Date: Tue, 24 Mar 2020 04:54:38 +0400
From: Eldar Marcussen <>
Subject: [FD] HP ThinPro - Information disclosure

HP ThinPro - Information disclosure

* CVE-2019-16285

CVSSv3 score
6.1 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

HP

Deliver secure desktop virtualization that’s as comfortable for IT as it is
for end users with the stunningly redesigned HP ThinPro. It has a bold new
user interface and workflow refinements that make it a breeze to configure,
manage, and use right out of the box.

Affected versions
 - HP ThinPro Linux 7.1
 - HP ThinPro Linux 7.0
 - HP ThinPro Linux 6.2.1
 - HP ThinPro Linux 6.2

Eldar Marcussen - xen1thLabs - Software Labs

Vulnerability summary
If the thin client is configured with `local user must login` then an
unauthenticated attacker with physical access to the thin client can
extract sensitive information onto a USB drive. This information could then
lead to the attacker gaining administrative access to this device and
others on the network.

Technical details
An attacker can use the `generate diagnostic` feature under the `system
logs` tab of the `system information` window to generate a tarball of
sensitive files, such as the `/root` directory including `.bash_history`,
the `registry.xml` file from `/writeable/tmp` and `shadow-` from `/etc`.
These files can be found under their relative paths under the `files/`
directory in the generated `Diagnostic.tgz`.

Proof of concept
The following evidence is provided to illustrate the existence and

1. Insert USB drive
2. At the login screen press the wrench icon on the login window
3. Press the `i` icon
4. Select the `System Logs` tab
5. Select `Trace` in the dropdown for the Debug level
6. Click the `Diagnostic` button to generate the `Diagnostic.tgz` file
7. Save file to drive
8. On a different computer extract the file
9. Observe the presence and content of the following files:
  * `files/etc/shadow-`
  * `files/writeable/tmp/registry.xml`
  * `files/root/.bash_history`
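
The technical details above and proof-of-concept steps 8 and 9 both come down to inspecting a `Diagnostic.tgz` for the sensitive paths the advisory names. The following Python script is an added example (not part of this advisory and not HP's code) of doing that inspection programmatically, as an administrator or vendor QA would before a diagnostic bundle leaves the device: it walks the archive without extracting it to disk, flags members matching the advisory's paths, and for a shadow file reports which accounts carry a real password hash rather than a locked entry. The sample archive is constructed in memory; the extra patterns for `.ssh` and home-directory history files are assumptions added for generality, not findings from the advisory.

```python
import io
import posixpath
import tarfile
from fnmatch import fnmatchcase

# Member paths inside a ThinPro Diagnostic.tgz that the advisory names as
# sensitive, plus two generic patterns (assumed here, not from the advisory).
SENSITIVE_PATTERNS = (
    "files/etc/shadow",                 # current shadow file
    "files/etc/shadow-",                # backup shadow file named in the advisory
    "files/writeable/tmp/registry.xml", # named in the advisory
    "files/root/.bash_history",         # named in the advisory
    "files/root/.ssh/*",                # assumed pattern
    "files/home/*/.bash_history",       # assumed pattern
)


def normalize(member_name: str) -> str:
    """Collapse './' prefixes and leading slashes so patterns match reliably."""
    return posixpath.normpath(member_name).lstrip("/")


def is_sensitive(member_name: str) -> bool:
    """True if a tar member path matches one of the known sensitive locations."""
    name = normalize(member_name)
    return any(fnmatchcase(name, pat) for pat in SENSITIVE_PATTERNS)


def accounts_with_hashes(shadow_text: str) -> list:
    """Return account names from shadow(5)-style text whose password field
    holds a hash, i.e. is non-empty and not locked with '!' or '*'."""
    names = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw and not pw.startswith(("!", "*")):
            names.append(user)
    return names


def audit_diagnostic_archive(archive_bytes: bytes) -> dict:
    """Scan a gzip-compressed tar archive held in memory and report members
    that match SENSITIVE_PATTERNS. Nothing is written to disk."""
    findings = []
    total = 0
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            total += 1
            if not member.isfile() or not is_sensitive(member.name):
                continue
            name = normalize(member.name)
            entry = {"name": name, "size": member.size}
            # For a shadow file, say how many accounts would actually be exposed.
            if posixpath.basename(name).startswith("shadow"):
                data = tar.extractfile(member).read().decode("utf-8", "replace")
                entry["accounts_with_hashes"] = accounts_with_hashes(data)
            findings.append(entry)
    return {"total": total, "sensitive": findings}


def build_sample_archive() -> bytes:
    """Construct an in-memory archive with the layout the advisory describes.
    All contents are constructed sample data, not a real ThinPro bundle."""
    contents = {
        "files/etc/shadow-": (
            "root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:18000:0:99999:7:::\n"
            "daemon:*:18000:0:99999:7:::\n"
            "user:!:18000:0:99999:7:::\n"
        ),
        "files/writeable/tmp/registry.xml": "<registry><key name='sample'/></registry>\n",
        "files/root/.bash_history": "ls /writeable\n",
        "files/var/log/messages": "Mar 24 04:54:38 thinclient kernel: sample log line\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in contents.items():
            data = text.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_diagnostic_archive(build_sample_archive())
    print(f"{len(report['sensitive'])} of {report['total']} members are sensitive:")
    for finding in report["sensitive"]:
        print(" ", finding)
```

Run against a real bundle with `audit_diagnostic_archive(open("Diagnostic.tgz", "rb").read())`. The script reads members through `extractfile` rather than `extractall`, so a crafted archive cannot write outside the working directory, and the hash check distinguishes a leaked `shadow-` that exposes usable hashes from one whose accounts are all locked.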

Contact vendor for a solution

Date        | Status
19-AUG-2019 | Reported to vendor
22-NOV-2019 | Patch available
24-MAR-2020 | Public disclosure

Sent through the Full Disclosure mailing list