exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Fortra Digital Guardian Agent Uninstaller Cross Site Scripting / UninstallKey Cached

Fortra Digital Guardian Agent Uninstaller Cross Site Scripting / UninstallKey Cached
Posted Nov 28, 2023
Authored by Johannes Kruchem, Daniel Hirschberger, Bernhard Grundling | Site sec-consult.com

The uninstaller in Fortra Digital Guardian Agent versions prior to 7.9.4 suffers from a cross site scripting vulnerability. Additionally, the Agent Uninstaller handles sensitive data insecurely and caches the Uninstall key in memory. This key can be used to stop or uninstall the application. This allows a locally authenticated attacker with administrative privileges to disable the application temporarily or even remove the application from the system completely.

tags | exploit, xss
advisories | CVE-2023-6253
SHA-256 | d393eda92218fb28d4719259401d1db3e0731edb5b930170f2f951494d02fbc7

Fortra Digital Guardian Agent Uninstaller Cross Site Scripting / UninstallKey Cached

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20231123-0 >
=======================================================================
title: Uninstall Key Caching
product: Fortra Digital Guardian Agent Uninstaller
(Data Loss Prevention)
vulnerable version: Agent: <7.9.4
fixed version: Agent: 7.9.4
CVE number: CVE-2023-6253
impact: High
homepage: https://www.fortra.com/product-lines/digital-guardian
found: 2023-05-16
by: J. Kruchem (Office Vienna)
B. Gr√ľndling (Office Vienna)
D. Hirschberger (Office Bochum)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult, an Eviden business
Europe | Asia

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Digital Guardian is proud to be part of Fortra’s comprehensive cybersecurity
portfolio. Fortra simplifies today’s complex cybersecurity landscape by bringing
complementary products together to solve problems in innovative ways. These
integrated, scalable solutions address the fast-changing challenges you face in
safeguarding your organization. With the help of the powerful protection from
Digital Guardian and others, Fortra is your relentless ally, here for you every
step of the way throughout your cybersecurity journey."

Source: https://www.digitalguardian.com/


Business recommendation:
------------------------
SEC Consult recommends users of this platform to install the latest update.

Furthermore, an in-depth security analysis performed by security professionals is
highly advised, as the software may be affected from other security issues.


Vulnerability overview/description:
-----------------------------------
1) Stored Cross-Site Scripting
The "PDF templates" feature is vulnerable against stored cross-site scripting
because it allows inserting arbitrary HTML. Therefore, an administrator can
create a malicious template which contains JavaScript and can send a link to
this template to authenticated users.

According to the vendor, this feature works as intended and the associated risk
is low, hence it will not be fixed.


2) UninstallKey Cached in Memory / Installer File (CVE-2023-6253)
The Agent Uninstaller handles sensitive data insecurely and caches the Uninstall
key in memory. This key can be used to stop or uninstall the application.
This allows a locally authenticated attacker with administrative privileges
to disable the application temporarily or even remove the application from the
system completely.


Proof of concept:
-----------------
1) Stored Cross-Site Scripting
According to the vendor, this feature works as intended and the associated risk
is low, hence it will not be fixed.

When editing PDF templates in the Digital Guardian Management Console (DGMC)
JavaScript code can be injected. By clicking on "preview" the XSS code gets
triggered.

The "PDF templates" feature can be found in the System -> Configuration menu.
Here, a new template can be uploaded, or an existing one can be edited. To
exploit the issue, malicious JavaScript can be added to a template:

<xss_insert.png>

Afterwards, the XSS is executed when the template is previewed with the
corresponding button:

<xss_trigger.png>

The attacker can also send the direct link to the template to the victim:
https://DG_HOST/DigitalGuardian/PopUps/PDFTemplatePreview.aspx?name=XSS.htm

If a victim opens the link while authenticated, the JavaScript code will
be executed.


2) UninstallKey Cached in Memory / Installer File (CVE-2023-6253)
When executing the installer of the DG Agent (.msi) the uninstall key is
pre-configured and can be read out (e.g. via Debugging).

First, the LocalPackage registry hive was identified, which reveals the MSI
installation package located in the Windows directory:

<registry.png>

The file can be executed without local administrator privileges. When executed
and clicked "Next", the Uninstall Key is prefilled as can be seen in the
following figure:

<installer.png>

Note: For demonstration purposes and simplification of the proof of concept, the
provided administrative access to the management console was used to append a
unique string to the uninstall key so it can be found in the memory more
efficiently. An attacker can also find the key without this modification. For
this purpose, the string "sectest" was appended.

WinDbg can be used to extract this key. WinDbg can simply be attached to the
process. Afterwards, the execution is paused in WinDbg and the following command
is used to search for the unique string:
> s -u 0 L?FFFFFFFFFFFFFFFF "sectest"

The following figure shows the output of this command (since a very large memory
space is searched, "Break" can be used to stop WinDbg from searching).

<windbg_1.png>

The memory space before "sectest" needs to be viewed to show the uninstall key.
The command db 000001c6`165b63a8 can be used to show the memory, as can be seen
in the following figure:

<windbg_2.png>

Thus, the original uninstall key is "dlpuninstall".

Furthermore, it can be used with the Terminator.exe found in the following path:
"C:\Program Files\[...]\DLP"

Running the application and supplying the key via an elevated command prompt,
it terminates all agent processes:

<terminator.png>

This binary can also be used to brute-force the correct Uninstall key, by
repeatedly calling it with possible Uninstall key candidates:
\.Terminator.exe <key candidate>


Vulnerable / tested versions:
-----------------------------
The following version has been tested:
* Management Console: 8.5.0.0317
* Agent: 7.8.5.0048

The vendor confirmed that all current and previous versions are affected.


Vendor contact timeline:
------------------------
2023-06-12: Contacting vendor through email (info@fortra.com);
asking for security contact, no response.
2023-06-26: Contacting vendor through same email again, no response.
2023-07-28: Contacting vendor through a more direct email-channel, no response.
2023-09-14: Sent another email to various email addresses found on the
website. Their "security.txt" file only points to inaccessible
pages (403 Access denied or 404 for the PGP key).
2023-09-14: Vendor response (Fortra support contact): forwarded our email to
Digital Guardian support team.
Support team and product security team reply.
2023-09-15: Asked for email encryption, received PGP key.
2023-09-18: Sending encrypted security advisory.
2023-09-19: Confirmation of receipt, team is working on verification and
development.
2023-10-11: Asking for status update.
Vendor response: XSS could be replicated but functionality works
as intended and won't be fixed because of limited exposure.
Issue 2 could not be verified yet, but engineering has acknowledged
it as addressable. Fix is planned for Q4. All current and previous
versions are affected.
2023-10-12: Asking for CVE number and if further input regarding vulnerability 2
is needed, no response.
2023-10-17: Received ticket notification that next maintenance update version
7.9.4 should be available for customer testing in the near future.
2023-11-09: Received ticket notification that version 7.9.4 is now GA for all
customers.
2023-11-13: Sending advisory draft to vendor, asking for CVE number for issue 2
again, scheduling advisory release for next week.
2023-11-17: Vendor response, no CVE number yet, we will request one ourselves.
2023-11-23: Public release of security advisory.



Solution:
---------
The vendor provides an updated Agent version 7.9.4 which can be downloaded
at the vendor's support page:
https://www.digitalguardian.com/services/support

Access controls to the management console along with monitoring and preventive
controls are recommended compensating controls for issue 1 according to the vendor.


Workaround:
-----------
To prevent disclosure of the uninstall key (issue 2) change it immediately after
deploying the DG agent on the system.


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult? Send us your application
https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF J. Kruchem, B. Gr√ľndling, D. Hirschberger / @2023
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close