Technical Advisory – Bomgar Remote Support – Local Privilege Escalation
Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Bomgar Remote Support - Local Privilege Escalation Release Date: 2017-10-26 Application: Bomgar Remote Support Versions: 15.2.x before 15.2.3 16.1.x before 16.1.5 16.2.x before 16.2.4 Severity: High/Medium Author: Robert Wessen
Author: Mitch Kucia Vendor Status: Update Released  CVE Candidate: CVE-2017-5996 Reference: https://www.vsecurity.com/download/advisories/20171026-1.txt =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Product Description ~-----------------~ From Bomgar's website : "The fastest, most secure way for experts to access and support the systems that need them." Vulnerability Overview ~--------------------~ In mid-January, VSR identified a privilege escalation vulnerability in Bomgar Remote Support application which can be used to escalate from any unprivileged user to nt authority/system on Microsoft Windows 7 systems. The vulnerability originates from an nt authority/system service being executed from a folder with excessive permissions. The exploit requires a remote support agent to log into the affected system. Vulnerability Details ~-------------------~ The Bomgar Remote Support agent enables remote support personnel to establish screen sharing, access command shell, and perform system administration tasks on machines with the agent installed. The agent, by default, creates a service as the Windows LocalSystem account and creates a folder at C:ProgramDatabomgar-ssc-0xhhhhhhhh (where each h is a hex character). The agent is also executed from this folder, so the folder is included in the Windows dynamic library loader search path. The default permissions on the C:ProgramData folder allow all users, even unprivileged ones, to append and write files. These permissions are inherited by sub-directories unless explicitly overridden. These permissions are not changed during the installation of the agent, so a DLL planting/hijack is possible. A Trojan horse with the same name as one of the requested, but not present libraries can be placed inside the C:ProgramDatabomgar-ssc-0xhhhhhhhh folder since this folder is writeable by all users. When a remote support person attempts to connect to the host, the malicious library will be loaded and code can executed as nt authority/system. Versions Affected ~---------------~ The issue was originally discovered in version 16.1.1, although it likely exists since at least version 14. All testing was performed exclusively on Windows 7, however the vulnerability is suspected to be present on all supported Windows platforms. Vendor Response ~-------------~ The following timeline details Bomgar's response to the reported issue: 2017-02-05 VSR contacted Bomgar via several public email addresses to file a security report. 2017-02-06 Bomgar replied, VSR provided additional details on the vulnerability and Bomgar began internal triage. 2017-02-13 Bomgar confirmed reproduction and indicated a hotfix will be available to select customers on 2017-02-17. Patch for all customers will be available at a later date. 2017-03-28 Bomgar releases patch in Remote Support versions 15.2.3 , 16.1.5 , and 16.2.4 . 2017-10-26 VSR advisory released. Recommendation ~------------~ Upgrade all client installs to the latest version of Bomgar Remote Support software as soon as possible. Common Vulnerabilities and Exposures (CVE) Information ~----------------------------------------------------~ The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2017-5996 to this issue. This is a candidate for inclusion in the CVE list (https://cve.mitre.org), which standardizes names for security problems. Acknowledgments ~--------------~ Thanks to the Bomgar development team for a prompt response, confirmation, and patch. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= References: 1. https://www.bomgar.com/ 2. https://www.bomgar.com/support/changelog/remote-support-15-2-3 3. https://www.bomgar.com/support/changelog/remote-support-16-1-5 4. https://www.bomgar.com/support/changelog/remote-support-1624 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This advisory is distributed for educational purposes only with the sincere hope that it will help promote public safety. This advisory comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Neither Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. See the VSR disclosure policy for more information on our responsible disclosure practices: https://www.vsecurity.com/company/disclosure =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Copyright 2017 Virtual Security Research, LLC. All rights reserved.
Editor's note: This work was originally published by VSR on their website at https://www.vsecurity.com/resources/advisories.html. VSR is now a part of NCC Group, so we have migrated this content to research.nccgroup.com. The advisory text as above has been copy-pasted to this blog for historical reference.