Attacking backup softwares


Presentation on "Attacking Backup Softwares" at nullcon 2012, Goa


1. Attacking Backup Softwares
   Nibin Varghese, iViZ Security

2. Agenda
   - Role of backup softwares
   - History of backup software vulnerabilities
   - Demonstration of the Symantec Backup Exec NDMP MiTM attack

3. Role of Backup Softwares
   - "To protect valuable data"
   - From a security perspective, can we really rely on them?

4. History of Backup Software Vulnerabilities
   - Symantec Backup Exec: CVE-2011-0547, CVE-2011-0546, CVE-2009-3027, CVE-2009-0651, CVE-2008-5407, CVE-2008-5408, CVE-2007-6016, CVE-2007-6017, CVE-2008-4339, CVE-2008-2512, CVE-2008-0457, CVE-2007-4346, CVE-2007-4347 and more...
   - HP Data Protector: CVE-2011-3156, CVE-2011-3157, CVE-2011-3158, CVE-2011-3159, CVE-2011-3160, CVE-2011-3161, CVE-2011-3162, CVE-2011-0921, CVE-2011-0922, CVE-2011-0923, CVE-2011-0924, CVE-2011-0514, CVE-2011-2399 and more...

5. Why are backup softwares good targets?
   - Critical data is backed up to prevent loss
   - What would be an attacker's motivation?
   - If I am looking for confidential information, do I have to pwn all the machines in a network?
     OR
   - Look for a software that is trusted by all machines in a network
   - A vulnerability in backup software can provide the sweet spot to steal confidential information.
   - I will demonstrate one such vulnerability:
     "CVE-2011-0546: Symantec Backup Exec NDMP MiTM Attack"

6. Symantec Backup Exec Software
   - Short demo of the software
     - DMA, or the client
     - DSP, or the server

7. CVE-2011-0546 Symantec Backup Exec NDMP MiTM Attack
   - Timeline of disclosure
     - Bug discovered in early 2009
     - Disclosed to the vendor in Jan 2010
     - Vendor confirmation in Mar 2010
     - Patch released on 26th May 2011
     - iViZ advisory published on 27th May 2011
     - PoC published to exploit-db in July 2011

8. Hunt for the bug
   - Started with a survey of Symantec Backup Software
     - Product sheets for features
     - Closely looked at the technologies it implements
     - Available open ports for communication
   - Short baby steps to fuzzing
     - Blind fuzzing on open ports: failed
     - Fuzzing with captured packets: failed
     - Protocol-based fuzzing (NDMP): failed

9. Hunt for the bug (cont.)
   - What is the Network Data Management Protocol (NDMP)?
     - Based on a client-server model
     - Allows data transfers between various storage devices connected over a network
     - Data channel and control channel
   - Challenges in fuzzing NDMP
     - Driven by a state machine
     - Sequence of commands is important
   - As part of my survey, I found an academic paper, "Security Analysis of the NDMP Protocol" [1]

10. Security Analysis of the NDMP Protocol
   - Passive attacks on the data channel
     - If the attacker has network access, he can capture data channel traffic
   - Active attacks
     - NDMP uses sequence numbering with no message authentication
     - MiTM attack on the NDMP MD5 auth scheme

11. NDMP MD5 auth scheme (exchange between Client and Server)
   1. Client sends a request to authenticate
   2. Server sends a 64-byte challenge
   3. Client sends a hash of the credentials
   4. Server authenticates the client
   5. Client executes post-authentication commands

12. MiTM attack on the NDMP MD5 auth scheme (exchange between Client, Attacker and Server)
   1. Client requests to authenticate (to the attacker)
   2. Attacker replays the request to authenticate (to the server)
   3. Server sends a 64-byte challenge (to the attacker)
   4. Attacker replays the 64-byte challenge (to the client)
   5. Client sends the hash of the credentials (to the attacker)
   6. Attacker replays the hash of the credentials (to the server)
   7. Server authenticates the attacker
   8. Attacker executes post-authentication commands
13. Practical validation of the MiTM attack
   - Possible attack vector #1
   - Objective is to impersonate a client to the server
     - No ARP poisoning
   - Looking for more clues in the Symantec Backup Exec software
     - Two open ports
       - 6101/TCP at the DMA
       - 10000/TCP at the DSP (NDMP)

14. Backup Exec Agent Browser at DMA
   - Backup Exec Remote Agent (DSP) publishes host details to the media servers (which run the DMA)
     - NetBIOS name
     - IP address
   - Establishes a TCP/IP socket connection to port 6101/TCP at the media server
   - The packet is processed by the Backup Exec Agent Browser (benetns.exe) at the DMA

15. (Packet layout figure; only the field labels survive: identifies the type of host, IP address of the host, NetBIOS name of the host)

16. Backup Exec Agent Browser at DMA
   - Publish fake hosts by changing the IP address
   - The DMA successfully processes the packet with no validation of the source
     - Even though it is a TCP packet and not a UDP packet
   - Good enough for us to pass the attacker off as a valid DSP

17. Combining both attack vectors
   - Attack vector #1: MiTM attack on NDMP MD5 auth
   - Attack vector #2: spoof a valid DSP with the attacker's IP
   - Result: MiTM attack on Symantec Backup Exec to steal information from the DSP

18. MiTM attack sequence
   1. Attacker publishes fake details to DMA@6101/TCP
   2. Attacker starts a fake NDMP server@10000/TCP
   3. Client connects to the attacker's fake server
   4. Client requests authentication
   5. Attacker connects to Server@10000/TCP
   6. Attacker requests authentication on the server
   7. Server sends a challenge to the attacker
   8. Attacker sends the challenge to the client
   9. Client sends the authentication credentials back to the attacker
   10. Attacker uses these credentials to authenticate to the victim server
   11. Attacker is authenticated and instructs the server to open a data channel
   12. Attacker opens an NDMP data channel
   (Diagram: Client (DMA), Attacker and Server (DSP), with the same messages over 6101/TCP and 10000/TCP)
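The challenge/response relay of slides 11, 12 and 18, as an added Python model that is not part of the talk's PoC: it abstracts the NDMP MD5 response as MD5(password || challenge) (an assumption; the real byte layout is not reproduced) to show why a fake server can forward the challenge and replay the answer, and then adds a hypothetical channel-bound variant, not part of NDMP, in which the response also commits to the server identity the client believes it is talking to, so the relayed answer no longer verifies. All names, identities and the password are constructed.

```python
import hashlib
import hmac
import os

# Abstract model of the NDMP MD5 challenge/response (assumption: NDMP's exact
# byte layout is not reproduced; only "depends on secret + challenge" matters).
def md5_response(password: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(password + challenge).digest()

# Hypothetical hardened variant (added here, not part of NDMP): the response
# also commits to the identity of the server the client believes it talks to.
def bound_response(password: bytes, challenge: bytes, server_id: bytes) -> bytes:
    return hmac.new(password, challenge + server_id, hashlib.sha256).digest()

class DataServer:
    """Server (DSP) side: issues a 64-byte challenge and checks the answer."""
    def __init__(self, password: bytes, identity: bytes):
        self.password, self.identity, self.challenge = password, identity, b""
    def new_challenge(self) -> bytes:
        self.challenge = os.urandom(64)
        return self.challenge
    def verify(self, response: bytes, bound: bool) -> bool:
        expected = (bound_response(self.password, self.challenge, self.identity)
                    if bound else md5_response(self.password, self.challenge))
        return hmac.compare_digest(expected, response)

class Client:
    """Client (DMA) side: answers whatever challenge its peer hands it."""
    def __init__(self, password: bytes):
        self.password = password
    def answer(self, challenge: bytes, peer_id: bytes, bound: bool) -> bytes:
        return (bound_response(self.password, challenge, peer_id)
                if bound else md5_response(self.password, challenge))

PASSWORD = b"constructed-backup-secret"      # constructed sample values
REAL_DSP = b"dsp.example:10000"
FAKE_DSP = b"attacker.example:10000"

def run_direct(bound: bool) -> bool:
    """Client talks to the real DSP directly; must succeed in both schemes."""
    server, client = DataServer(PASSWORD, REAL_DSP), Client(PASSWORD)
    return server.verify(client.answer(server.new_challenge(), REAL_DSP, bound), bound)

def run_relay(bound: bool) -> bool:
    """Slide 18 flow: a fake server forwards the real challenge and replays the answer."""
    server, client = DataServer(PASSWORD, REAL_DSP), Client(PASSWORD)
    challenge = server.new_challenge()                    # attacker <- real DSP
    response = client.answer(challenge, FAKE_DSP, bound)  # client -> fake DSP
    return server.verify(response, bound)                 # attacker -> real DSP
```

With the same password and challenge, run_relay(False) succeeds and run_relay(True) fails, while run_direct succeeds either way. The binding only helps if the identity the client mixes in is one it verified out of band; an identity learned from the unauthenticated announcement of slide 16 would simply be redirected along with the connection.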
19. Ready for the PoC demo?
   - Scope for the PoC
     - Exploit the weakness in NDMP to execute post-authentication commands
   - Out of scope
     - Reverse engineering all the proprietary NDMP commands
   - Demo

20. References
   - iViZ Security Advisory
   - Symantec Advisory
   - [1] Security Analysis of the NDMP Protocol
   - NDMP Specification
   - Exploit DB entry for the PoC

21. Questions

22. Thank you