lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAFz4UQ8VmgMSoZ7Sy3oLCC8_ReY-+xTZp4B7NO5-ZDaCNqq8Pw@mail.gmail.com> Date: Tue, 24 Mar 2020 04:55:58 +0400 From: Eldar Marcussen <wireghoul@...il.com> To: fulldisclosure@...lists.org Subject: [FD] HP ThinPro - Privilege escalation HP ThinPro - Privilege escalation =============================================================================== Identifiers ------------------------------------------------- * CVE-2019-16287 CVSSv3 score ------------------------------------------------- 6.1 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) Vendor ------------------------------------------------- HP - [https://www.hp.com](https://www.hp.com) Product ------------------------------------------------- Deliver secure desktop virtualization that’s as comfortable for IT as it is for end users with the stunningly redesigned HP ThinPro. It has a bold new user interface and workflow refinements that make it a breeze to configure, manage, and use right out of the box. Affected versions ------------------------------------------------- - HP ThinPro Linux 7.1 - HP ThinPro Linux 7.0 - HP ThinPro Linux 6.2.1 - HP ThinPro Linux 6.2 Credit ------------------------------------------------- Eldar Marcussen - xen1thLabs - Software Labs Vulnerability summary ------------------------------------------------- The ThinPro platform relies on the presence of a file to determine if it is operating in Administrative or User mode. An unauthenticated attacker can leverage functionality in privileged processes to create this file which enables adminstrative access to the device. Technical details ------------------------------------------------ An attacker can use features of applications that are running with privileges by default to create the administrative flag file `/var/run/hptc-admin` which enables the administrative options in the user interface. The attacker can then simply start a a terminal session with root privileges from the start menu. Proof of concept ------------------------------------------------- The following evidence is provided to illustrate the existence and exploitation: 1. From the start menu select Control panel 2. Open the Hardware section 3. CLick on printers 4. In the new printers window press F1 5. Click Forward 6. Select `Not listed` and then click Forward 7. Click Forward 8. Select `Not listed` and then click Forward 9. Click forward 10. Click save 11. Replace `troubleshoot.txt` with `/var/run/hptc-admin` as the file name 12. Click save 13. Observe the red desktop border indicating adminstrative operation mode 14. From the start menu, select Tools -> X terminal 15. Observe X terminal spawning with root privileges Solution ------------------------------------------------- Contact vendor for a solution Timeline ------------------------------------------------- Date | Status ------------|----------------------------- 19-AUG-2019 | Reported to vendor 22-NOV-2019 | Patch available 24-MAR-2020 | Public disclosure _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists