Network Security

Vulnerability in ‘Domain Time II’ Could Lead to Server, Network Compromise

A vulnerability residing in the “Domain Time II” network time solution can be exploited in Man-on-the-Side (MotS) attacks, cyber-security firm GRIMM warned on Tuesday.

Developed by Greyware Automation Products, Inc., Domain Time II is time synchronization software designed to help enterprises keep accurate time across their networks. The suite of tools provides testing, administration, and auditing capabilities.

Domain Time II consists of client and server programs, and both use the same executable to check for updates, namely dttray.exe. The programs can be set to check for updates at startup, but also allow for manual checks.

What GRIMM’s researchers discovered was that, regardless of the update method used, dttray.exe checks the update server by sending a UDP query. If the server response is a URL, the software notifies the user of an update’s availability.

Should the user accept the dialog, a browser window is opened to navigate to the provided URL, where the user is instructed to download and apply an update.

The security researchers explain that an MotS attacker capable of intercepting the UDP query and delivering their own URL to the software may be able to prompt the user into downloading and executing an attacker-supplied payload.

“Any executable downloaded and run in this way would execute with user privileges, though it could request elevation of privileges the same way the legitimate installer does,” the researchers say.

To demonstrate how an attacker could abuse the weakness in the update process to deliver malware, the researchers created a script that listens on the network for upgrade traffic (DNS requests for the update server) and can respond to the appropriate requests.

The proof-of-concept (PoC) also features a Hypertext Transfer Protocol (HTTP) impersonation mode, in which it answers HTTP requests and directs users to a website that resembles the one behind the legitimate URL, but served over HTTP instead of HTTPS.

“Since the MotS vulnerability exploited by this PoC is a race (between the attack server and the legitimate DNS server), the PoC is not guaranteed to succeed every time. Additionally, the use of the HTTP impersonation mode introduces a second race that must be won for the PoC to be successful,” the researchers note.
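Two defender-side checks for the update flow and the DNS race described above, written as an added example that is neither GRIMM's PoC nor Greyware's code; the update host and the log line format are assumptions:

```python
"""Added example (not GRIMM's PoC and not Greyware's code): two defender-side
checks for the Domain Time II update flow described above.
1. validate_update_url(): the rule a client should apply before opening a
   browser on a URL that arrived in an unauthenticated UDP reply.
2. find_mots_races(): over DNS-reply log lines (a constructed sample, not real
   Domain Time II traffic) flag a query that received two different answers,
   the on-the-wire sign of a MotS attacker racing the legitimate resolver.
The update host and the log format are assumptions."""
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: the vendor's real update host is not on the page; placeholder.
ALLOWED_UPDATE_HOSTS = {"updates.example-vendor.invalid"}

def validate_update_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason). Only HTTPS to an allowlisted host passes, which
    blocks both an attacker-supplied URL and the HTTP impersonation
    downgrade the PoC relies on."""
    try:
        p = urlparse(url)
    except ValueError:
        return False, "unparseable URL"
    if p.scheme != "https":
        return False, f"scheme {p.scheme!r} is not https"
    if p.hostname not in ALLOWED_UPDATE_HOSTS:
        return False, f"host {p.hostname!r} not in allowlist"
    if p.username or p.password:
        return False, "credentials embedded in URL"
    return True, "ok"

# Constructed DNS-reply log: "<time> id=<txid> q=<name> a=<answer> src=<resolver>"
SAMPLE_LOG = """\
10:00:01.001 id=0x1a2b q=updates.example-vendor.invalid a=203.0.113.7 src=10.0.0.53
10:00:01.004 id=0x1a2b q=updates.example-vendor.invalid a=198.51.100.9 src=10.0.0.53
10:00:02.100 id=0x1a2c q=time.example.invalid a=203.0.113.20 src=10.0.0.53
"""

def find_mots_races(log_text: str) -> dict[str, set[str]]:
    """Map transaction id -> conflicting answers, for ids that were answered
    more than once with different data (two replies to one query)."""
    answers: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        answers[fields["id"]].add(fields["a"])
    return {txid: a for txid, a in answers.items() if len(a) > 1}
```

The second check only spots the race when both replies reach the sensor; a first-reply-wins resolver cache will still have accepted whichever answer arrived first, so the URL allowlist is the control that actually stops the payload.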

The provided PoC, GRIMM’s researchers explain, was tested and verified against Domain Time II versions 4.1.b.20070308, 5.1.b.20100731, and 5.2.b.20210103. Thus, the vulnerability is believed to have been present in the application for well over a decade.

With the Domain Time II server installed on a domain controller within an Active Directory forest and the update component running from that machine, an attacker able to perform an MotS attack could essentially have malware executed with administrative privileges on the server.

“Since the Domain Time II server can track and update versions of the client software across the network, compromising the server could lead to attackers being able to spread laterally across a network to workstations, database servers, or source code repositories,” GRIMM notes.

Greyware was informed of the vulnerability on March 30, 2021, and a patch was released the very next day, as Domain Time II version 5.2.b.20210331.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
