Yosemite backup 8.7 DtbClsLogin() Buffer Overflow Vulnerability
Introduction:
There exists a vulnerability within a function in Yosemite Backup 8.7 which leads to remote compromise of the vulnerable system if properly exploited.
The vulnerability affects both Linux/Windows versions of Yosemite Backup 8.7.
Details:
From the vendor site:
"Yosemite Backup 8.7: server backup to disk and tape with support for physical and virtual environments"
"Backup software for the small-to-medium sized business that is easy to use, reliable, yet has the power to get the job done for a price designed for the SMB budget."
DtbClsLogin() exists in libytlindtb.so/ytwindtb.dll and, when properly exploited, triggers a stack overflow.
The vulnerability is triggered by sending a long request in the username field during authentication to a Yosemite Backup domain.
From gdb while debugging:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1378284656 (LWP 4840)]
0x41414141 in ?? ()
(gdb) where
#0 0x41414141 in ?? ()
#1 0x41414141 in ?? ()
#2 0x41414141 in ?? ()
#3 0x41414141 in ?? ()
#4 0x41414141 in ?? ()
#5 0x41414141 in ?? ()
#6 0x41414141 in ?? ()
#7 0x41414141 in ?? ()
#8 0x41414141 in ?? ()
#9 0x41414141 in ?? ()
#10 0x41414141 in ?? ()
#11 0x41414141 in ?? ()
#12 0x41414141 in ?? ()
#13 0x41414141 in ?? ()
#14 0x41414141 in ?? ()
#15 0x41414141 in ?? ()
#16 0x41414141 in ?? ()
#17 0x41414141 in ?? ()
#18 0x41414141 in ?? ()
#19 0x41414141 in ?? ()
#20 0x41414141 in ?? ()
#21 0x41414141 in ?? ()
#22 0x41414141 in ?? ()
#23 0xf6fef600 in ?? ()
#24 0xbed69e96 in ?? ()
#25 0x00deb6be in ?? ()
#26 0xb7ebc790 in DrvExt_System ()
from /usr/local/yosemite/yosemitebackup/lin/x86/libytlinsup.so
#27 0xb4a40580 in ?? () from /usr/local/yosemite/yosemitebackup/lin/x86/libytlindtb.so
#28 0x00806008 in ?? ()
#29 0xb4a39280 in ?? () from /usr/local/yosemite/yosemitebackup/lin/x86/libytlindtb.so
#30 0xb49e6f62 in DtbClsChangePassword ()
from /usr/local/yosemite/yosemitebackup/lin/x86/libytlindtb.so
#31 0x00806008 in ?? ()
#32 0x000001a4 in ?? ()
#33 0x0809c500 in ?? ()
#34 0xadd902d8 in ?? ()
#35 0x02000001 in ?? ()
#36 0x08087080 in ?? ()
#37 0xb49d4f07 in PrvDtbIoCommand ()
from /usr/local/yosemite/yosemitebackup/lin/x86/libytlindtb.so
#38 0x08087080 in ?? ()
#39 0x0000003a in ?? ()
#40 0xb4a39280 in ?? () from /usr/local/yosemite/yosemitebackup/lin/x86/libytlindtb.so
#41 0xadd902d8 in ?? ()
#42 0xb7d8ac98 in SvcIsValidInstanceIocmd ()
from /usr/local/yosemite/yosemitebackup/lin/x86/libytlinsup.so
#43 0xb7d8ac64 in SvcCallDriver ()
from /usr/local/yosemite/yosemitebackup/lin/x86/libytlinsup.so
#44 0x00000005 in ?? ()
#45 0x08087278 in ?? ()
#46 0x00000000 in ?? ()
(gdb) i r
eax 0x3fc 1020
ecx 0xb4a40580 -1264319104
edx 0x1 1
ebx 0x41414141 1094795585
esp 0xadd901e4 0xadd901e4
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x41414141 0x41414141
eflags 0x10296 [ PF AF SF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb)
I exploited this vulnerability on Linux, but under Windows it causes Yosemite to crash. Further analysis showed that DtbClsLogin() under Windows has an exception handling function that causes it to crash.
DtbClsLogin() disassembly under linux:
0xb48f126a <DtbClsLogin+638>: call 0xb48ef260 <PrvUnlockDatabase>
0xb48f126f <DtbClsLogin+643>: mov 0x218(%esp),%ebx
0xb48f1276 <DtbClsLogin+650>: mov %esi,%eax
0xb48f1278 <DtbClsLogin+652>: add $0x22c,%esp
0xb48f127e <DtbClsLogin+658>: pop %ebp
0xb48f127f <DtbClsLogin+659>: pop %esi
0xb48f1280 <DtbClsLogin+660>: pop %edi
0xb48f1281 <DtbClsLogin+661>: ret
DtbClsLogin() disassembly under Windows:
015317CE E8 83FCFDFF CALL ytwindtb.01511456
015317D3 8B8C24 30020000 MOV ECX,DWORD PTR SS:[ESP+230]
015317DA 5F POP EDI
015317DB 8BC6 MOV EAX,ESI
015317DD 5E POP ESI
015317DE 5D POP EBP
015317DF 5B POP EBX
015317E0 33CC XOR ECX,ESP
015317E2 E8 F3030500 CALL ytwindtb.01581BDA <----Exception handling function
015317E7 81C4 24020000 ADD ESP,224
015317ED C3 RETN
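Added example, not Yosemite's code or the author's: a C model of the frame corruption shown by the gdb output and the two epilogues, with login_unchecked standing for the Linux build, login_cookie_checked for the Windows build (its XOR ECX,ESP / CALL sequence is the MSVC /GS stack-cookie check, which fails closed on a smashed frame), and login_fixed for the bounds check that removes the defect. Buffer size, cookie value, frame field layout and the 100-byte username are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define USER_MAX     64           /* assumed size of the username buffer */
#define STACK_COOKIE 0x2B992DDFu  /* constructed stand-in for the /GS cookie */

/* Frame modelled on the epilogues above: buffer, cookie (Windows build only),
 * saved registers, then the return address that `ret` pops (0x41414141 in gdb). */
struct frame {
    char     user[USER_MAX];
    uint32_t cookie, saved_ebx, saved_ebp, saved_ret;
};
enum login_result { LOGIN_OK, LOGIN_REJECTED, LOGIN_COOKIE_FAIL };
void frame_init(struct frame *f) {
    memset(f, 0, sizeof *f);
    f->cookie = STACK_COOKIE;
    f->saved_ret = 0xb4a40580u;   /* sample caller address from the backtrace */
}

/* Linux-style handler: username copied with no length check (the defect);
 * the clamp to sizeof *f only keeps this simulation inside the struct. */
enum login_result login_unchecked(struct frame *f, const char *user) {
    size_t n = strlen(user) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, user, n);
    return LOGIN_OK;              /* returns normally; `ret` then uses saved_ret */
}

/* Windows-style handler: same copy, but the cookie is verified before the
 * return address is used, so a smashed frame terminates instead of jumping. */
enum login_result login_cookie_checked(struct frame *f, const char *user) {
    login_unchecked(f, user);
    return f->cookie == STACK_COOKIE ? LOGIN_OK : LOGIN_COOKIE_FAIL;
}

/* Fixed handler: reject any username that does not fit the buffer. */
enum login_result login_fixed(struct frame *f, const char *user) {
    size_t n = strlen(user);
    if (n >= USER_MAX) return LOGIN_REJECTED;
    memcpy(f->user, user, n + 1);
    return LOGIN_OK;
}
int main(void) {
    struct frame a, b;
    char name[101];               /* constructed input: 100 x 'A' */
    memset(name, 'A', 100); name[100] = '\0';
    frame_init(&a); frame_init(&b); login_unchecked(&a, name);
    printf("saved_ret=0x%08x cookie-checked=%d fixed=%d\n", a.saved_ret,
           login_cookie_checked(&b, name), login_fixed(&b, name));
}
```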
Exploit: http://www.insight-tech.org/xploits/yosemiteStackOverflowExploit.zip
