
Restorepoint 3.2-Evaluation Remote Root Command Execution

Posted Dec 8, 2011
Authored by Tavaris Desamito | Site trustmatta.com

The 3.2 evaluation image of Restorepoint is vulnerable to a remote command execution vulnerability in the remote_support.cgi script prior to license activation.

tags | exploit, remote, cgi
advisories | CVE-2011-4201, CVE-2011-4202
SHA-256 | 2ba071b3366e0b276ade67905a48b2cefde4a0fc3b57bab0aa5fac1af8e646c1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Matta Consulting - Matta Advisory
https://www.trustmatta.com
Restorepoint Remote root command execution vulnerability

Advisory ID: MATTA-2011-003
CVE reference:
CVE-2011-4201 - Code injection vulnerability
CVE-2011-4202 - Privilege escalation through insecure file permissions
Affected platforms: Tadasoft Restorepoint
Version: 3.2-evaluation
Date: 2011-October-20
Security risk: Critical
Vulnerability: Remote root command execution
Researcher: Tavaris Desamito
Vendor Status: Notified, Patch available
Vulnerability Disclosure Policy:
https://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt
Permanent URL:
https://www.trustmatta.com/advisories/MATTA-2011-003.txt

=====================================================================
Introduction:

Restorepoint is a network appliance backup and disaster recovery system
from Tadasoft.
More information can be found on the following page:
http://www.restorepoint.com/restorepoint/

=====================================================================
Vulnerability:

The 3.2 evaluation image of Restorepoint is vulnerable to a remote
command execution vulnerability in the remote_support.cgi script prior
to license activation. By supplying a semicolon followed by a Unix
shell command to the pid1 or pid2 parameters in conjunction with the
stop_remote_support parameter, an unauthenticated remote attacker can
execute commands on the Restorepoint appliance with the privileges of
the www user. The Common Vulnerabilities and Exposures (CVE) project
has assigned the name CVE-2011-4201 to this issue. This is a candidate
for inclusion in the CVE list (http://cve.mitre.org), which
standardizes names for security problems.
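The defect class above is a process-id parameter spliced unchecked into a shell command line. The following is an added example written for this page, not code from the advisory or from the Restorepoint product: it shows the flawed pattern next to a hardened handler that validates pid1/pid2 as strict integers and signals the process through an argv list with no shell, plus a small detector that flags non-numeric pid values in captured query strings. The query strings are constructed samples, and the exact parameter layout of the real remote_support.cgi beyond the three parameter names the advisory mentions is an assumption.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

# Strict PID syntax: positive decimal integer, no leading zeros and no
# shell metacharacters. Anything else is rejected before a command is built.
PID_RE = re.compile(r"^[1-9][0-9]{0,9}$")
PID_MAX = 4194304  # Linux upper bound for pid_max (kernel constant)


def parse_query(query: str) -> Dict[str, List[str]]:
    """Split a CGI query string into a name -> decoded values map.
    Splitting only on '&' keeps a ';' inside a value visible to us."""
    params: Dict[str, List[str]] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def unsafe_shell_line(pid: str) -> str:
    """The flawed pattern, for contrast only (never executed here): the
    raw parameter lands in a shell command string, so a ';' in it ends
    'kill' and starts a second command, as the advisory describes."""
    return f"kill {pid}"


def parse_pid(value: str) -> Optional[int]:
    """Return the PID as an int, or None if the value is not a clean PID."""
    if not PID_RE.fullmatch(value):
        return None
    pid = int(value)
    return pid if pid <= PID_MAX else None


def stop_remote_support(params: Dict[str, List[str]],
                        run: Callable[..., object]) -> bool:
    """Hardened handler: both pid parameters must validate, and the
    signal is sent via an argv list (no shell), so metacharacters are
    never interpreted. `run` takes the subprocess.run signature.
    Returns False when the request is rejected."""
    pids: List[int] = []
    for name in ("pid1", "pid2"):
        pid = parse_pid(params.get(name, [""])[0])
        if pid is None:
            return False
        pids.append(pid)
    run(["kill", *map(str, pids)], check=False)
    return True


def flag_suspicious(query: str) -> List[Tuple[str, str]]:
    """Detection over a raw query string (e.g. from a web access log):
    (parameter, decoded value) pairs whose pid value is not a clean
    PID, the signature of an injection attempt against this script."""
    params = parse_query(query)
    hits: List[Tuple[str, str]] = []
    for name in ("pid1", "pid2"):
        for value in params.get(name, []):
            if parse_pid(value) is None:
                hits.append((name, value))
    return hits


# Constructed sample query strings (not taken from any real log).
SAMPLE_QUERIES = [
    "stop_remote_support=1&pid1=1234&pid2=1235",
    "stop_remote_support=1&pid1=1234;ls&pid2=1235",
    "stop_remote_support=1&pid1=%31%32%33%34%3b%20ls&pid2=7",
]

if __name__ == "__main__":
    calls: List[List[str]] = []
    recorder = lambda argv, **kw: calls.append(argv)  # dry run, no kill
    for q in SAMPLE_QUERIES:
        accepted = stop_remote_support(parse_query(q), run=recorder)
        print(f"{q!r}: suspicious={flag_suspicious(q)} accepted={accepted}")
    print("argv lists that would have been executed:", calls)
```

In production `stop_remote_support` would be called with `subprocess.run`; the demo passes a recording callable so nothing is signalled. The detector works on the decoded value, so percent-encoded separators are caught as well as literal ones.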

Given that the Restorepoint appliance uses a Linux kernel compiled in
2009, obtaining root access is trivial.

Furthermore, Restorepoint uses sudo in order to run a number of scripts
with root access. As a large number of these scripts can be modified by
the www user, root access can be obtained directly through Restorepoint
functionality, without relying on additional exploits. The Common
Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2011-4202 to this issue.
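The second issue is a configuration check a defender can automate: any sudo rule that lets the web user run a script as root is only as strong as the permissions on that script and its directory. The following audit is an added example written for this page, not code from the advisory or from the appliance: it parses user specifications from a sudoers-style text, and for the given user reports targets that the user could alter (target writable, parent directory writable, or an unrestricted ALL rule). The sudoers text, the paths and the file ownership table are constructed, and www being uid/gid 33 is an assumption; on a real host the default `stat_fn` reads the filesystem.

```python
import os
import re
import stat
from typing import Callable, Dict, List, Set, Tuple

StatRecord = Tuple[int, int, int]  # (uid, gid, permission bits)

# One sudoers user specification:  user  hosts = (runas) TAGS: cmd, cmd
SUDOERS_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
SKIP_KEYWORDS = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def os_stat_record(path: str) -> StatRecord:
    """Real filesystem lookup; raises FileNotFoundError like os.stat."""
    st = os.stat(path)
    return (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


def writable_by(record: StatRecord, uid: int, gids: Set[int]) -> bool:
    """Can a process with this uid and group set write the object?"""
    owner, group, mode = record
    if mode & stat.S_IWOTH:
        return True
    if mode & stat.S_IWGRP and group in gids:
        return True
    return bool(mode & stat.S_IWUSR) and owner == uid


def parse_sudoers(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (user, runas user, [executable path or 'ALL']) per user
    spec. Comments, Defaults and alias lines are skipped; only the first
    token of each command (the path) is kept, arguments are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0] in SKIP_KEYWORDS:
            continue
        m = SUDOERS_LINE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        cmds = []
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            if spec:
                cmds.append("ALL" if spec.upper() == "ALL" else spec.split()[0])
        entries.append((m.group("user"), runas, cmds))
    return entries


def audit_sudo_targets(sudoers_text: str, user: str, uid: int, gids: Set[int],
                       stat_fn: Callable[[str], StatRecord] = os_stat_record
                       ) -> List[Dict[str, str]]:
    """Targets `user` may run via sudo that `user` could also alter first:
    the executable is writable, or its directory is (so it can be
    replaced), or the rule is an unrestricted ALL."""
    findings: List[Dict[str, str]] = []
    for entry_user, runas, cmds in parse_sudoers(sudoers_text):
        if entry_user != user:
            continue
        for cmd in cmds:
            reasons: List[str] = []
            if cmd == "ALL":
                reasons.append("unrestricted ALL rule")
            else:
                try:
                    if writable_by(stat_fn(cmd), uid, gids):
                        reasons.append("target writable")
                except FileNotFoundError:
                    reasons.append("target missing")
                try:
                    if writable_by(stat_fn(os.path.dirname(cmd) or "/"), uid, gids):
                        reasons.append("parent directory writable")
                except FileNotFoundError:
                    pass
            if reasons:
                findings.append({"command": cmd, "runas": runas, "reason": "; ".join(reasons)})
    return findings


# Constructed sample (assumption: www is uid/gid 33); not the appliance's data.
WWW_UID, WWW_GIDS = 33, {33}
SAMPLE_SUDOERS = """
Defaults env_reset
www ALL=(root) NOPASSWD: /usr/local/bin/backup.sh, /usr/local/bin/restart.sh
www ALL=(root) NOPASSWD: /var/www/scripts/cleanup.sh
www ALL=(root) NOPASSWD: /sbin/reboot
admin ALL=(ALL) ALL
"""
FAKE_FS: Dict[str, StatRecord] = {
    "/usr/local/bin": (0, 0, 0o755),
    "/usr/local/bin/backup.sh": (33, 33, 0o755),  # owned by www: editable
    "/usr/local/bin/restart.sh": (0, 0, 0o755),   # root-owned, fine
    "/var/www/scripts": (0, 33, 0o775),           # www group can replace files
    "/var/www/scripts/cleanup.sh": (0, 0, 0o755),
    "/sbin": (0, 0, 0o755),
    "/sbin/reboot": (0, 0, 0o755),
}


def fake_stat(path: str) -> StatRecord:
    try:
        return FAKE_FS[path]
    except KeyError:
        raise FileNotFoundError(path) from None


def run_sample_audit() -> List[Dict[str, str]]:
    return audit_sudo_targets(SAMPLE_SUDOERS, "www", WWW_UID, WWW_GIDS, stat_fn=fake_stat)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f['command']} (runas {f['runas']}): {f['reason']}")
```

A finding means the sudo rule effectively grants root to the listed user; the fix is to make the target and its directory root-owned and not group- or world-writable, or to drop the rule. Scripts that source other writable files inherit the same problem, which this check does not follow.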

=====================================================================
Impact:

Anyone who is able to connect to Restorepoint on port 443 between
powering up the appliance and before the appliance is license activated
is able to obtain root level shell access to the appliance.

The Restorepoint appliance is used to back up the configurations of
network devices and as such, the Restorepoint appliance holds
credentials for all the devices it backs up, which in most cases will
be privileged accounts that allow reconfiguration of the network
devices.

If someone was able to compromise the security of the Restorepoint
appliance in the period between powering up the appliance and before
the appliance is license activated, an attacker is then able to go on
to compromise the security of all devices backed up by Restorepoint.

Having achieved this, an attacker may reposition and begin to
compromise the rest of the network by using the Restorepoint appliance
to launch further attacks.

=====================================================================
Versions affected:

Version 3.2 - evaluation image
The vendor reports that they maintain different trees for evaluation
and licensed copies of their software. The version available to
licensed customers is not vulnerable to this issue. Moreover, all
appliances including evaluations use a built-in auto-update mechanism
upon license activation that downloads additional software components
and security updates, which ensures their customers are using the
latest version of the product. The vendor reports that the evaluation
image would have been patched if the evaluation license had been
applied.

Matta have not confirmed this at this stage.

=====================================================================
Threat mitigation:

Anyone with evaluation versions of Restorepoint prior to 3.2 should
activate the license, at which point the software is automatically
updated.

Matta suggests that affected parties running this version of the
software restrict access to port 443 on their Restorepoint appliances
to only allow trusted administrators to connect.

The vendor reports that the latest available evaluation image (3.3) is
not vulnerable to this issue. Moreover, the vendor reports that the 3.2
evaluation image would have been patched if an evaluation license was
applied.

In this case, Matta recommends that users activate their appliance to
be able to download the necessary software components and security
updates.

=====================================================================
Credits

This vulnerability was discovered and researched by Tavaris Desamito
from Matta Consulting.

=====================================================================
History

20-10-11 initial discovery
24-10-11 initial attempt to contact the vendor
24-10-11 vendor response received and draft advisory supplied
25-10-11 vendor feedback received
14-11-11 advisory draft updated
... more interactions with the vendor
04-12-11 advisory draft updated
07-12-11 public disclosure

=====================================================================
About Matta

Matta is a privately held company with headquarters in London, and a
European office in Amsterdam. Established in 2001, Matta operates in
Europe, Asia, the Middle East and North America using a respected team
of senior consultants. Matta is an accredited provider of Tiger Scheme
training, conducts regular research and is the developer behind the
webcheck application scanner, and colossus network scanner.
https://www.trustmatta.com
https://www.trustmatta.com/webapp_va.html
https://www.trustmatta.com/network_va.html
https://www.trustmatta.com/training.html

=====================================================================
Disclaimer and Copyright

Copyright (c) 2011 Matta Consulting Limited. All rights reserved.
This advisory may be distributed as long as its distribution is
free-of-charge and proper credit is given.
The information provided in this advisory is provided "as is" without
warranty of any kind. Matta Consulting disclaims all warranties, either
express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Matta Consulting or
its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or
special damages, even if Matta Consulting or its suppliers have been
advised of the possibility of such damages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJO35HHAAoJEKXMIWKFD6qpSrUH/ApJ7WgGlWPEX6pCQTkG36m/
xTkIaLGCaUyA+mkQ4MmHtBjNvd+rgA8B4V/gXOl4n6Cq2OwpuPhIO4ZFZWlKORiU
JMp93glgp96TeozqlR8P+J9zJ+6gJCOtQm74lQkXbd1P914/7PpedOp845/HgA7M
RCsvDDJ4WL2BwOeQAnWWeSYnEOuKiJFZbeRPeIm3dLqsDCy9i9hRdBEdZN5433c5
jzBgF4zSuBn/8B5ebpfnQTqojxPeuasJ6Hfa9cCk71pE1hla2bfc5hcv8XjGavug
IqxWhYyAiyejQfVESf+FVRdhBr8ypz8IzeBlzImyTWZuowMPtP9yZoEQBc7CHgo=
=LnHW
-----END PGP SIGNATURE-----
