Trident Media Guard, the company entrusted by the French government to monitor file-sharing networks for copyright infringement, recently had some of their tools leaked onto the Internet following a security breach. Now researchers have published an analysis, with claims that an auto-update feature makes TMG’s servers vulnerable to remote code injection and execution.
As detailed in our earlier reports, anti-piracy company Trident Media Guard (TMG) recently failed to secure some of their systems. Blogger and security researcher Olivier Laurelli, aka Bluetouff, originally reported the breach which included a wide open virtual ‘test’ machine containing various tools. These, of course, spilled into the wild.
From the various files made available, some were easily viewable with a standard text editor, others – such as an executable called server_interface.exe – were more tricky. Thanks to a admittedly fairly hostile Full Disclosure security report we now have a clearer idea of what the package is capable of.
Penned by ‘CULT OF THE DEAD HADOPI’, the report refers to TMG as “Too Many Gremlins” along with reports not to expose them to bright lights. In it the server_interface.exe code is described as a Delphi service to which anyone can connect and start sending commands, no authentication (username/password) required. Perhaps even more worrying is a script which accepts auto-updates.
“An attacker can use the ‘Auto Update’ feature (\x82) to force the server to download updates from an evil FTP server he controls. Of course, a downloaded file is executed
just after the download,” write the researchers.
“Hence, anyone who wants to raise an army against Too Many Gremlins, look for an open port on TCP 8500,” they add.
The implication here is that if this software was present on all TMG servers, in addition to being able to turn them on and off at will a hacker could take them over with custom code of his own choosing, potentially creating “an army” which could be used to attack TMG or indeed, anyone else.
Commenting on the research, Bluetouff told TorrentFreak that the discovery of the vulnerabilities mean that the French 3 strikes program might already have been compromised.
“If TMG is vulnerable to injectioning on the system used to provide IP addresses to the HADOPI, the whole process is fu**** up,” he explained.
“Someone could for example inject the Culture Ministry’s IP range, or worse, gain access between TMG and HADOPI’s VPN by stealing certificates… then gain access to a huge amount of personal data,” he added.
“For instance we don’t know if this new ‘test server’ leak can compromise the LAN(S) of TMG with this exploit. Opacity is even for HADOPI. That’s why they went to audit TMG’s infrastructure with the CNIL [French Data Protection Office].”
“Anyway, this new episode shows that HADOPI was right to close their access,” he concludes.
That closure of access is a reference to Hadopi severing their Internet links to TMG once they found out about the leak and resorting to shifting IP addresses around by DVD and the postal system instead. That is hardly efficient and undoubtedly TMG will be working hard to get back into the 21st century.