it's referred as Case #00984117.

VIII. DISCLOSURE TIMELINE

20150723 Bug discovered
20150724 Vulnerability disclosed to ISGroup's Partners
20150805 Request for CVE to Mitre
20150805 Got CVE-2015-5742 from cve-assign (fast!)
20150806 Details disclosure to Support/Denis Bodnar and CVE
20150806 Escalation to Fred Bozhanov (fast!) will fix in Veeam B&R v8
20150818 Veeam closes the ticket
20150923 ISGroup asks for updates, no release date from vendor
20150923 We extend the disclosure date as 30 Sept will not be met
20151008 Veeam releases Update 3 for Version 8.0
20151008 Advisory disclosed to the public

IXI. REFERENCES

[1] Top 10 2013-A6-Sensitive Data Exposure
    https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure

[2] Access Control Cheat Sheet
    https://www.owasp.org/index.php/Access_Control_Cheat_Sheet

[3] http://forums.veeam.com/veeam-backup-replication-f2/veeamvix
    proxy-log-t20579.html
    User reporting 5.5 GB of VeeamVixProxy_date.log files

[4] http://forums.veeam.com/veeam-backup-replication-f2/feature-req
    uest-t28404.html
    User reporting 7 GB of VeeamVixProxy logs on 7.0.0.839

[4] http://www.veeam.com/kb1825
    How to Change the settings related to Veeam Backup & 
    Replication Log Files

[5] http://www.veeam.com/kb1789
    How to locate and collect VSS/VIX log files from Guest OS

XI. CREDIT

Pasquale "sid" Fiorillo, Francesco "ascii" Ongaro and Antonio "s4tan" 
Parata are credited with the discovery of this vulnerability.

Pasquale "sid" Fiorillo
web site: http://www.ush.it/
mail: sid AT ush DOT it

Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

Antonio "s4tan" Parata
web site: http://www.ush.it/
mail: s4tan AT ush DOT it

XI. LEGAL NOTICES

Copyright (c) 2015 Francesco "ascii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
THP USH Wisec DigitalBullets