Title: ArcServe UDP - Download Manager/Setup - DLL Hijacking
CWE Class: CWE-427: Uncontrolled Search Path Element
Date: 04/09/2016
Vendor: ArcServe
Product: ArcServe UDP Standard Edition for Windows, TRIAL
Type: Backup Software
Version: 6.0.3792 Update 2 Build 516
Download URL: http://arcserve.com/free-backup-software-trial/
Tested on: Windows 7x86 EN
Release Mode: coordinated release
- 1. Product Description: -
A comprehensive solution that empowers even a one-person IT department to protect virtual and physical environments with a high degree of simplicity:
Design and manage your entire data protection strategy with a unified management console
Scale your data backup coverage as your organization grows with the push of a button
- 2. Vulnerability Details: -
ArcServe UDP for Windows provides a download manager to obtain the installation files.
The download manager retrieves a ZIP file which will be automatically extracted.
Once extracted, setup.exe is automatically executed, which in turn executes MasterSetup.exe.
During execution all of these executables fail to load various DLLs due to the following conditions:
A - loads DLLs without using a hard-coded path
B - loads DLLs which do not exist on this Windows version
Several of these DLLs are not on the list of known DLLs:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
Therefore the copy in %WINDIR%\system32 is not automatically used.
These conditions can be used to trick the executables into loading untrusted code.
Custom DLL files must be planted in the same directory (e.g. Downloads or an SMB share).
The untrusted code will be executed under elevated privileges.
Executable Details:
Executable name: ASDownloadManager.exe
SHA1 hash: cf6edcb2e4bc4c1cadea38a6cbf7c7ab4eb2b831
Executable name: Setup.exe
SHA1 hash: 02c440df057d32b9fcbde28f4aa55bb1d771f878
Executable name: MasterSetup.exe
SHA1 hash: 1f767a51ece261980fe003e6db41ca5d6be06f16
File description: Arcserve Unified Data Protection
File version: 6.0.3792.0
Product version: r6.0
- 3. PoC Details: -
Step 1: Identify the issue
Dynamic: Run SysInternals procmon.exe with the correct filters.
Static: Load into IDA Pro with correct filters.
Step 2: Create a test DLL
These can be created by hand or with msfvenom, part of the Metasploit Framework.
The payload could be anything, e.g. a MessageBox or execution of calc.exe or cmd.exe.
Once created they should be renamed to one of the following names (partial listing):
For the download manager:
rasadhlp.dll
CRYPTBASE.dll
dwmapi.dll
For Setup.exe:
CRYPTBASE.dll
dwmapi.dll
For MasterSetup.exe:
CRYPTBASE.dll
netutils.dll
api-ms-win-downlevel-shlwapi-l2-1-0.dll
api-ms-win-downlevel-advapi32-l2-1-0.dll
d2d1.dll
PROPSYS.dll
Step 3: Exploitation
Create a limited user account on the local machine.
Place the DLL together with the executable in the same directory e.g. Downloads.
Run the executable.
Enter administrative credentials for elevation.
Observe DLL code execution.
Tested with a payload which creates a new local administrative user. Success.
- 4. Vendor Mitigation: -
See the following link for various mitigation solutions:
http://seclists.org/bugtraq/2015/Dec/112
Decide with your engineers which methods could be used.
Ensure the methods used provide sufficient mitigation.
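The following is an added example, not Arcserve code and not the mitigation text behind the link above. It shows the loader-side fix for conditions A and B from section 2: restricting the process-wide DLL search path, and loading each system DLL by a validated, fully qualified %WINDIR%\System32 path instead of a bare name. The function names (is_bare_dll_name, build_system32_path, harden_dll_search_path, load_system_dll) are chosen here; the Win32 calls (SetDllDirectoryW, SetDefaultDllDirectories, GetSystemDirectoryW, LoadLibraryExW) are real, and SetDefaultDllDirectories is assumed available (Windows 8 and later, or Windows 7 with the KB2533623 update). The path logic is kept portable so it can be built and tested on any platform.

```c
/* Added example (not Arcserve's code): a hardened DLL-loading pattern for a
 * downloader/installer.  Two independent measures:
 *   1. Process-wide: drop the current directory from the search order and
 *      restrict default loads to %WINDIR%\System32.
 *   2. Per-load: validate the DLL name and build a fully qualified System32
 *      path before calling LoadLibraryExW.
 * The path logic sits outside #ifdef _WIN32 so it compiles and runs anywhere;
 * the Win32 calls assume Windows 8+ or Windows 7 with KB2533623. */
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0602   /* declare SetDefaultDllDirectories and its flags */
#endif
#include <windows.h>
#endif

/* 1 if `name` is a bare "<something>.dll" with no directory component, drive
 * letter or alternate-stream separator; 0 otherwise.  Rejecting anything
 * else is what stops "..\\evil.dll" from escaping System32 once prefixed. */
int is_bare_dll_name(const wchar_t *name)
{
    size_t len;
    const wchar_t *ext;
    if (name == NULL || name[0] == L'\0') return 0;
    if (wcspbrk(name, L"\\/:") != NULL) return 0;
    len = wcslen(name);
    if (len < 5) return 0;                 /* shortest valid: "x.dll" */
    ext = name + len - 4;
    return ext[0] == L'.' && towlower(ext[1]) == L'd' &&
           towlower(ext[2]) == L'l' && towlower(ext[3]) == L'l';
}

/* Writes "<sysdir>\<name>" into out (capacity out_len wide characters).
 * Returns 1 on success, 0 if the name fails validation or out is too small.
 * sysdir is a parameter so the function is testable without GetSystemDirectoryW. */
int build_system32_path(const wchar_t *sysdir, const wchar_t *name,
                        wchar_t *out, size_t out_len)
{
    size_t dlen, nlen;
    if (sysdir == NULL || out == NULL || !is_bare_dll_name(name)) return 0;
    dlen = wcslen(sysdir);
    nlen = wcslen(name);
    if (dlen == 0 || dlen + 1 + nlen + 1 > out_len) return 0; /* sep + NUL */
    wcscpy(out, sysdir);
    if (sysdir[dlen - 1] != L'\\') wcscat(out, L"\\");
    wcscat(out, name);
    return 1;
}

#ifdef _WIN32
/* Call once at process start, before any explicit LoadLibrary or delay-load
 * import is resolved.  Returns 1 on success. */
int harden_dll_search_path(void)
{
    /* An empty string removes the current directory from the default search order. */
    SetDllDirectoryW(L"");
    /* Restrict implicit and explicit loads to System32.  The application
     * directory is deliberately not added: the installer runs from Downloads. */
    return SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) ? 1 : 0;
}

/* Loads a system DLL by fully qualified path; the search flag also governs how
 * that DLL's own dependencies are resolved. */
HMODULE load_system_dll(const wchar_t *name)
{
    wchar_t sysdir[MAX_PATH];
    wchar_t full[MAX_PATH * 2];
    UINT n = GetSystemDirectoryW(sysdir, MAX_PATH);
    if (n == 0 || n >= MAX_PATH) return NULL;
    if (!build_system32_path(sysdir, name, full, sizeof full / sizeof full[0]))
        return NULL;
    return LoadLibraryExW(full, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif

int main(void)
{
    /* Two names from the advisory plus two constructed hostile inputs;
     * the System32 path is a constructed sample, not read from the system. */
    const wchar_t *names[] = { L"CRYPTBASE.dll", L"dwmapi.dll",
                               L"..\\CRYPTBASE.dll", L"C:\\Users\\Public\\dwmapi.dll" };
    wchar_t full[260];
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (build_system32_path(L"C:\\Windows\\system32", names[i], full, 260))
            printf("load   %ls\n", full);
        else
            printf("reject %ls\n", names[i]);
    }
#ifdef _WIN32
    if (harden_dll_search_path() && load_system_dll(L"dwmapi.dll") != NULL)
        printf("dwmapi.dll loaded from System32\n");
#endif
    return 0;
}
```

Note that the process-wide call is the one that covers implicitly imported DLLs such as CRYPTBASE.dll and dwmapi.dll, which the executable never loads by name itself; the per-load path only helps for DLLs the code loads explicitly. Both are needed for the conditions described in section 2.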
- 5. End-user Mitigation: -
A patch has been released by Arcserve.
All customers should upgrade to the latest version as described in the release notes:
http://documentation.arcserve.com/Arcserve-UDP/Available/V6/ENU/Bookshelf_Files/HTML/Update3/Default.htm#Update3/upd3_Issues_Fixed.htm%3FTocPath%3D_____6
- 6. Author: -
sh4d0wman / Herman Groeneveld
herman_worldwide AT hotmail. com
- 7. Timeline: -
* 01/06/2016: Vulnerability discovery
* 18/06/2016: Request sent to info@arcserve.com for a security point-of-contact
* 21/06/2016: Received contact but no secure channel. Requested confirmation to send PoC over an insecure channel
* 22/06/2016: vendor supplied PGP key, vulnerability PoC sent
* 09/07/2016: Received information: 2 out of 3 issues have fixes pending.
Vendor requests additional mitigation techniques for the third issue.
* 13/07/2016: Sent vendor various mitigation solutions and their limitations.
* 13/08/2016: Vendor informs release is pending for all discovered issues.
* 15/08/2016: Vendor requests text for release bulletin.
* 19/08/2016: A fix has been released.