| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Mar 2020 04:57:04 +0400 From: Eldar Marcussen <wireghoul@...il.com> To: fulldisclosure@...lists.org Subject: [FD] HP ThinPro - Privileged command injection HP ThinPro - Privileged command injection =============================================================================== Identifiers ------------------------------------------------- * CVE-2019-18910 CVSSv3 score ------------------------------------------------- 7.6 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) Vendor ------------------------------------------------- HP - [https://www.hp.com](https://www.hp.com) Product ------------------------------------------------- Deliver secure desktop virtualization that’s as comfortable for IT as it is for end users with the stunningly redesigned HP ThinPro. It has a bold new user interface and workflow refinements that make it a breeze to configure, manage, and use right out of the box. Affected versions ------------------------------------------------- - HP ThinPro Linux 7.1 - HP ThinPro Linux 7.0 - HP ThinPro Linux 6.2.1 - HP ThinPro Linux 6.2 Credit ------------------------------------------------- Eldar Marcussen - xen1thLabs - Software Labs Vulnerability summary ------------------------------------------------- The VPN software does not safely handle user supplied input, it is therefore possible for an attacker to inject arbitrary commands that will be executed with root privileges on the device. Technical details ------------------------------------------------ The `Gateway` connection setting for PPTP VPN connections is not safely handled, a local user can use the `hptc-network-mgr` application to inject commands into the VPN connection process and have these commands executed with root privileges on the device. Proof of concept ------------------------------------------------- The following evidence is provided to illustrate the existence and exploitation: 1. Launch `hptc-network-mgr` 2. Select the VPN tab 3. Set connection type to `PPTP` 4. Enter the following values: * Gateway: `;xterm;echo` * NT Domain: pwnt * User name: pwnt * User password: pwnt 5. Click OK 6. Click on the network icon on the statusbar 7. Click `Connect VPN` 8. Observe that a xterm spawns as root Solution ------------------------------------------------- Contact vendor for a solution Timeline ------------------------------------------------- Date | Status ------------|----------------------------- 19-AUG-2019 | Reported to vendor 22-NOV-2019 | Patch available 24-MAR-2020 | Public disclosure _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists