| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAFz4UQ9-UXFzDVXS=35YiHG1on+mQdXQETmd_0D3NyGZTagP+Q@mail.gmail.com> Date: Tue, 24 Mar 2020 04:54:38 +0400 From: Eldar Marcussen <wireghoul@...il.com> To: fulldisclosure@...lists.org Subject: [FD] HP ThinPro - Information disclosure HP ThinPro - Information disclosure =============================================================================== Identifiers ------------------------------------------------- * CVE-2019-16285 CVSSv3 score ------------------------------------------------- 6.1 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) Vendor ------------------------------------------------- HP - [https://www.hp.com](https://www.hp.com) Product ------------------------------------------------- Deliver secure desktop virtualization that’s as comfortable for IT as it is for end users with the stunningly redesigned HP ThinPro. It has a bold new user interface and workflow refinements that make it a breeze to configure, manage, and use right out of the box. Affected versions ------------------------------------------------- - HP ThinPro Linux 7.1 - HP ThinPro Linux 7.0 - HP ThinPro Linux 6.2.1 - HP ThinPro Linux 6.2 Credit ------------------------------------------------- Eldar Marcussen - xen1thLabs - Software Labs Vulnerability summary ------------------------------------------------- If the thin client is configured with `local user must login` then an unauthenticated attacker with physical access to the thin client can extract sensitive information onto a USB drive. This information could then lead to the attacker gaining administrative access to this device and others on the network. Technical details ------------------------------------------------ An attacker can use the `generate diagnostic` feature under the `system logs` tab of the `system information` window to generate a tar ball containing sensitive files, such as the `/root` directory including `.bash_history`, the `registry.xml` file from `/writeable/tmp` and `shadow-` from `/etc`. These files can be found under their relative path under the `files/` directory in the generated `Diagnostic.tgz` Proof of concept ------------------------------------------------- The following evidence is provided to illustrate the existence and exploitation: 1. Insert USB drive 2. At the login screen press the wrench icon on the login window 3. Press the `i` icon 4. Select the `System Logs` tab 5. Select `Trace` in the dropdown for the Debug level 6. Click the `Diagnostic` button to generate the `Diagnostic.tgz` file 7. Save file to drive 8. On a different computer extract the file 9. Observe the presence and content of the following files: * `files/etc/shadow-` * `files/writeable/tmp/registry.xml` * `files/root/.bash_history` Solution ------------------------------------------------- Contact vendor for a solution Timeline ------------------------------------------------- Date | Status ------------|----------------------------- 19-AUG-2019 | Reported to vendor 22-NOV-2019 | Patch available 24-MAR-2020 | Public disclosure _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists