SecurityWeek

Network Security

Vulnerability in ‘Domain Time II’ Could Lead to Server, Network Compromise

A vulnerability residing in the “Domain Time II” network time solution can be exploited in Man-on-the-Side (MotS) attacks, cyber-security firm GRIMM warned on Tuesday.

Developed by Greyware Automation Products, Inc., Domain Time II is time synchronization software designed to help enterprises ensure accurate time across their networks. The suite of tools provides testing, administration, and auditing capabilities.

Domain Time II consists of client and server programs, and both use the same executable to check for updates, namely dttray.exe. The programs can be set to check for updates at startup, but also allow for manual checks.

What GRIMM’s researchers discovered was that, regardless of the update method used, dttray.exe checks the update server by sending a UDP query. If the server response is a URL, the software notifies the user of an update’s availability.

Should the user accept the dialog, a browser window is opened to navigate to the provided URL, where the user is instructed to download and apply an update.

The security researchers explain that an MotS attacker capable of intercepting the UDP query and delivering their own URL to the software may be able to prompt the user into downloading and executing an attacker-supplied payload.

“Any executable downloaded and run in this way would execute with user privileges, though it could request elevation of privileges the same way the legitimate installer does,” the researchers say.
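The weak point described above is that a URL arriving in an unauthenticated UDP reply is handed straight to the browser. The following is an added example of how an update client can refuse such a URL unless it is HTTPS and points at a host the client already trusts. It is not Greyware's code and not the fix shipped in 5.2.b.20210331 (the article does not describe that fix); the allowlisted host is a placeholder assumption.

```python
"""Validate an update URL received over an unauthenticated channel.

Added example; not Greyware's code and not the vendor's actual patch.
Assumes the client knows ahead of time which HTTPS host legitimately
serves updates; ALLOWED_UPDATE_HOSTS is a constructed placeholder.
"""
from urllib.parse import urlsplit

# Assumption: placeholder allowlist, not taken from the product.
ALLOWED_UPDATE_HOSTS = frozenset({"update.greyware.com"})


def check_update_url(url, allowed_hosts=ALLOWED_UPDATE_HOSTS):
    """Return (ok, reason). Only https URLs on an allowlisted host pass.

    A URL injected into the UDP update reply fails either the scheme check
    (an HTTP look-alike site) or the host check (an attacker-chosen host).
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() != "https":
        return False, f"scheme {parts.scheme!r} is not https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    if host.lower() not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    if port not in (None, 443):
        return False, f"non-standard port {port}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://update.greyware.com/dt/setup.exe",          # constructed: passes
        "http://update.greyware.com/dt/setup.exe",           # constructed: HTTP, rejected
        "https://update.greyware.com.evil.example/setup.exe",  # constructed: wrong host
        "https://user@update.greyware.com/setup.exe",        # constructed: userinfo
    ):
        print(candidate, "->", check_update_url(candidate))
```

The allowlist on its own does not stop a spoofed DNS answer from steering the client to an attacker-controlled address; what closes the gap is that the browser will then fail TLS certificate validation for the real host name. A signed update manifest fetched over HTTPS, rather than a bare URL in a UDP reply, would remove the dependence on the user's browser altogether.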

To demonstrate how an attacker could abuse the weakness in the update process to deliver malware, the researchers created a script that listens on the network for upgrade traffic (DNS requests for update.greyware.com), and which can respond to the appropriate requests.

The proof-of-concept (PoC) also features a Hypertext Transfer Protocol (HTTP) impersonation mode, in which it answers the victim's HTTP requests and serves a site resembling the legitimate one reached through the correct URL, but over HTTP instead of HTTPS.

“Since the MotS vulnerability exploited by this PoC is a race (between the attack server and the legitimate DNS server), the PoC is not guaranteed to succeed every time. Additionally, the use of the HTTP impersonation mode introduces a second race that must be won for the PoC to be successful,” the researchers note.
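Because the PoC has to out-race the legitimate DNS server, a client under attack receives two answers for the same DNS transaction, one from the attacker and one from the real resolver, and they disagree. The following added detection example (not GRIMM's PoC and not vendor code) parses captured DNS responses and flags a transaction ID that received conflicting A records. It assumes the defender can observe DNS responses on the client side, for instance from a packet capture, and that both responses reach the wire; the packets below are constructed sample input.

```python
"""Flag conflicting DNS answers for the same transaction ID and name.

Added example, not part of the article or of GRIMM's PoC. Assumes DNS
responses are captured client-side (e.g. from a pcap); the sample packets
are constructed with build_response() and the IPs are documentation ranges.
"""
import struct
from collections import defaultdict


def _read_name(pkt, off):
    """Decode a DNS name at offset, following compression pointers.
    Returns (name, offset just past the name as it appears at 'off')."""
    labels = []
    jumped = False
    end = off
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        if length == 0:
            if not jumped:
                end = off + 1
            break
        off += 1
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_response(pkt):
    """Return (txid, qname, [A-record IPs]) for a single-question response."""
    txid, _flags, _qdcount, ancount = struct.unpack("!HHHH", pkt[:8])
    off = 12  # fixed 12-byte header
    qname, off = _read_name(pkt, off)
    off += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return txid, qname, ips


def build_response(txid, qname, ip):
    """Construct a minimal A-record response; used only to make sample input."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    q += struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    ans = b"\xc0\x0c"  # pointer back to the question name at offset 12
    ans += struct.pack("!HHIH", 1, 1, 60, 4)
    ans += bytes(int(x) for x in ip.split("."))
    return hdr + q + ans


def find_conflicting_answers(responses):
    """Group responses by (txid, qname); report groups whose A records differ."""
    seen = defaultdict(list)
    for pkt in responses:
        txid, qname, ips = parse_response(pkt)
        seen[(txid, qname)].append(tuple(ips))
    alerts = []
    for (txid, qname), answers in seen.items():
        if len(set(answers)) > 1:
            alerts.append({"txid": txid, "qname": qname,
                           "answers": sorted(set(answers))})
    return alerts


# Constructed sample: one transaction answered twice with different addresses
# (the race the article describes), one answered normally.
SAMPLE_RESPONSES = [
    build_response(0x1A2B, "update.greyware.com", "203.0.113.7"),    # constructed: racing answer
    build_response(0x1A2B, "update.greyware.com", "198.51.100.20"),  # constructed: resolver's answer
    build_response(0x3C4D, "time.example.com", "198.51.100.5"),      # constructed: benign
]

if __name__ == "__main__":
    for alert in find_conflicting_answers(SAMPLE_RESPONSES):
        print(f"conflicting answers for txid {alert['txid']:#06x} "
              f"{alert['qname']}: {alert['answers']}")
```

On a real network the same logic should be keyed on the client's source port as well as the transaction ID, and a single conflicting pair is worth an alert even if the attacker lost the race, since losing it once does not stop them from trying again on the next update check.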

The provided PoC, GRIMM’s researchers explain, was tested and verified against Domain Time II versions 4.1.b.20070308, 5.1.b.20100731, and 5.2.b.20210103. Thus, the vulnerability is believed to have been present in the application for well over a decade.

With the Domain Time II server installed on a domain controller within an Active Directory forest and the update component running from such a machine, an attacker able to perform an MotS attack could essentially have malware executed with administrative privileges on the server.

“Since the Domain Time II server can track and update versions of the client software across the network, compromising the server could lead to attackers being able to spread laterally across a network to workstations, database servers, or source code repositories,” GRIMM notes.

Greyware was informed of the vulnerability on March 30, 2021, and a patch was released the very next day, as Domain Time II version 5.2.b.20210331.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
