# CVE-2020-8289 – Remote Code Execution as SYSTEM/root via Backblaze

## Summary

Name: Remote Code Execution as SYSTEM/root via Backblaze

Product: Backblaze for Windows and Backblaze for macOS

Fixed Version: 7.0.1.433 (Windows) and 7.1.0.434 (macOS)

## Introduction

Backblaze is described as "an online backup tool that allows Windows and macOS users to back up their data to offsite data centers. The service is designed for businesses and end-users, providing unlimited storage space and supporting unlimited file sizes."

Vulnerable versions of Backblaze for Windows and Backblaze for macOS contain a critical risk vulnerability that allows an unprivileged anonymous remote attacker to perform remote code execution (RCE) as SYSTEM/root.

The Backblaze client's service process, named bzserv, runs as SYSTEM on Windows and as root on macOS. Every couple of hours, bzserv runs a program named bztransmit (executed as SYSTEM/root) to download an XML file named clientversion.xml from Backblaze's data center to see if a newer version of the Backblaze client is available for download. The URL for this XML file is constructed from the bzdatacenter hostname in the installed bzinstall.xml file (read-only for unprivileged users) and the hardcoded path api/clientversion.xml, yielding a URL such as. This download is performed via a statically linked libcurl library.

However, the bztransmit functions that leverage libcurl contain peculiar logic that causes them to set CURLOPT_SSL_VERIFYPEER to 0 and CURLOPT_SSL_VERIFYHOST to 0 if the given URL contains one of the following strings:

This allows a remote attacker to impersonate the web server with an invalid SSL certificate (for example, a self-signed certificate) and supply the client with an attacker-controlled clientversion.xml file. When bztransmit parses the downloaded XML file, it checks to see if the latest client version described in the XML file is newer than the installed client version and if so, downloads the latest client version's installer from Backblaze's data center.
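As an added illustration (not Backblaze's code and not part of the original advisory), the following Python models the two decisions described above from an auditing standpoint: whether an installed build predates the fixed versions listed in the summary, and how a verification switch gated on a URL substring compares with an unconditional one. The substring list is a labelled placeholder, since the advisory text reproduced here does not list the actual strings.

```python
# Constructed audit helpers; the MARKERS value is a placeholder, not a real string
# from the advisory, and the option dicts model libcurl settings rather than call libcurl.

# Fixed versions stated in the advisory summary.
FIXED_VERSION = {"windows": "7.0.1.433", "macos": "7.1.0.434"}

# Placeholder for the URL substrings that trigger the bypass (hypothetical value).
MARKERS = ["PLACEHOLDER-TRUSTED-SUBSTRING"]

VERIFYPEER = "CURLOPT_SSL_VERIFYPEER"
VERIFYHOST = "CURLOPT_SSL_VERIFYHOST"


def parse_version(text):
    """Turn a dotted build string such as '7.0.1.433' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(platform, installed):
    """True when the installed client is older than the fixed release for its platform."""
    return parse_version(installed) < parse_version(FIXED_VERSION[platform])


def weak_curl_options(url, markers=MARKERS):
    """Model of the flawed logic: a substring match anywhere in the URL turns off both
    chain verification and hostname checking, so any host on the network path that
    presents a self-signed certificate is accepted for the update check."""
    if any(marker in url for marker in markers):
        return {VERIFYPEER: 0, VERIFYHOST: 0}
    return {VERIFYPEER: 1, VERIFYHOST: 2}


def hardened_curl_options(url):
    """Corrected policy: verification never depends on the URL. VERIFYHOST is 2,
    the documented value for full hostname checking in libcurl."""
    return {VERIFYPEER: 1, VERIFYHOST: 2}


def audit_curl_options(opts):
    """Return findings for an option set; an empty list means verification is intact."""
    findings = []
    if opts.get(VERIFYPEER) != 1:
        findings.append("peer certificate chain is not verified")
    if opts.get(VERIFYHOST) != 2:
        findings.append("certificate hostname is not checked")
    return findings


if __name__ == "__main__":
    url = "https://PLACEHOLDER-TRUSTED-SUBSTRING.example/api/clientversion.xml"
    print("windows 7.0.1.432 vulnerable:", is_vulnerable("windows", "7.0.1.432"))
    print("weak findings:", audit_curl_options(weak_curl_options(url)))
    print("hardened findings:", audit_curl_options(hardened_curl_options(url)))
```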