Unitrends Enterprise Backup bpserverd Privilege Escalation
It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system. This is very similar to exploits/linux/misc/ueb9_bpserverd however it runs against the localhost by dropping a python script on the local file system. Unitrends stopped bpserverd from listening remotely on version 10.
- Cale Smith
- Benny Husted
- Jared Arave
- UEB <= 10.0
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/local/ueb_bpserverd_privesc msf exploit(ueb_bpserverd_privesc) > show targets ...targets... msf exploit(ueb_bpserverd_privesc) > set TARGET <target-id> msf exploit(ueb_bpserverd_privesc) > show options ...show and set options... msf exploit(ueb_bpserverd_privesc) > exploit