Description: Given a low level account to access the Unitrends console, one can escalate to root.
Versions Affected: 8.X and below.
Researcher: N/A
Disclosure Link: N/A
NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2017-7279
The “token” value is susceptible to modification, allowing a user to flip out of their current session and into an administrative session. This is because each token issued is not checked against the user.
Given user credentials for a unitrends application, an arbitrary user can escalate to administrator by
- Urldecode the "token" cookie
- Base64 decode the "token" cookie
- The cookis of the format: v0:session_key:UID:/path/to/log/file.log:log_level
- Change the UID value to 1
- Re-encode base64 and URL. Save, refresh.