Vulnerability Disclosure - Sensitive Info. Leakage: Agent Memory Dump @ Zoho R.A.P.

Kartik Lalan, published in NestedIf, Oct 23, 2021 (3 min read)

Status: Possibly Fixed (as of 20-Oct-2021)

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 7.8 (High Severity)

CVE-2021-42956

Fixed version: 10.1.2132.6 (Change Log)

Impacted Component: Remote Access Plus (RAP) Server and Agent, both (Desktop App)

Vulnerability Description: It was observed that the application launches automatically at startup even for non-admin users, and that it runs with low privilege (that of the logged-in user). This lets any logged-in user dump the process memory, which leaks multiple pieces of sensitive application information, including passwords/secrets etc.

It was also observed that Remote Access Plus forwards commands executed by the web-portal admin to the agent process ToolsIQ.exe. Any logged-in user on the agent system can dump that process's memory and recover whatever the remote admin typed: commands, passwords, secrets etc.

Impact rationale: A memory dump would contain all of this information, including the DB connection string, user details, tokens, etc.

In corporate environments, IT admins usually have credentials for one common admin account that exists on all systems; they log in with it and perform all troubleshooting tasks from that account. A memory dump would contain the credentials of such an account, so a low-privileged user could recover the credentials of a domain (DC) account that is present on every system in the enterprise. In the same way, whatever the IT administrator does through the agent can be recovered from the process, causing loss of data confidentiality.

Exploitability rationale: For both the server and the agent application, a local Windows account login is required to dump the memory. Since the application launches automatically as the same user upon logon, a memory dump is easily possible. Due to improper ACL and privilege management, the process runs as the logged-in user, so a non-admin can dump it too. Since the process does not clear its memory (no memory recycler runs automatically), anyone with access to the system can harvest it easily.

Steps to reproduce & Supportive evidence:

For agent application:

  1. As the Remote Access Plus admin, take cmd access to the agent system remotely.
  2. Execute a command that contains sensitive info, e.g. runas /user:name command Password.
  3. On the system where the agent is deployed, dump the process memory of ToolsIQ.exe (using Task Manager or ProcessHacker2).
  4. Strings in the dump show up the sensitive info.

For the server application, simply dump its memory at any time while it is running and search for sensitive info.

[Screenshot] Application running as non-admin logged-in user called 'low'
[Screenshot] Dumping process memory
[Screenshot] Finding important items in the memory dump

Recommendation:

  1. Run a memory recycler rather than leaving cleanup to the OS (password managers tackle this to a good extent). For comparison, Windows credentials used by apps like RDP or network shares cannot be dumped easily.
  2. Ownership management: force the user to take ownership of the file/process before it can be dumped, and audit this action so that it can be acted upon if the event happens.
  3. Relaunch the process: this automatically creates a new PID, so by default all data from the old process is removed.
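As an added example (not part of the original disclosure or of Zoho's code), the following C models recommendation 1: a hypothetical agent-side handler copies a remote command into a buffer standing in for process memory, and a volatile-loop wipe that the compiler cannot elide clears it after use, with a scan showing whether the text is still recoverable. The handler, the arena and the command value are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wipe that dead-store elimination cannot remove (platform equivalents:
   SecureZeroMemory on Windows, explicit_bzero on glibc/BSD). */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

/* Does `region` still contain the byte sequence `secret`? This stands in
   for running a strings search over a process dump. */
int region_contains(const unsigned char *region, size_t rlen, const char *secret) {
    size_t slen = strlen(secret);
    if (slen == 0 || slen > rlen) return 0;
    for (size_t i = 0; i + slen <= rlen; i++)
        if (memcmp(region + i, secret, slen) == 0) return 1;
    return 0;
}

/* Constructed arena standing in for the agent's process memory. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];

/* Hypothetical handler: copy the admin's command into the arena, "execute"
   it (here: just measure it), then either leave it in place (the reported
   behaviour) or wipe it. Returns 1 if the command text is still recoverable
   from the arena afterwards, 0 if not, -1 if the command does not fit. */
int handle_command(const char *cmd, int wipe_after) {
    size_t n = strlen(cmd);
    if (n >= ARENA_SIZE) return -1;
    memcpy(arena, cmd, n + 1);                /* command now lives in "process memory" */
    size_t processed = strlen((char *)arena); /* stand-in for actually running it */
    (void)processed;
    if (wipe_after) secure_wipe(arena, n + 1);
    return region_contains(arena, ARENA_SIZE, cmd);
}

int main(void) {
    /* Constructed command; the password value is a placeholder. */
    const char *cmd = "runas /user:admin cmd /c whoami PLACEHOLDER_PASSWORD";
    printf("recoverable without wipe: %d\n", handle_command(cmd, 0)); /* 1 */
    printf("recoverable with wipe:    %d\n", handle_command(cmd, 1)); /* 0 */
    return 0;
}
```

The same wipe belongs wherever the agent stores credentials or command text it has finished with; relaunching the process (recommendation 3) achieves the same end coarsely, but only at restart.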
