A vulnerability residing in the “Domain Time II” network time solution can be exploited in Man-on-the-Side (MotS) attacks, cyber-security firm GRIMM warned on Tuesday.
Developed by Greyware Automation Products, Inc., Domain Time II is a time synchronization software designed to help enterprises ensure accurate time across their networks. The suite of tools provides testing, administration, and auditing capabilities.
Domain Time II consists of client and server programs, and both use the same executable to check for updates, namely dttray.exe. The programs can be set to check for updates at startup, but also allow for manual checks.
What GRIMM’s researchers discovered was that, regardless of the update method used, dttray.exe checks the update server by sending a UDP query. If the server response is a URL, the software notifies the user of an update’s availability.
Should the user accept the dialog, a browser window is opened to navigate to the provided URL, where the user is instructed to download and apply an update.
The security researchers explain that an MotS attacker capable of intercepting the UDP query and delivering their own URL to the software may be able to prompt the user into downloading and executing an attacker-supplied payload.
“Any executable downloaded and run in this way would execute with user privileges, though it could request elevation of privileges the same way the legitimate installer does,” the researchers say.
To demonstrate how an attacker could abuse the weakness in the update process to deliver malware, the researchers created a script that listens on the network for upgrade traffic (DNS requests for update.greyware.com), and which can respond to the appropriate requests.
The proof-of-concept (PoC) features a Hypertext Transfer Protocol (HTTP) impersonation mode, to also respond to HTTP requests, and direct users to a website that resembles the one supplied through the correct URL, but using HTTP instead of HTTPS.
“Since the MotS vulnerability exploited by this PoC is a race (between the attack server and the legitimate DNS server), the PoC is not guaranteed to succeed every time. Additionally, the use of the HTTP impersonation mode introduces a second race that must be won for the PoC to be successful,” the researchers note.
The provided PoC, GRIMM’s researchers explain, was tested and verified against Domain Time II versions 4.1.b.20070308, 5.1.b.20100731, and 5.2.b.20210103. Thus, the vulnerability is believed to have been present in the application for well over a decade.
With Domain Time II server installed on a domain controller within an Active Directory forest and the update component running from such a machine, an attacker able to perform a MotS attack could essentially have malware executed with administrative privileges on the server.
“Since the Domain Time II server can track and update versions of the client software across the network, compromising the server could lead to attackers being able to spread laterally across a network to workstations, database servers, or source code repositories,” GRIMM notes.
Greyware was informed of the vulnerability on March 30, 2021, and a patch was released the very next day, as Domain Time II version 5.2.b.20210331.