UIM - Dr.NimBUS.exe - privilege vulnerability

Article ID: 238569


Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

Dr.NimBUS.exe - privilege vulnerability

Dr.NimBUS.exe is a local thick client application running on the UIM HUB server that offers Nimsoft administration functionality to authorised users.

During the authentication process on execution, the application checks the Windows-logged-in user's privileges in the "security.cfg" file. If the user exists in the configuration file, the application then executes the binary with the privileges identified within the user's <acl> tag in that file.

If the user is not configured with a "NimBUS" execution role, the application exits with a "privileges too low" error.

Due to insufficient access controls, testers were able to bypass the authorisation process and execute the binary with SuperUser privileges by proxying the application's traffic and injecting the SuperUser role during execution.
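The weakness described above is a client-side authorisation decision fed by a value that crosses a channel another local process can rewrite. The following toy model is an added example written for this article, not UIM or Dr.NimBUS code: it places a launcher that trusts the role it receives over such a channel beside a design in which the component that owns security.cfg decides for itself, keyed on the authenticated session user, and records any mismatch between the role a client asserts and the role on file. The config layout, user names, channel functions and the set of launch-capable roles are assumptions; only the <acl> tag and the role names "SuperUser", "default" and "NimBUS" come from the article.

```python
"""Toy model of the authorisation flaw (constructed example, not UIM code):
a launcher that trusts a role value delivered over a rewritable local hop,
beside a hub that decides from its own copy of security.cfg."""
import xml.etree.ElementTree as ET

# Constructed stand-in for security.cfg. Only the <acl> tag is mentioned in the
# article; the surrounding element layout and the user names are assumptions.
SECURITY_CFG = """\
<security>
  <user name="svc_admin"><acl>SuperUser</acl></user>
  <user name="tester"><acl>default</acl></user>
</security>
"""

# Roles permitted to launch the administration tooling. The two role names come
# from the article; treating them as the complete launch set is an assumption.
LAUNCH_ROLES = {"SuperUser", "NimBUS"}


def load_acls(cfg_text):
    """Map user name -> role string from the (assumed) config layout."""
    root = ET.fromstring(cfg_text)
    return {
        user.get("name"): (user.findtext("acl") or "default").strip()
        for user in root.findall("user")
    }


def honest_channel(message):
    """Localhost hop between components, delivered unmodified."""
    return message


def rewriting_channel(message):
    """Models the proxy step in the report: the role in transit is rewritten."""
    return message.replace("role=default", "role=SuperUser")


class VulnerableLauncher:
    """Decides locally, based on whatever role value arrives over the channel.
    Whoever controls the channel therefore controls the decision."""

    def __init__(self, acls):
        self.acls = acls

    def launch(self, user, channel):
        on_wire = channel(f"role={self.acls.get(user, 'default')}")
        role = on_wire.split("=", 1)[1]
        if role not in LAUNCH_ROLES:
            return "privileges too low"
        return f"launched as {role}"


class HardenedHub:
    """The component holding security.cfg performs the privileged action only
    after its own lookup, keyed on the authenticated session user. A role the
    client asserts in its request never enters the decision; a mismatch is
    recorded so the detection team can see tampering attempts."""

    def __init__(self, acls):
        self.acls = acls
        self.audit = []

    def launch_for(self, session_user, request):
        role = self.acls.get(session_user, "default")
        claimed = request.get("role")
        if claimed is not None and claimed != role:
            self.audit.append(
                f"role mismatch for {session_user}: claimed={claimed} actual={role}"
            )
        if role not in LAUNCH_ROLES:
            return "privileges too low"
        return f"launched as {role}"


if __name__ == "__main__":
    acls = load_acls(SECURITY_CFG)
    vulnerable = VulnerableLauncher(acls)
    print("vulnerable, clean channel:  ", vulnerable.launch("tester", honest_channel))
    print("vulnerable, rewritten hop:  ", vulnerable.launch("tester", rewriting_channel))
    hub = HardenedHub(acls)
    print("hardened, claimed SuperUser:", hub.launch_for("tester", {"role": "SuperUser"}))
    print("audit:", hub.audit)
```

The design point is where the decision lives: in the hardened model the client can say whatever it likes about its role, the hub still looks the session user up in its own store, and the discrepancy becomes an audit record rather than an elevation.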

DETAILS:

Although a test user account had no privileges to launch the Dr.NimBUS application, I was able to bypass the authorisation controls as below:

Attack steps:
From the configuration file (security.cfg) I identified the “SuperUser” Nimbus role.

I launched the application and I used the EchoMirage tool to proxy the localhost communication between the different Nimbus components.

I updated my user profile role during execution from “default” to “SuperUser” (Figure 2) and the Dr.NimBUS executed successfully (Figure 3) with SuperUser privileges.

Environment

Release : UIM 20.4

Component : UIM - HUB

Cause

Product Vulnerability

Resolution

This issue is resolved starting with UIM 20.4CU5; see DX Unified Infrastructure Management - Cumulative Updates & Patches.

Additional Information

Oct 18 2023 - Marco Ippati - Updated Resolution as the fix is released. Republished.