Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30025
HistoryNov 26, 2013 - 12:00 a.m.

CVE-2013-6795 Vulnerability in the Rackspace Windows Agent and Updater

2013-11-2600:00:00
vulners.com
21
JSON

A vulnerability in the Rackspace Windows Agent and Updater was discovered that allows for modified Agent binaries to be remotely uploaded (without authentication) to Rackspace Cloud Server guest instances. Modified Agent binaries are processed as an update for the Agent and arbitrary code can then be executed after the service is restarted. CloudPassage disclosed the vulnerability to Rackspace and CVE-2013-6795 was issued by MITRE Corporation.

The Windows Agent and Updater is used by Windows Cloud Server instances on OpenStack Nova to handle boot configurations for Windows guests running on the Xen hypervisor. The agent was created by Rackspace for their Windows instances and both the Agent and Updater services run under the LocalSystem account.

Previous versions of the Updater (before 1.2.6.0) allowed for unsigned agent updates utilizing a specially crafted .NET remote call to TCP port 1984. The Update service takes a single .NET serializable object with a URL and an MD5 checksum. Once the sequence is triggered, a ZIP file is downloaded, verified using the checksum, and extracted into the program folder of the Agent service before the service is restarted. No authentication is performed by the .NET remoting service, making it possible to deploy a modified Agent update that overwrites the running Agent service binary. A proof of concept tool was developed to trigger the sequence with an arbitrary download URL using the original .NET libraries from a target.

Full details here: http://blog.cloudpassage.com/2013/11/18/cve-2013-6795-vulnerability-rackspace-windows-agent-updater/

CloudPassage responsibly disclosed the finding to Rackspace and, as of version 1.2.6.0, the Updater has been changed to use IPC with XenStore and no longer listens on port 1984. Rackspace recommends that users running the Windows agent less than version 1.2.6.1 update to the latest version, available on GitHub at https://github.com/rackerlabs/openstack-guest-agents-windows-xenserver.

Related

prion 2
securityvulns 1
cve 2
prion
prion
Design/Logic Flaw
2013-12-24 18:55:00
Design/Logic Flaw
2014-05-19 14:55:00
securityvulns
securityvulns
RackSpace Windows Agent update spoofing
2013-11-26 00:00:00
cve
cve
CVE-2013-6795
2013-12-24 18:55:00
CVE-2013-6764
2014-05-19 14:55:00
JSON
Related for SECURITYVULNS:DOC:30025
prion2securityvulns1cve2