Executive Summary

Summary
Title Energizer DUO USB battery charger software allows unauthorized remote system access
Information
Name: VU#154421
First vendor publication: 2010-03-05
Vendor: VU-CERT
Last vendor modification: 2010-04-15
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS base score: 9.3
CVSS impact score: 10
CVSS exploit score: 8.6
Attack range: Network
Attack complexity: Medium
Authentication: None required

Detail

Vulnerability Note VU#154421

Energizer DUO USB battery charger software allows unauthorized remote system access

Overview

The software available for the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access.

I. Description

Energizer DUO is a USB battery charger. An optional Windows application that lets the user view the battery charging status has been available on the Energizer website. The installer for the Energizer DUO software places the file UsbCharger.dll in the application's directory and Arucer.dll in the Windows system32 directory. When the Energizer UsbCharger software runs, it uses the UsbCharger.dll component to provide USB communication. UsbCharger.dll executes Arucer.dll via the Windows rundll32.exe mechanism, and it also configures Arucer.dll to run automatically when Windows starts by creating an entry in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.

Arucer.dll is a backdoor that allows unauthorized remote system access by accepting connections on 7777/tcp. Note that Windows XP SP2 and later systems include a firewall by default. Upon running the Energizer UsbCharger software for the first time, a Windows Firewall dialog similar to the following is displayed (the screenshot is not reproduced in this copy):

If the user selects "Unblock," then the system will be at risk. Also note that if the application is unblocked, this will cause Windows to add rundll32.exe to the Windows Firewall exceptions list. This means that any DLL that is executed through the rundll32.exe mechanism will be excluded from the Windows Firewall, regardless of the DLL or port used.

The backdoor capabilities include the ability to list directories, send and receive files, and execute programs. The hash information for the file is
MD5: 1070be3e60a1868d2cd62fc90d76c861
SHA1: d102b1d2538d8771be85403272e5a22a4b3f81ad

The file details for Arucer.dll are

--a-- W32i   DLL CHS         1.0.0.1 shp     28,672 05-10-2007 arucer.dll
        Language        0x0804 (Chinese (PRC))
        CharSet         0x04b0 Unicode
        OleSelfRegister Disabled
        CompanyName
        FileDescription Arucer DLL
        InternalName    Arucer
        OriginalFilenam Arucer.DLL
        ProductName     Arucer Dynamic Link Library
        ProductVersion  1, 0, 0, 1
        FileVersion     1, 0, 0, 1
        LegalCopyright  ???? (C) 2006
        LegalTrademarks

        VS_FIXEDFILEINFO:
        Signature:      feef04bd
        Struc Ver:      00010000
        FileVer:        00010000:00000001 (1.0:0.1)
        ProdVer:        00010000:00000001 (1.0:0.1)
        FlagMask:       0000003f
        Flags:          00000000
        OS:             00000004 Win32
        FileType:       00000002 Dll
        SubType:        00000000
        FileDate:       00000000:00000000

II. Impact

An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs. The backdoor operates with the privileges of the logged-on user.

III. Solution

Remove the Energizer UsbCharger software

Removing the Energizer UsbCharger software will also remove the registry value that causes the backdoor to execute automatically when Windows starts. The Arucer.dll file will remain in the system32 directory, but the mechanisms for executing the code in the DLL will not be present.

Remove the Arucer.dll file

The backdoor component of the Energizer UsbCharger software can be removed by deleting the Arucer.dll file from the Windows system32 directory. Because the backdoor hosted by rundll32.exe continues to run after the software has been uninstalled, Windows may need to be restarted before this file can be removed.

Remove "Run DLL as an App" exclusion from the Windows Firewall

If the user unblocks Run DLL as an App (rundll32.exe) from the Windows Firewall, the exclusion will remain after the Energizer UsbCharger software has been uninstalled. To restore the firewall to the previous state, the "Run a DLL as an App" entry should be removed from the exclusions list.

Block or restrict network access

Blocking access to 7777/tcp can mitigate this vulnerability by preventing network connectivity to the backdoor. This may be achieved with network perimeter devices or host-based software firewalls. The Energizer UsbCharger software does not automatically add an exception to the Windows Firewall for 7777/tcp or the backdoor application. Therefore, the first time that Energizer UsbCharger is executed, the user will be prompted that "Run a DLL as an APP" has been blocked by the Windows Firewall.

The following Snort rules can be used to detect network traffic related to this backdoor:

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer Command Execution"; flow:established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; classtype:trojan-activity; sid:1000004; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer DIR Listing"; flow:established; content:"|C2 E5 E5 E5 9E D5 D4 D2 D1 A1 D7 A3 A6 C8 D2 A6 A7 D3 C8 D1 84 D7 D7 C8 DD D2 A6 D2 C8 D2 A7 A7 D2 D7 A4 D6 D7 A3 D4 DC A3 98 E5|"; classtype:trojan-activity; sid:1000005; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer WRITE FILE command"; flow: established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; classtype:trojan-activity; sid:1000006; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer READ FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A3 D3 A6 D1 D6 A0 D4 A4 C8 D4 D0 D0 D4 C8 D1 D5 D5 D5 C8 A4 D1 DD D6 C8 A6 D6 D3 D4 DC D3 DC A4 A0 A6 D1 D4 98 E5|"; classtype:trojan-activity; sid:1000007; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer NOP Command"; flow:established; content:"|C2 E5 E5 E5 9E D2 DD D6 A0 A4 A6 A7 A3 C8 A0 A3 DD A7 C8 D1 DC DD 80 C8 A4 D5 D0 DC C8 A3 D5 A7 D0 A7 A1 D4 D7 D3 D1 D4 A0 98 E5|"; classtype:trojan-activity; sid:1000008; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer FIND FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 A4 D2 A4 D7 A0 A7 D2 C8 D4 A0 D1 DC C8 D1 81 D0 83 C8 A7 D1 A1 DD C8 A1 D3 D3 D1 D0 A7 D2 D1 D1 D5 A0 D6 98 E5|"; classtype:trojan-activity; sid:1000009; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer YES Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 D7 A4 A6 D0 D5 DD DC C8 D6 DD D7 D5 C8 D1 D6 83 80 C8 DD A4 D1 A1 C8 A4 D2 D5 D7 DD A3 A4 A1 DD A6 D7 DD 98 E5|"; classtype:trojan-activity; sid:1000010; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer ADD RUN ONCE Command"; flow:established; content:"|C2 E5 E5 E5 9E D6 DD D1 A0 A7 A0 D7 A6 C8 A3 DC A0 A4 C8 D1 83 D3 87 C8 DC D1 A0 A3 C8 A6 DC A1 D7 A1 A4 D0 DD A3 A1 D4 D6 98 E5|"; classtype:trojan-activity; sid:1000011; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer DEL FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E D1 A3 D1 A3 D5 A1 DD DD C8 A0 D2 D4 D0 C8 D1 87 D4 83 C8 A7 D6 D4 D4 C8 D3 D4 A0 D0 D6 D5 A6 D7 A6 DD A3 A6 98 E5|"; classtype:trojan-activity; sid:1000012; rev:2;)
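The rules above are plain byte-sequence matches on traffic to tcp/7777: Snort alerts whenever the quoted |hex| bytes appear anywhere in an established stream to that port. As an added example (not part of the CERT note, and not Energizer's or Snort's code), the Python below parses four of those rule lines, extracts the content bytes, and runs them over constructed TCP segments to show what does and does not alert. The sample segments, the 10.0.0.5 address and the filler bytes are made up for the demonstration; the framing the backdoor actually uses around these bytes is not described in the note. It also computes the byte prefix all the signatures share, which can serve as a cheap pre-filter before the full match.

```python
"""Match the Arucer Snort signatures from VU#154421 against TCP payloads.

Added example (not from the CERT note or Energizer): a minimal parser for
the rule lines quoted above and a matcher that applies them to sample
payloads. Only the destination port and the content/msg/sid options are
honoured; flow tracking and the other Snort options are ignored.
"""
import re
from dataclasses import dataclass

# Four of the nine rules, copied from the note. They are byte-exact content
# matches, so a single differing byte in the payload means no alert.
SNORT_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer Command Execution"; flow:established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; classtype:trojan-activity; sid:1000004; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer DIR Listing"; flow:established; content:"|C2 E5 E5 E5 9E D5 D4 D2 D1 A1 D7 A3 A6 C8 D2 A6 A7 D3 C8 D1 84 D7 D7 C8 DD D2 A6 D2 C8 D2 A7 A7 D2 D7 A4 D6 D7 A3 D4 DC A3 98 E5|"; classtype:trojan-activity; sid:1000005; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer WRITE FILE command"; flow: established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; classtype:trojan-activity; sid:1000006; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer NOP Command"; flow:established; content:"|C2 E5 E5 E5 9E D2 DD D6 A0 A4 A6 A7 A3 C8 A0 A3 DD A7 C8 D1 DC DD 80 C8 A4 D5 D0 DC C8 A3 D5 A7 D0 A7 A1 D4 D7 D3 D1 D4 A0 98 E5|"; classtype:trojan-activity; sid:1000008; rev:2;)
'''

# Rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(r'^alert\s+tcp\s+\S+\s+\S+\s+->\s+\S+\s+(\d+)\s+\((.*)\)\s*$')
# One option: key:value; where value is a quoted string or runs to the next ';'
OPTION_RE = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]*);')


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    dst_port: int
    content: bytes


def parse_rule(line):
    """Turn one rule line into a Signature; only |hex| content is supported."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {line[:40]}...")
    dst_port, opts_text = int(m.group(1)), m.group(2)
    opts = {k: v.strip('"') for k, v in OPTION_RE.findall(opts_text)}
    content = opts["content"]
    if not (content.startswith("|") and content.endswith("|")):
        raise ValueError("only pure |hex| content matches are supported")
    return Signature(int(opts["sid"]), opts["msg"], dst_port,
                     bytes.fromhex(content.strip("|")))


def parse_rules(text):
    """Parse every 'alert' line in a block of rule text."""
    return [parse_rule(l.strip()) for l in text.splitlines()
            if l.strip().startswith("alert")]


def match_payload(signatures, dst_port, payload):
    """Return the sids of all signatures whose port matches and whose content
    bytes occur anywhere in the payload (a bare content: match has no
    offset or depth, so position does not matter)."""
    return sorted(s.sid for s in signatures
                  if s.dst_port == dst_port and s.content in payload)


def common_prefix(signatures):
    """Longest byte prefix shared by every signature; a cheap pre-filter."""
    prefix = signatures[0].content
    for s in signatures[1:]:
        i = 0
        while i < min(len(prefix), len(s.content)) and prefix[i] == s.content[i]:
            i += 1
        prefix = prefix[:i]
    return prefix


SIGNATURES = parse_rules(SNORT_RULES)

# Constructed sample segments (src, dst port, payload), not captured traffic.
SAMPLE_SEGMENTS = [
    ("10.0.0.5", 7777, SIGNATURES[3].content + b"\x00" * 8),          # NOP, leading
    ("10.0.0.5", 7777, b"\x00" * 8 + SIGNATURES[0].content + b"\x00"),  # exec, mid-payload
    ("10.0.0.5", 80, SIGNATURES[0].content),                           # right bytes, wrong port
    ("10.0.0.5", 7777, b"GET / HTTP/1.0\r\n\r\n"),                     # benign traffic
]


def scan(segments, signatures=SIGNATURES):
    """Apply the signatures to each segment; returns (src, dport, sid) alerts."""
    return [(src, dport, sid)
            for src, dport, payload in segments
            for sid in match_payload(signatures, dport, payload)]


if __name__ == "__main__":
    by_sid = {s.sid: s.msg for s in SIGNATURES}
    print("shared prefix:", common_prefix(SIGNATURES).hex(" ").upper())
    for src, dport, sid in scan(SAMPLE_SEGMENTS):
        print(f"{src} -> tcp/{dport}: sid {sid} {by_sid[sid]}")
```

Because the match is port-bound, the third segment carries the full command bytes but raises nothing; a host-based firewall that blocks 7777/tcp, as the Solution section recommends, removes the traffic these rules look for entirely, while the rules remain useful on a perimeter sensor for spotting hosts that still have the backdoor listening.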

Systems Affected

Vendor            Status      Date notified  Date updated
Energizer, Inc.   Vulnerable  2010-03-02     2010-03-05

References


http://www.marketwatch.com/story/energizer-announces-duo-charger-and-usb-charger-software-problem-2010-03-05
http://www.symantec.com/connect/blogs/trojan-found-usb-battery-charger-software
http://www.energizerrecharge.eu/en/range/chargers/usb
http://www.threatexpert.com/report.aspx?md5=3f4f10b927677e45a495d0cdd4390aaf
http://www.energizer.com/usbcharger/

Credit

Thanks to Ed Schaller for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

Date Public:2010-03-05
Date First Published:2010-03-05
Date Last Updated:2010-04-15
CERT Advisory: 
CVE-ID(s):CVE-2010-0103
NVD-ID(s):CVE-2010-0103
US-CERT Technical Alerts: 
Metric:2.09
Document Revision:45

Original Source

Url : http://www.kb.cert.org/vuls/id/154421

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-94 Failure to Control Generation of Code ('Code Injection')

CPE : Common Platform Enumeration

Type         Description  Count
Application               1

OpenVAS Exploits

Date Description
2010-03-18 Name : Energizer DUO USB Battery Charger Software Backdoor
File : nvt/gb_energizer_duo_usb_unauth_access_vuln.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
62782 Energizer DUO USB Battery Charger Software Arucer.dll Trojaned Distribution

Snort® IPS/IDS

Date Description
2014-01-10 Arucer backdoor traffic - NOP command attempt
RuleID : 25015 - Revision : 3 - Type : MALWARE-BACKDOOR
2014-01-10 Arucer backdoor traffic - write file attempt
RuleID : 16488 - Revision : 5 - Type : MALWARE-BACKDOOR
2014-01-10 Arucer backdoor traffic - yes command attempt
RuleID : 16487 - Revision : 5 - Type : MALWARE-BACKDOOR
2014-01-10 Arucer backdoor traffic - command execution attempt
RuleID : 16486 - Revision : 6 - Type : MALWARE-BACKDOOR

Nessus® Vulnerability Scanner

Date Description
2010-03-08 Name : The remote Windows host has a backdoor.
File : arugizer_backdoor.nasl - Type : ACT_GATHER_INFO
2010-03-08 Name : The remote Windows host has a backdoor.
File : energizer_duo_arugizer_backdoor.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2020-05-23 13:17:15
  • Multiple Updates
2016-03-12 13:25:10
  • Multiple Updates
2016-03-12 09:23:41
  • Multiple Updates
2014-02-17 12:07:33
  • Multiple Updates