Full Disclosure – Veeam Backup Enterprise Manager Service v9

Vendor: Veeam
Product: Veeam Backup Enterprise Manager Service v9.0.0.902
Type of vulnerability: Multiple Cross Site Scripting (one reflected, two persistent/stored)
CVSS: 4.1 (AV:A/AC:L/Au:S/C:P/I:P/A:N)
CVE: requested
Exploit-DB:
OSVDB:

Discovered by: GoSecure!
Date of discovery: 16 September 2016
First contact with vendor: 18 September 2016 – Case Id: 01702458
Patching date: 24 March 2016
Full Disclosure: 25 March 2016

Details:
Multiple cross site scripting web vulnerabilities have been discovered in Veeam Backup Enterprise Manager Service v9.0.0.902.
Authenticated users are able to inject their own malicious JavaScript code, which executes in the browser of other users of the affected web application and lets the attacker hijack their sessions.

The issues are located in:
1 – Configuration > Search Server > Add > “DNS name” field – reflected XSS
2 – Configuration > Backup Server > Add > “Server description” field – stored XSS
3 – Jobs > “Description” field – stored XSS injected via remote backup server

The security risk of the client-side web vulnerabilities is estimated as medium, with an overall CVSS (Common Vulnerability Scoring System) score of 4.1. An attacker can hijack the victim's session or, through the injected script, perform every action the victim can perform in the web application.

Proof of Concept (PoC):
The cross site scripting web vulnerabilities can be exploited by an authenticated user who wants to escalate privileges or impersonate another user of the web application. To reproduce the vulnerabilities, follow the steps below.

1 – Configuration > Search Server > Add > “DNS name” field – reflected XSS
Attacker injection and activation:
– Go to Configuration > Search Server
– click the Add button
– insert the following string in the “DNS name or IP …” field and click OK
<iframe width="300" height="150">
– the injected markup is reflected into the response and rendered

2 – Configuration > Backup Server > Add > “Server description” field – stored XSS
Attacker injection and activation:
– Go to Configuration > Backup Server
– click the Add button
– add a server and insert the following string in the “Server description” field
<iframe onload=alert('GoSecure!')>
– point the mouse over the description of the new server: the script is executed

Alternatively, edit the description of an existing server.

3 – Jobs > “Description” field – stored XSS injected via remote backup server
Attacker injection:
– Go to a Veeam Backup & Replication server that is managed by the Veeam Backup Enterprise Manager server
– In “Home” > “Managed server” click on a job type (e.g. File Copy)
– Create a new job and insert the following description:
<iframe onload=alert('Peru GoSecure!')></iframe>
– Complete the creation of the job and click Finish.

Victim activation:
– Open the Enterprise Manager web interface
– In Jobs, point the mouse over the description of the new job: the script is executed.

Note that, although this third issue still requires an authenticated user, the attacker does not need any account on Enterprise Manager itself: a malicious user who can create jobs on a managed Backup & Replication server injects code into a different application (the Enterprise Manager web interface) and obtains a session there when an Enterprise Manager user hovers over the job description.
Because the injected JavaScript runs in the Enterprise Manager origin, it can submit requests (for example POST data) with the victim's session and therefore do everything the victim can do in the Enterprise Manager web interface.

Remediation:
https://www.veeam.com/kb2114
