Zmanda Management Console 3.3.9 - RCE (CVE-2019-19469)
Weak default credentials in combination with missing input validation allow a remote attacker to execute arbitrary code on a server using the Zmanda Management Console 3.3.9.
It's possible to execute whitelisted commands via the following link, which has no CSRF protection: https://10.123.45.6/ZMC_Admin_Advanced?form=adminTasks&action=Apply&command=
"Only the following non-interactive commands are permitted: amadmin, amcheckdb, amcleanup, amdump, amflush, amlabel, amlabel, amreport, amrmtape, bzip2, chgrp, chmod, chown, cp, date, df, diff, du, echo, env, file, find, grep, gzip, head, ls, lsattr, lsscsi, man, md5sum, mkdir, mt, mtx, mv, nslookup, ping, ps, pstree, sha1sum, sha224sum, sha256sum, sha384sum, sha512sum, sort, star, stty, tail, tar, top, traceroute, tree, uname, uptime"
Clicking the following link will execute the "echo" command displaying the string "test":
By abusing the piping feature via "echo test | whoami" it's possible to bypass the restriction to execute the "whoami" command:
Leveraging that behavior allows an attacker to execute arbitrary code, for example via a Python reverse shell. Clicking the following link will make the server connect to s3cur3.eu on port 8080 and spawn a /bin/sh shell:
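The bypass described above works because the console checks only the first token of a shell string before handing it to a shell. As an added illustration (this is not the console's own code; `naive_allowed`, `hardened_argv` and `run_allowed` are assumptions modelled on the behaviour the advisory describes), the following contrasts a first-token check with a validator that rejects shell metacharacters and runs the command as an argv list without a shell:

```python
import re
import subprocess

# Whitelist exactly as quoted in the console's own error message above.
ALLOWED = {
    "amadmin", "amcheckdb", "amcleanup", "amdump", "amflush", "amlabel",
    "amreport", "amrmtape", "bzip2", "chgrp", "chmod", "chown", "cp", "date",
    "df", "diff", "du", "echo", "env", "file", "find", "grep", "gzip", "head",
    "ls", "lsattr", "lsscsi", "man", "md5sum", "mkdir", "mt", "mtx", "mv",
    "nslookup", "ping", "ps", "pstree", "sha1sum", "sha224sum", "sha256sum",
    "sha384sum", "sha512sum", "sort", "star", "stty", "tail", "tar", "top",
    "traceroute", "tree", "uname", "uptime",
}

# Allow-list of characters per argument: no |, ;, &, $, `, quotes, redirects, globs.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_./=:,@+%-]+$")


def naive_allowed(cmdline: str) -> bool:
    """Assumed shape of the vulnerable check: only the first word is inspected.
    'echo test | whoami' passes because 'echo' is whitelisted."""
    tokens = cmdline.split()
    return bool(tokens) and tokens[0] in ALLOWED


def hardened_argv(cmdline: str):
    """Return an argv list safe to run without a shell, or None if rejected.
    Splitting on whitespace and allow-listing characters means a pipe,
    subshell or redirect can never reach a shell interpreter."""
    argv = cmdline.split()
    if not argv or argv[0] not in ALLOWED:
        return None
    if not all(SAFE_TOKEN.match(tok) for tok in argv):
        return None
    return argv


def run_allowed(cmdline: str, timeout: float = 10.0):
    """Execute a validated command with shell=False; returns stdout or None."""
    argv = hardened_argv(cmdline)
    if argv is None:
        return None
    proc = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout
```

Note that character filtering alone is still not a complete fix: several whitelisted programs (for example `find` with `-exec`, `env`, `man` and `top`) can launch other executables, so their arguments need their own restrictions or the commands should be dropped from the list.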
Combined with the weak default credentials, network fingerprinting techniques make it possible to exploit the vulnerability automatically when an employee connected to the internal network visits a specially crafted website.
The vulnerability was disclosed to Zmanda prior to publishing these details. Slides from my BSides Lisbon presentation can be found here.