eCatcher Advisory Summary
An insecure filesystem permissions vulnerability was identified in eCatcher version 6.6.4 and earlier. To exploit this vulnerability, an attacker must have a user account on the same machine as the victim and have access to the machine during an active VPN connection.
Medium Risk Level
Impact
Weak filesystem permissions could allow malicious users to access files that could lead to sensitive information disclosure, modification of configuration files, or disruption of normal system operation.
Affected Vendor
Product Vendor | Product Name | Affected Version
Ewon by HMS Networks | eCatcher | Version 6.6.4 and earlier
Product Description:
According to the official product description, eCatcher is a “remote access software that allows remote management of devices within a highly secure environment”. The project’s official website is https://www.ewon.biz/technical-support/pages/talk2m/talk2m-tools/talk2m-ecatcher. The latest version of the application is 6.7.3, released on July 7, 2021.
Vulnerabilities List:
One vulnerability was identified within the eCatcher Desktop application.
INSECURE FILESYSTEM PERMISSIONS
The vulnerability is described in the section below.
Solution
Update to version 6.7.3
VULNERABILITIES
INSECURE FILESYSTEM PERMISSIONS
CVE ID | Security Risk | Impact | Access Vector
CVE-2021-33214 | Medium | Escalation of privileges | Local
Files and directories for the eCatcher Talk2MVpnService service have permissions that do not properly enforce access controls. For example, sensitive configuration files are marked as world-writable. Since this service runs under the NT Authority\SYSTEM user, these excessive permissions could lead to privilege escalation on the server.
The directory permissions for the temp directory used by the Talk2MVpnService service were enumerated as follows:
PS C:\Users\pn> icacls "C:\Program Files (x86)\eCatcher-Talk2M\Talk2mVpnService\temp"
C:\Program Files (x86)\eCatcher-Talk2M\Talk2mVpnService\temp
BUILTIN\Users:(F)
BUILTIN\Users:(OI)(CI)(IO)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
FIGURE 1 - Full directory access to all users of the system
As highlighted above, all users have full read/write rights over the directory. Since this directory is used to temporarily write OpenVPN configuration files, a user or malware on the system that successfully replaces such a file could escalate privileges when the privileged openvpn process reads it. The Talk2MVpnService service recreates this configuration file each time the VPN connection is initiated and prepends a random UUID to the filename, making it unpredictable. Hence, the attack window for exploitation was approximately 15 ms, which made the working exploit unreliable.
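The following PowerShell audit is an added example, not part of the advisory or the vendor's software: it reads a directory's ACL with Get-Acl and reports any Allow entry that grants write-class rights (specific or generic) to broad low-privilege principals, which is exactly the BUILTIN\Users:(F) condition shown in Figure 1. The default path is the temp directory enumerated above; the list of broad principals is an assumption and can be extended.

```powershell
# Added audit example (not from the advisory): flag ACEs that let any local user
# create or replace files in a directory read by a SYSTEM service (CVE-2021-33214 pattern).
param(
    [string]$Path = 'C:\Program Files (x86)\eCatcher-Talk2M\Talk2mVpnService\temp'
)

# Assumed list of principals that must never hold write rights under Program Files.
$BroadPrincipals = @('BUILTIN\Users', 'Everyone',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Specific rights that allow creating, altering or deleting files in the directory.
$Fs = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($Fs::Write -bor $Fs::Delete -bor $Fs::DeleteSubdirectoriesAndFiles)
# Generic rights are reported numerically by Get-Acl: GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$GenericWriteBits = 0x40000000 -bor 0x10000000

function Get-WeakAce {
    param([string]$TargetPath)
    $acl = Get-Acl -LiteralPath $TargetPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int so both named rights (F, M, W) and raw generic masks (GW, GA) can be tested.
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $WriteMask) -ne 0) -or (($rights -band $GenericWriteBits) -ne 0)) {
            [pscustomobject]@{
                Path      = $TargetPath
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$weak = @(Get-WeakAce -TargetPath $Path)
if ($weak.Count -eq 0) {
    Write-Output "OK: no broad principal holds write rights on $Path"
    exit 0
}
$weak | Format-Table -AutoSize
Write-Warning "$($weak.Count) weak ACE(s) found: a local user could replace files that the SYSTEM service reads."
exit 1
```

On an unpatched 6.6.4 install the script reports the explicit BUILTIN\Users FullControl entries from Figure 1 while ignoring the inherited (GR,GE) read entries; the inherited-rights column distinguishes a bad explicit grant from one propagated down from the parent directory.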
Credits
- Priyank Nigam, Senior Security Consultant, Bishop Fox
Timeline
- 04/19/2021: Initial discovery
- 04/30/2021: Contact with vendor
- 05/12/2021: Vendor acknowledged vulnerabilities
- 07/07/2021: Vendor released patched version 6.7.3