| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Mar 2020 04:55:15 +0400 From: Eldar Marcussen <wireghoul@...il.com> To: fulldisclosure@...lists.org Subject: [FD] HP ThinPro - Application filter bypass HP ThinPro - Application filter bypass =============================================================================== Identifiers ------------------------------------------------- * CVE-2019-16286 CVSSv3 score ------------------------------------------------- 6.1 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) Vendor ------------------------------------------------- HP - [https://www.hp.com](https://www.hp.com) Product ------------------------------------------------- Deliver secure desktop virtualization that’s as comfortable for IT as it is for end users with the stunningly redesigned HP ThinPro. It has a bold new user interface and workflow refinements that make it a breeze to configure, manage, and use right out of the box. Affected versions ------------------------------------------------- - HP ThinPro Linux 7.1 - HP ThinPro Linux 7.0 - HP ThinPro Linux 6.2.1 - HP ThinPro Linux 6.2 Credit ------------------------------------------------- Eldar Marcussen - xen1thLabs - Software Labs Vulnerability summary ------------------------------------------------- The HP ThinPro allows administrators to determine what applications users can run, however attackers can bypass these restrictions to spawn restricted applications and run arbitrary commands on the device. Technical details ------------------------------------------------ There are several paths to exploit this, but the most common path is to find exploit it directly from a `Web Browser` connection, or find a clickable link that will spawn firefox from one of the other connections. Once in firefox the attacker can access preferences to configure which application handles certain filetypes and use this to spawn another application. The list of possible applications is restricted, but it is possible to spawn `/usr/bin/hptc-kiosk` which supports creating custom connections which can run arbitrary commands. Proof of concept ------------------------------------------------- The following evidence is provided to illustrate the existence and exploitation: 1. In a `Web Browser` connection open Firefox's `Preferences` 2. Select the `Applications` section 3. Locate the `Portable Document Format (PDF)` content type and select `Use other` from the drop down menu 4. Navigate to `/usr/bin/hptc-kiosk` and press Open 5. Verify that the PDF handler is set to `Use hptc-kiosk` 6. Open a new tab and type the following in the address bar `data:application/pdf,pwnt!` and press enter 7. Observe that a `Connection manager` window now opens 8. Click on the `+` icon in the bottom right 9. Select `Custom` 10. Enter `xterm` in the textbox for command to run and click Finish 11. Select the newly created connection 12. Click the `->` icon in the bottom left corner 13. Observe xterm spawning Solution ------------------------------------------------- Contact vendor for a solution Timeline ------------------------------------------------- Date | Status ------------|----------------------------- 19-AUG-2019 | Reported to vendor 22-NOV-2019 | Patch available 24-MAR-2020 | Public disclosure _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists