Aerosol Posted May 4, 2015

Privilege Escalation via Client Management Software
SySS GmbH | April 2015

Security vulnerabilities in the Client Management Software FrontRange DSM can be leveraged in attacks against corporate networks.

Client management is a very important task in modern enterprise IT environments as all computer systems, whether client or server, should be managed throughout their entire system life cycle. There are many client management software solutions from different vendors that support IT managers and IT administrators in client management tasks like:
• inventory
• patch management
• software deployment
• license management

As a matter of principle, in order to perform these functions, client management software requires high privileges, usually administrative rights, on the managed client and server systems. Therefore, client management software is an interesting target for attackers as vulnerabilities in this kind of software may be leveraged for privilege escalation attacks within corporate networks.

During a penetration test of client and server systems of a corporate network, the SySS GmbH could find multiple security vulnerabilities in the client management software FrontRange Desktop & Server Management (DSM) v7.2.1.2020 [1] that could be successfully exploited in a privilege escalation attack resulting in administrative privileges for the entire Windows domain.

Security Assessment

During a security assessment of a client system managed with FrontRange DSM, the SySS GmbH found out that the client management solution FrontRange DSM stores and uses sensitive user credentials for required user accounts in an insecure manner which enables an attacker or malware with file system access to a managed client, for example with the privileges of a limited Windows domain user account, to recover the cleartext passwords. The recovered passwords can be used for privilege escalation attacks and for gaining unauthorized access to other client and/or server systems within the corporate network as at least one FrontRange DSM user account needs local administrative privileges on managed systems.

FrontRange DSM stores passwords for different user accounts encrypted in two configuration files named NiCfgLcl.ncp and NiCfgSrv.ncp. These configuration files contain encrypted password information for different required FrontRange DSM user accounts (see [2]), for example:
• DSM Runtime Service
• DSM Distribution Service
• Business Logic Server (BLS) Authentication
• Database account

The actual number of required FrontRange DSM user accounts depends on the chosen security level during the software installation as Figure 1 illustrates.

A limited Windows domain user has read access to these configuration files that are usually stored in the following locations:
• %PROGRAMFILES(X86)%\NetInst\NiCfgLcl.ncp (local on a managed client)
• %PROGRAMFILES(X86)%\NetInst\NiCfgSrv.ncp (local on a managed client)
• \\<FRONTRANGE SERVER>\DSM$\NiCfgLcl.ncp (remote on a DSM network share)
• \\<FRONTRANGE SERVER>\DSM$\NiCfgSrv.ncp (remote on a DSM network share)

An analysis of the used encryption method by the SySS GmbH showed that the passwords are encoded and encrypted using a hard-coded secret (cryptographic key) contained within the FrontRange DSM executable file NiInst32.exe.

Furthermore, the SySS GmbH found out that the process NiInst32.exe, that is executed in the context of a low-privileged user, decrypts and uses some of the user credentials contained in the FrontRange DSM configuration files. Thus, an attacker or malware running in the same low-privileged user context can analyze and control the process NiInst32.exe and in this way gain access to decrypted cleartext passwords. For instance, such an online attack targeting the running process NiInst32.exe can be performed using an application-level debugger like OllyDbg [3] from the perspective of a limited Windows user.

Figure 2 exemplarily shows the successful extraction of the decrypted cleartext password of the FrontRange DSM user account DSM Distribution Service. In order to gain ac

Read more: https://www.exploit-db.com/docs/36872.pdf
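The text lists the four locations of NiCfgLcl.ncp and NiCfgSrv.ncp and states that a limited domain user can read them. The following PowerShell script is an added example for administrators who want to check that on their own DSM clients and server share; it is not part of the SySS paper or of the FrontRange DSM product. It assumes the paths quoted above, and the server name `FRONTRANGE-SERVER-PLACEHOLDER` is a placeholder to replace with the real DSM server. It flags any ACE that grants read access to broad groups (Everyone, BUILTIN\Users, Authenticated Users, Domain Users).

```powershell
# Added example (not from the SySS paper or FrontRange DSM): audit whether the
# DSM configuration files named in the text are readable by broad, low-privileged
# groups. The server name below is a placeholder (assumption), replace it.
$DsmServer = 'FRONTRANGE-SERVER-PLACEHOLDER'

# The four locations quoted in the text: two local, two on the DSM$ share.
$ConfigPaths = @(
    (Join-Path ${env:ProgramFiles(x86)} 'NetInst\NiCfgLcl.ncp'),
    (Join-Path ${env:ProgramFiles(x86)} 'NetInst\NiCfgSrv.ncp'),
    "\\$DsmServer\DSM$\NiCfgLcl.ncp",
    "\\$DsmServer\DSM$\NiCfgSrv.ncp"
)

# Identities that, when granted read access, expose the file to any domain user.
$BroadIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-BroadReadAccess {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; BroadReaders = @() }
    }

    $acl = Get-Acl -LiteralPath $Path
    $readers = foreach ($ace in $acl.Access) {
        $identity = $ace.IdentityReference.Value
        $isBroad  = ($BroadIdentities -contains $identity) -or ($identity -like '*\Domain Users')
        # ReadData is the right that lets a principal read the file contents.
        $grantsRead = ($ace.AccessControlType -eq 'Allow') -and
                      (($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
        if ($isBroad -and $grantsRead) { $identity }
    }
    [pscustomobject]@{ Path = $Path; Exists = $true; BroadReaders = @($readers) }
}

$results = $ConfigPaths | ForEach-Object { Test-BroadReadAccess -Path $_ }
$results | Format-Table -AutoSize

$exposed = $results | Where-Object { $_.Exists -and $_.BroadReaders.Count -gt 0 }
if ($exposed) {
    Write-Warning ("DSM configuration files readable by low-privileged users: " +
                   ($exposed.Path -join ', '))
}
```

Run it as a domain user on a managed client (the local paths) and with access to the DSM server (the share paths); `Get-Acl` on the UNC paths requires the share to be reachable. Tightening these ACLs only narrows the file-read path described in the text; the second finding, that NiInst32.exe decrypts the credentials while running in a low-privileged user context, is not addressed by file permissions and needs a fix from the vendor.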