Jump to content
Aerosol

Privilege Escalation via Client Management Software

Recommended Posts

Posted

Security vulnerabilities in the Client Management Software FrontRange
DSM can be leveraged in attacks against corporate networks.
Client management is a very important task
in modern enterprise IT environments as
all computer systems, whether client or
server, should be managed throughout their entire
system life cycle.
There are many client management software
solutions from different vendors that support IT
managers and IT administrators in client management
tasks like:
• inventory
• patch management
• software deployment
• license management
As a matter of principle, in order to perform these
functions, client management software requires
high privileges, usually administrative rights, on
the managed client and server systems. Therefore,
client management software is an interesting target
for attackers as vulnerabilities in this kind of
software may be leveraged for privilege escalation
attacks within corporate networks.
During a penetration test of client and server
systems of a corporate network, the SySS GmbH
could find multiple security vulnerabilities in the
client management software FrontRange Desktop
& Server Management (DSM) v7.2.1.2020 [1]
that could be successfully exploited in a privilege
escalation attack resulting in administrative privileges
for the entire Windows domain.
Security Assessment
During a security assessment of a client system
managed with FrontRange DSM, the SySS GmbH
found out that the client management solution
FrontRange DSM stores and uses sensitive user
credentials for required user accounts in an insecure
manner which enables an attacker or malware
with file system access to a managed client,
for example with the privileges of a limited Windows
domain user account, to recover the cleartext
passwords.
The recovered passwords can be used for privilege
escalation attacks and for gaining unauthorized
access to other client and/or server systems
within the corporate network as at least one
FrontRange DSM user account needs local administrative
privileges on managed systems.
FrontRange DSM stores passwords for different
user accounts encrypted in two configuration files
named NiCfgLcl.ncp and NiCfgSrv.ncp.
These configuration files contain encrypted password
information for different required FrontRange
DSM user accounts (see [2]), for example:
• DSM Runtime Service
• DSM Distribution Service

Privilege Escalation via Client Management Software
SySS GmbH | April 2015
• Business Logic Server (BLS)
Authentication
• Database account
The actual number of required FrontRange DSM
user accounts depends on the chosen security
level during the software installation as Figure 1
illustrates.
A limited Windows domain user has read access
to these configuration files that are usually stored
in the following locations:
• %PROGRAMFILES(X86)\NetInst\
NiCfgLcl.ncp (local on a managed
client)
• %PROGRAMFILES(X86)\NetInst\
NiCfgSrv.ncp (local on a managed
client)
• \\<FRONTRANGE SERVER>\DSM$\
NiCfgLcl.ncp (remote on a DSM network
share)
• \\<FRONTRANGE SERVER>\DSM$\
NiCfgSrv.ncp (remote on a DSM network
share)
An analysis of the used encryption method by
the SySS GmbH showed, that the passwords are
encoded and encrypted using a hard-coded secret
(cryptographic key) contained within the
FrontRange DSM executable file NiInst32.
exe.
Furthermore, the SySS GmbH found out that the
process NiInst32.exe, that is executed in the
context of a low-privileged user, decrypts and
uses some of the user credentials contained in the
FrontRange DSM configuration files. Thus, an attacker
or malware running in the same low-privileged
user context can analyze and control the
process NiInst32.exe and in this way gain access
to decrypted cleartext passwords.
For instance, such an online attack targeting the
running process NiInst32.exe can be performed
using an application-level debugger like
OllyDbg [3] from the perspective of a limited
Windows user.
Figure 2 exemplarily shows the successful extraction
of the decrypted cleartext password of
the FrontRange DSM user account DSM Distribution
Service. In order to gain ac

Read more: https://www.exploit-db.com/docs/36872.pdf

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...