Researchers at the GRIMM security firm reported the finding of a critical vulnerability in the network management and auditing solution Domain Time II that could be exploited to deploy an attack variant known as Man-on-the-Side (MotS).
On this attack variant, experts mention that it is very similar to the Man-in-The-Middle (MiTM) attack, although instead of controlling a full network node the MotS attack allows access to only one communication channel. However, this is more than enough to read the traffic.
According to the report, Domain Time II consists of client and server programs that use the same executable (dttray.exe) for update lookup: “The executable verifies the update server by sending a UDP query regardless of the update method used by the administrator. If the server response is a URL, the software will notify if an update is available.”
If administrators accept this dialog box, a browser window opens for the provided URL, instructing the user to download and install the update. At this point, threat actors could intercept the UDP query and deliver their own URL to the software for the user to download and install a malicious payload: “Any executable implemented in this way would run with user privileges, although you could request elevation of privileges in the same way that the legitimate installer does,” the report states.
Experts developed a script to demonstrate how a malicious hacker could abuse this flaw in the upgrade process. This script listens on the update traffic network and can respond to certain types of requests. Proof of Concept (PoC) also describes a method for impersonating Hypertext Transfer Protocol (HTTP), to also respond to HTTP requests and direct users to a legitimate-looking website that actually uses HTTP instead of HTTPS.
The proof of concept provided by specialists was verified using the following versions of Domain Time II:
Because the flaw is in versions released a considerable time ago, experts believe it has been around for about ten years.
With the Domain Time II server installed on a domain controller within an Active Directory environment and the update component running locally, an attacker capable of performing a MotS attack could run malware with administrative privileges on the server with relative ease.
Experts conclude by mentioning that a potential server compromise could lead threat actors to perform side attacks on all environments connected to the starting point, as the Domain Time II server is able to track and update versions of client software over the network.