lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 20 May 2017 01:39:36 +0000
From: Rehan Ahmed <knight_rehan@...mail.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
 "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
 "bugs@...uritytracker.com" <bugs@...uritytracker.com>
Subject: [FD] HP SimplePass Local Privilege Escalation


# Vulnerability Title: HP SimplePass Local Privilege Escalation
# Advisory Release Date: 05/18/2017
# Credit: Discovered By Rehan Ahmed
# Contact: knight_rehan@...mail.com
# Severity Level: Medium
# Type: Local
# Tested Platform: Windows 8 & 10 x64
# Vendor: HP Inc.
# Vendor Site: http://www.hp.com
# Download Link: http://ftp.hp.com/pub/softpaq/sp64001-64500/sp64339.exe
# Vulnerable Version: HP SimplePass 8.00.49, 8.00.57, 8.01.46 
# Vendor Contacted: 04/03/2017
# Vendor Response: 5/18/2017

########################################################################################
Summary:
########################################################################################
HP SimplePass allows you to safely store logon information for your favorite websites, and use a single method of authentication for your password-protected website accounts. Choose a fingerprint, password or PIN to authenticate your identity. Your computer must have at least one password-protected Windows User Account to use HP SimplePass.

https://support.hp.com/us-en/document/c03653209

#########################################################################################
Issue Details:
#########################################################################################

HP SimplePass is prone to a local privilege-escalation vulnerability due to insecure file system permissions that have been granted during installation. Local adversary can exploit this issue to gain elevated privileges on affected system.
HP SimplePass installs by default to "C:\Program Files\Hewlett-Packard\SimplePass" with very weak folder permissions granting any user full permission to the contents of the directory and it's subfolders. This allows ample opportunity for code execution against any other user running the application. HP SimplePass has few binaries which are typically configured as a service or startup program which makes this particularly easy to take leverage.
 
########################################################################################## 
Proof of Concept
##########################################################################################
a) C:\>icacls "C:\Program Files\Hewlett-Packard\SimplePass"

C:\Program Files\Hewlett-Packard\SimplePass Everyone:(F)
                                            Everyone:(OI)(CI)(IO)(F)
                                            BUILTIN\Administrators:(I)(F)
                                            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\SYSTEM:(I)(F)
                                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\Authenticated Users:(I)(M)
                                            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
                                            BUILTIN\Users:(I)(RX)
                                            BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
  

b) C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i "HP SimplePass"

HP SimplePass Cachedrv Service   Cachedrv server   "C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe"       Auto
HP SimplePass Service            omniserv           C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe         Auto

A user can place a malicious DLL/EXE (e.g OmniServ.exe) file with one of the expected names into that directory and wait until the service is restarted. The service can not be restarted by normal users but an attacker could just reboot the system or wait for the next reboot to happen.

###############################################################################################
3) Mitigation:
############################################################################################### 

Change the permission for dirctory to group other than Administrator on Read/Execute.
Fix: https://support.hp.com/us-en/drivers/selfservice/hp-envy-m7-n100-notebook-pc/8499292/model/8788306



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists