Title: ArcServe UDP - Download Manager/Setup - DLL Hijacking CWE Class: CWE-427: Uncontrolled Search Path Element Date: 04/09/2016 Vendor: ArcServe Product: ArcServe UDP Standard Edition for Windows, TRIAL Type: Backup Software Version: 6.0.3792 Update 2 Build 516 Download URL: http://arcserve.com/free-backup-software-trial/ Tested on: Windows 7x86 EN Release Mode: coordinated release - 1. Product Description: - A comprehensive solution that empowers even a one-person IT department to protect virtual and physical environments with a high degree of simplicity: Design and manage your entire data protection strategy with a unified management console Scale your data backup coverage as your organization grows with the push of a button - 2. Vulnerability Details: - ArcServe UDP for Windows provides a download manager to obtain the installation files. The download manager retrieves a ZIP file which will be automatically extracted. Once extracted setup.exe is automatically executed which in turns executes MasterSetup.exe During execution all of these executables fail to load various DLLs to the following conditions: A - loads DLLs without using a hard-coded path B - loads DLLs which do not exist on this Windows version Various of these DLLS are not on the list of known DLLs: HKMLSYSTEMCurrentControlSetControlSession ManagerKnownDLLs Therefore the copy in %WINDIR%system32 is not automatically used. These conditions can be used to trick the executables into loading untrusted code. Custom DLL files must be planted in the same directory (e.g. Downloads or an SMB share). The untrusted code will be executed under elevated privileges. Executable Details: Executable name: ASDownloadManager.exe SHA1 hash: cf6edcb2e4bc4c1cadea38a6cbf7c7ab4eb2b831 Executable name: Setup.exe SHA1 hash: 02c440df057d32b9fcbde28f4aa55bb1d771f878 Executable name: MasterSetup.exe SHA1 hash: 1f767a51ece261980fe003e6db41ca5d6be06f16 File description: Arcserve Unified Data Protection File version: 6.0.3792.0 Product version: r6.0 - 3. PoC Details: - Step 1: Identify the issue Dynamic: Run SysInternals procmon.exe with the correct filters. Static: Load into IDA Pro with correct filters. Step 2: Create a test DLL These can be created by hand or with msfvenom, part of the Metasploit Framework. The payload could be anything e.g. a MessageBox or execution of calc.exe or cmd.exe Once created they should be renamed to either of the following names (partial listing): For the download manager: rasadhlp.dll CRYPTBASE.dll dwmapi.dll For Setup.exe: CRYPTBASE.dll dwmapi.dll For MasterSetup.exe: CRYPTBASE.dll netutils.dll api-ms-win-downlevel-shlwapi-l2-1-0.dll api-ms-win-downlevel-advapi32-l2-1-0.dll d2d1.dll PROPSYS.dll Step 3: Exploitation Create a limited user account on the local machine. Place the DLL together with the executable in the same directory e.g. Downloads. Run the executable. Enter administrative credentials for elevation. Observe DLL code execution. Tested with a payload which creates a new local administrative user. Success. - 4. Vendor Mitigation: - See the following link for various mitigation solutions: http://seclists.org/bugtraq/2015/Dec/112 Decide with your engineers which methods could be used. Ensure methods used provided sufficient mitigation. - 5. End-user Mitigation: - A patch has been released by Arcserve. All customer should upgrade to the latest version as described in the release notes: http://documentation.arcserve.com/Arcserve-UDP/Available/V6/ENU/Bookshelf_Files/HTML/Update3/Default.htm#Update3/upd3_Issues_Fixed.htm%3FTocPath%3D_____6 - 6. Author: - sh4d0wman / Herman Groeneveld herman_worldwide AT hotmail. com - 7. Timeline: - * 01/06/2016: Vulnerability discovery * 18/06/2016: Request sent to info@arcserve.com for a security point-of-contact * 21/06/2016: Received contact but no secure channel. Requested confirmation to send PoC over unsecure channel * 22/06/2016: vendor supplied PGP key, vulnerability PoC sent * 09/07/2016: Received information: 2 out of 3 issues have fixes pending. Vendor requests additional mitigation techniques for the third issue. * 13/07/2016: Sent vendor various mitigation solutions and their limitations. * 13/08/2016: Vendor informs release is pending for all discovered issues. * 15/08/2016: Vendor requests text for release bulletin. * 19/08/2016: A fix has been released.