Title: ArcServe UDP - Unquoted Service Path Privilege Escalation

CWE Class: CWE-427: Uncontrolled Search Path Element

Date: 04/09/2016

Vendor: ArcServe

Product: ArcServe UDP Standard Edition for Windows, TRIAL

Type: Backup Software

Version: 6.0.3792 Update 2 Build 516

Download URL: http://arcserve.com/free-backup-software-trial/

Tested on: Windows 7 x86 EN

Release Mode: coordinated release


- 1. Product Description: -

A comprehensive solution that empowers even a one-person IT department to protect virtual and physical environments with a high degree of simplicity:

Design and manage your entire data protection strategy with a unified management console

Scale your data backup coverage as your organization grows with the push of a button


- 2. Vulnerability Details: -

ArcServe UDP for Windows installs various services.

One of them is the "Arcserve UDP Update Service (CAARCUpdateSvc)", running as SYSTEM.

This particular service has an unquoted image path that contains spaces (CWE-427).

The other services were correctly quoted.

When the service controller starts a service whose image path is unquoted, Windows treats each space as a possible end of the executable name and tries the shorter candidates first (C:\Program.exe before anything under C:\Program Files\...). An attacker with write permission on the drive root or on any directory along the path could place a binary with one of those names and have it executed as SYSTEM the next time the service starts.


- 3. PoC Details: -

There are various ways to audit for this type of vulnerability.

This proof-of-concept demonstrates both an automated and a manual way.

Step 1: Identify the issue

Automatic: use the windows-privesc-check toolkit to audit the local system.

Manual: run 'sc qc CAARCUpdateSvc' from cmd.exe (in PowerShell 'sc' is an alias for Set-Content, so use 'sc.exe qc CAARCUpdateSvc' there) and confirm that BINARY_PATH_NAME is an unquoted path containing spaces.

Output: C:\Program Files\Arcserve\Unified Data Protection\Update Manager\ARCUpdate.exe

This should be: "C:\Program Files\Arcserve\Unified Data Protection\Update Manager\ARCUpdate.exe"

Step 2: Assess if exploitation is possible

Split the path at each space. Windows resolves an unquoted path by trying each prefix as an executable, so for the path above it looks for C:\Program.exe, then C:\Program Files\Arcserve\Unified.exe, then C:\Program Files\Arcserve\Unified Data.exe, then C:\Program Files\Arcserve\Unified Data Protection\Update.exe before the real binary. Check the permissions of each directory that would hold one of those files (C:\, C:\Program Files\Arcserve\ and C:\Program Files\Arcserve\Unified Data Protection\).

If any of those directories is writable for a non-administrative user, the issue is exploitable. On a default installation neither the drive root nor anything under Program Files lets a standard user create files, so in practice this requires an ACL that has been loosened.

Step 3: Exploitation

Place a binary with the matching name (for example Program.exe in C:\) in the writable directory.

Reboot the system (a non-administrative user normally cannot restart the service directly) and validate that your payload is executed with SYSTEM privileges.


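The three steps above as one script, added here as an example and not code from the advisory or from Arcserve: it reads every service's ImagePath from the registry, derives the executables CreateProcess would try before the real one, and probes whether the current account can actually create a file in each of those directories. The only names taken from the advisory are the service CAARCUpdateSvc and its reported image path, which is embedded as a constructed sample so the parsing part can be exercised on any host.

```powershell
# Added example (not from the advisory or Arcserve): audit services for
# unquoted image paths and probe the directories an attacker would need.

function Get-HijackCandidates {
    # For an unquoted image path, return the paths Windows tries first,
    # e.g. 'C:\Program Files\Foo Bar\svc.exe' -> 'C:\Program.exe',
    # 'C:\Program Files\Foo.exe'. Arguments after the .exe are ignored.
    param([Parameter(Mandatory)][string]$ImagePath)
    $image = [Environment]::ExpandEnvironmentVariables($ImagePath)
    if ($image.StartsWith('"')) { return @() }          # already quoted: not affected
    $exeEnd = $image.ToLower().IndexOf('.exe')
    if ($exeEnd -lt 0) { return @() }                   # drivers (.sys) etc. are out of scope here
    $exePath = $image.Substring(0, $exeEnd + 4)
    $found = @()
    $pos = $exePath.IndexOf(' ')
    while ($pos -ge 0) {
        $found += ($exePath.Substring(0, $pos) + '.exe')
        $pos = $exePath.IndexOf(' ', $pos + 1)
    }
    return $found
}

function Test-DirectoryWritable {
    # Real write probe: create and delete an empty, randomly named file.
    # More reliable than reading the ACL, which would have to account for
    # every group in the current token.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedServicePaths {
    # Walk the registry rather than Get-Service: ImagePath is what sc qc
    # shows and what the service controller hands to CreateProcess.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $image = (Get-ItemProperty -LiteralPath $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $image) { continue }
        foreach ($candidate in @(Get-HijackCandidates -ImagePath $image)) {
            [pscustomobject]@{
                Service   = $svc.PSChildName
                ImagePath = $image
                Candidate = $candidate
                Writable  = Test-DirectoryWritable -Directory (Split-Path -Parent $candidate)
            }
        }
    }
}

# Constructed sample: the path the advisory reports for CAARCUpdateSvc.
# Lists the four candidate executables without touching the registry.
$sample = 'C:\Program Files\Arcserve\Unified Data Protection\Update Manager\ARCUpdate.exe'
Get-HijackCandidates -ImagePath $sample

# Live audit of this host: only rows with Writable = True are exploitable
# from the current account.
Find-UnquotedServicePaths | Where-Object Writable | Format-Table -AutoSize
```

The write probe is deliberately a real file creation rather than an ACL read: a directory can look writable in Get-Acl output and still be blocked by a deny entry or by integrity level, and the reverse. Drop the Where-Object filter to see every unquoted service, which is what a fix list for the vendor should contain.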
- 4. Vendor Mitigation: -

Create an update for the product which adds quotes to the path.

While the update is being developed customers could apply a manual fix:

Open regedit, browse to HKLM\SYSTEM\CurrentControlSet\services\CAARCUpdateSvc

Add quotes around the executable path in the ImagePath value, keeping the value type (REG_EXPAND_SZ or REG_SZ) unchanged. Re-check the value after any product update, since installers commonly rewrite it.


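The manual registry fix above, done from an elevated PowerShell instead of regedit. This is an added example and not code from the advisory or from Arcserve; it wraps only the executable part of ImagePath in quotes, leaves any arguments outside them, and writes the value back with its original registry type so a REG_EXPAND_SZ value is not silently turned into REG_SZ. CAARCUpdateSvc is the service named in the advisory; the functions take any service name.

```powershell
# Added example (not from the advisory or Arcserve): quote a service's
# ImagePath in the registry while preserving arguments and value type.

function Get-QuotedImagePath {
    # Pure string transform so the result can be reviewed before writing.
    param([Parameter(Mandatory)][string]$ImagePath)
    if ($ImagePath.StartsWith('"')) { return $ImagePath }     # already quoted
    $exeEnd = $ImagePath.ToLower().IndexOf('.exe')
    if ($exeEnd -lt 0) { throw "No .exe found in image path: $ImagePath" }
    $exe       = $ImagePath.Substring(0, $exeEnd + 4)
    $arguments = $ImagePath.Substring($exeEnd + 4)            # '' or e.g. ' -k netsvcs'
    return '"' + $exe + '"' + $arguments
}

function Set-QuotedServicePath {
    # Requires administrative rights to write under HKLM\SYSTEM.
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [switch]$WhatIf
    )
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $item = Get-Item -LiteralPath $key                       # throws if the service does not exist
    # Read the raw value (no %SystemRoot% expansion) and its kind so we can
    # write it back exactly as stored, only with quotes added.
    $old  = $item.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    $kind = $item.GetValueKind('ImagePath')
    $new  = Get-QuotedImagePath -ImagePath $old
    if ($new -eq $old) {
        Write-Host "$ServiceName is already quoted: $old"
        return
    }
    Write-Host "$ServiceName`n  old: $old`n  new: $new"
    if (-not $WhatIf) {
        Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $new -Type $kind
    }
}

# Dry run on the path the advisory reports; no registry access needed.
Get-QuotedImagePath -ImagePath 'C:\Program Files\Arcserve\Unified Data Protection\Update Manager\ARCUpdate.exe'

# On the affected host, from an elevated PowerShell:
# Set-QuotedServicePath -ServiceName CAARCUpdateSvc -WhatIf   # review the change
# Set-QuotedServicePath -ServiceName CAARCUpdateSvc           # apply it
# Verify afterwards with: sc.exe qc CAARCUpdateSvc
```

The change takes effect the next time the service starts; a restart of the service (or a reboot) is needed for the running instance to pick it up, and the value should be re-checked after the vendor update is installed.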
- 5. End-user Mitigation: -

A patch has been released by Arcserve.

All customers should upgrade to the latest version as described in the release notes:

http://documentation.arcserve.com/Arcserve-UDP/Available/V6/ENU/Bookshelf_Files/HTML/Update3/Default.htm#Update3/upd3_Issues_Fixed.htm%3FTocPath%3D_____6


- 6. Author: -

sh4d0wman / Herman Groeneveld

herman_worldwide AT hotmail. com


- 7. Timeline: -

* 01/06/2016: Vulnerability discovery

* 18/06/2016: Request sent to info@arcserve.com for a security point-of-contact

* 21/06/2016: Received contact but no secure channel. Requested confirmation to send PoC over an insecure channel

* 22/06/2016: Vendor supplied PGP key, vulnerability PoC sent

* 09/07/2016: Received information: 2 out of 3 issues have fixes pending. Vendor requests additional mitigation techniques for the third issue.

* 13/07/2016: Sent vendor various mitigation solutions and their limitations.

* 13/08/2016: Vendor informs release is pending for all discovered issues.

* 15/08/2016: Vendor requests text for release bulletin.

* 19/08/2016: A fix has been released.