“Update Manager” v1.2.1.0 (and possibly earlier), a software component from otris software AG used by multiple otris applications, e.g. otris Privacy, to facilitate updating otris products; allows attackers, to escalate their privileges on Windows systems to SYSTEM (highest permissions on Windows), by exploiting a vulnerability in the aforementioned software.

The software component is installed as a Windows service, and is executed with the rights of SYSTEM. The nature of the software requires elevated privileges in order to install updates and/or add/remove programs.

The affected software component accepts local connections via .NET named pipes and remote connections over HTTP port 9000 via WsHTTPBinding.

While I was examining the way “Update Manager” handles local connections over .NET named pipes I have discovered a vulnerability, which would allow a local attacker (or an attacker logged on remotely to the target machine) to escalate his privileges on the affected Windows machine to those of SYSTEM.

The vulnerability can be exploited by connecting to the vulnerable component “Update Manager” via .NET named pipes on the same target machine and issuing direct calls to available functions on the exposed interface, which are processed by the vulnerable component without any form of prior authentication.

In order to achieve local privilege escalation, different approaches exist.

In hardened corporate environments, where executing MSI files is not allowed due to enforced policy restrictions, an attacker can opt for overwriting the executables of any privileged Windows services or privileged Scheduled Task on paths not protected by Windows File Protection (WFP). For instance, attackers can opt to overwrite an executable located under (incl. sub folders) “C:\Program Files” or “C:\Program Files (x86)”. These paths are not protected by WFP and would facilitate the attack.

ZIP Slip to the rescue

When exploiting the vulnerability by opting to overwriting an executable of a privileged Windows service or scheduled task, attackers need to overcome an obstacle. The “saveUpdateFiles” function in the “UpdateProcessorClient” interface extracts attacker-controllable ZIP files to attacker-controllable paths. However, the “ProductId” (an attacker-controllable GUID) in the “ProductDefinition” is padded to the path where the ZIP file’s content are extracted.

For example, an attacker who wish to overwrite the file “C:\Target\Executable.exe”, would find that the overwritten path becomes “C:\Target\01234567-1234-5678-1234-0123456789123\Executable.exe”, (where “01234567-1234-5678-1234-0123456789123” is an exemplary GUID), and that renders the attack useless. Nevertheless, attackers can facilitate the ZIP Slip Vulnerability and prepare a malicious ZIP file with ZIP entries called “..”, which are used as part of the filename when preparing the path.

When the extraction path is prepared, the overwritten path becomes “C:\Target\01234567-1234-5678-1234-0123456789123\..\Executable.exe”. This was tested successfully against the “extractZipFile” function responsible for extracting ZIP files.

Magnificent bugs and where to find them

The vulnerability was found and exploited against production systems with active EDR and anti-virus software; during a penetration test 🙂

Exploitation of this vulnerability remotely over WsHTTPBinding is not excluded and should be further investigated 😉

TL;DR

The local privilege escalation vulnerability affecting otris Update Manager has been assigned CVE-2021-40376 and has a CVSS3.0 score of 8.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Official details can be found on the following link: https://www.tuv.com/landingpage/en/vulnerability-disclosure/

Disclosure Timeline

20.08.2021 Initial notification per email (<info @ otris.de>) to locate the suitable contact person
27.08.2021 No response. Forward of initial notification to (<support @ otris.de>)
27.08.2021 Contact data of responsible person are provided
01.09.2021 Details shared with the contact person
13.09.2021 otris Software AG suggest a fix per email. Asks for expert review. No binaries provided
15.09.2021 Based on pure provided information, expert concludes that the suggested solution is not sufficient
06.10.2021 otris Software AG shares further information and mentions removal of vulnerable component in newer versions of affected software. With the suggested fix, the vulnerability will be considered by otris Software AG as fixed
01.12.2021 90 days after responsible disclosure are over. TÜV Rheinland i-sec GmbH decides to grant an additional 60 days considering the vacation/holidays season to enable end-users to patch their systems
31.01.2022 Preparation for publish

 

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.