Soul Cry - Hacking LiteManager Infrastructure
Foreword
This text is, first of all, a warning for system administrators and ordinary users. Suddenly for me, it turned out that the relatively well-known program for remote administration "LiteManager" (hereinafter LM) in itself, without modifications and any changes, is a backdoor for any computer where it is installed. That is, if LM is installed on the PC and the connection by ID is used (without IP address), then, with a very high, almost 100%, probability, this PC can be accessed illegally by a completely unauthorized user, with minimal effort, without possessing any special hacking skills. Description of the “hacking” technology and a working example with source code below.
I am a programmer in a small company, our software is not connected with network technologies, however, sometimes employees need remote access to working PCs. For various reasons, the choice fell on the LM, which is free for 30 employees. In addition to direct connections to the local network (a la Radmin), LM allowing to work without a remote computer by ID, through the company's server (xa-xa) or custom server IP-addresses that can expand anyone , subject to the availability of external IP addresses (at first glance, it looks like TeamViewer, but this is only at first).
How is the network of LM NOIP servers
And so we found that periodically, to some machines, remote access via LM is carried out by some unidentified person. Those who had access passwords physically could not connect remotely at that moment. In general, the situation repeated more than once or twice, even after changing the passwords. LM was removed from all machines and I started to study the situation, starting, of course, with how the connections by ID are arranged. LM borrowed the name from a well-known international company and named their module LM NOIP server (also called a “router”).
Connection by ID, in programs of this kind, allows communication even if the remote (and / or local) computer is located behind NAT. You specify the ID and password of the remote computer, press OK and get complete control over the machine. At the same time, both the administrator’s computer (hereinafter referred to as the Viewer) and the remote PC (hereinafter referred to as the Server, yes, in LM terminology exactly this way, do not confuse it with the LM NOIP server, i.e. the router) use only outgoing connections to the router.
And here the fun begins. Below is a description from the official site.

From the official site
Got the point? To use a personal NOIP router and the free version, you need to open this router for everyone . It would seem that this is bad? To answer this question, we will deal with the general scheme of NOIP LM routers.
They have one, the so-called “Main server”, which coordinates the rest of the open routers, through which it drives all the traffic, including and commercial users. This is monitored by any TCP connection monitoring program - first a request to the main server, then work through random (or not random, depending on the settings).

LM Server Diagram
The advantage is that to work by ID it is not necessary to deploy a personal NOIP server, by the way, we did not install our server. Everything works out of the box due to the availability of already available free open NOIP routers, of which there are already several dozen, their list is available directly from Viewer. The program itself selects a server (it may be different each time) and the traffic goes through it. Thus, obviously, the Company decided to create a kind of torrent tracker, saving on traffic and servers.
Global vulnerability
But, as practice has shown, this idea is beautiful only in the form of an idea. In fact, through completely random servers owned by random people, traffic is proxied, including passwords for accessing remote PCs, of course, and not a new series of Star Wars, as is the case with a torrent.
Yes, of course, the traffic is encrypted.

From the official site
RSA 2048, AES 256, all things. Only the Server <=> Viewer channel is encrypted, although even if the Serve <=> NOIP and Viewer <=> NOIP channels were encrypted, nothing would change dramatically. However, there is no server authentication in the program at all! Yes, even if such a check were, from the practice of working with RDP, I can responsibly declare that few people pay attention to the warning that it is not possible to verify the authenticity of the remote computer.

RDP Warning
But, I repeat, even such a check is not there. And here comes the abbreviation MITM. Attack "man in the middle." Almost immediately, it became clear that the search for the hole was completed.
Even after a quick study of Wireshark's traffic and viewing the program modules under the debugger, it became clear that this is it.
To implement MITM, you need, in some way, access to the infrastructure / equipment / communication channel, it needs social engineering and other tricks, this is a single product that does not pose much harm to the masses. In general, this is done by professional hacking specialists, which I am not.
But LM provides, I apologize for another exclamation point, this infrastructure to anyone, and, as they like to repeat on their site, it's free! Install an open LM router and listen to all the traffic that goes through it. A kind of fishing ID and password access to remote machines. It remains only to intercept the traffic and decrypt it.
As a result, we have a global, architectural vulnerability of the entire LM infrastructure. Was this done intentionally or due to the lack of basic knowledge in the field of network security? The question is open.
Traffic interception
This article is accompanied by a fully working example of a program with source code that can intercept almost all IDs and passwords of connections passing through an LMNOIP router. The only requirement is an external IP address.

LMSoulCry.exe
LMSoulCry needs to be put on the network in front of the LM NOIP router.
The LM NOIP router is designed in such a way that upon startup, it accesses the Global LM server, apparently for registration. The global server, in turn, is trying to establish a reverse TCP connection to this router. If this succeeds, then the router can be switched to free mode and used, i.e. It is open to all.
We need to make sure that our LMSoulCry accepts incoming TCP connections (it, in turn, will redirect them to the LM router). And the LM router will send outgoing connections on its own directly to the Global server, without our participation.
Here is a typical setup diagram. Your PC has an external IP address. We install a virtual machine to run LM NOIP router on it. We connect it through the built-in NAT adapter (it is in VMWare) to your main PC. We configure the Internet in a virtual machine (often, nothing needs to be configured, everything works by itself). We start on a physical computer, with an external IP, LMSoulCry.exe and specify the internal address of the virtual machine in it . Next, turn on LMSoulCry and start the LM NOIP router (which is on the virtual machine). Random users will not be long in coming.
If the external IP address is not on your PC, but on the router, then you just need to specify port-forwarding in the settings of this router itself.
If there is no external IP address, then in practice you won’t check anything.
MITM implementation
As for the implementation of MITM, everything is banal there. LM uses the MS Crypto API, which further simplifies the task of key substitution. The source code of LMSoulCry is generously provided with comments; I don’t see any reason to transfer it to the article.
Probably, this example will cause a condescending smile among professional crackers, but it is valuable in that way, even an average programmer or student who, at least in general terms, is aware of how to use the debugger can understand and implement it. In the example, there are no patches or API hooks.
This example, also, can be easily expanded to intercept anything from what LM passes through. Since the traffic is practically not protected by NOIP.
Here, as they say, we must not speak, but show.
Soul cry, lyrics and conclusions
After the discovery of this vulnerability, a letter was sent to the LM developers. To which no answer was received.

Responsible
Perhaps they will answer you. Try your luck.
I’m not sure that the developers of the project called “LiteManager” will be deservedly responsible for substituting thousands of unsuspecting users (both free and commercial, which is important), including me, throughout already seven years old. After all, it has not been written anywhere that the program is in no way protected and, having installed it on a PC, you are guaranteed to open the door for anyone who wants it, the lock does not work.
But I have confidence that professional hackers have been aware of this “architectural feature” of this software for a very long time and have been using it for their own purposes for a long time.
Да, во многих продуктах используется подобная схема для обхода NAT, но во всех этих программах, сервера (роутеры) принадлежат либо самой Компании, выпускающей продукт, либо располагаются на стороне заказчика и контролируются только им. То есть нет никакой третьей стороны, всегда понятно с кого спрашивать, в случае проблем.
Да, я могу понять и простить Компанию, когда с ее серверов утекают персональные данные. Когда находят какую-то редкую уязвимость и хитро эксплуатируют ее. Но, когда уже более 5 лет предлагается, извините за выражение, лохотрон, причем массовый, — тут нет прощения и понимания. Надеюсь, хотя бы эта статья возымеет силу.
Всем пользователям настоятельно рекомендую немедленно удалить LiteManager, антивирусам рекомендую пометить сам LM и его сайт, как вредоносные.
I strongly recommend “keep your eyes open” to everyone who has passed the trouble, and also remember the statement about free cheese and a mousetrap.
→ Github