
List:       full-disclosure
Subject:    [FD] HP SimplePass Local Privilege Escalation
From:       Rehan Ahmed <knight_rehan () hotmail ! com>
Date:       2017-05-20 1:39:36
Message-ID: CY1PR11MB0683F3ACC3A233164313F5FBF7FA0 () CY1PR11MB0683 ! namprd11 ! prod ! outlook ! com


# Vulnerability Title: HP SimplePass Local Privilege Escalation
# Advisory Release Date: 05/18/2017
# Credit: Discovered By Rehan Ahmed
# Contact: knight_rehan@hotmail.com
# Severity Level: Medium
# Type: Local
# Tested Platform: Windows 8 & 10 x64
# Vendor: HP Inc.
# Vendor Site: http://www.hp.com
# Download Link: http://ftp.hp.com/pub/softpaq/sp64001-64500/sp64339.exe
# Vulnerable Version: HP SimplePass 8.00.49, 8.00.57, 8.01.46

# Vendor Contacted: 04/03/2017
# Vendor Response: 5/18/2017

########################################################################################
Summary:
########################################################################################
HP SimplePass allows you to safely store logon information for your favorite websites, and use a single method of authentication for your password-protected website accounts. Choose a fingerprint, password or PIN to authenticate your identity. Your computer must have at least one password-protected Windows User Account to use HP SimplePass.

https://support.hp.com/us-en/document/c03653209

########################################################################################
Issue Details:
########################################################################################

HP SimplePass is prone to a local privilege-escalation vulnerability due to insecure file system permissions granted during installation. A local adversary can exploit this issue to gain elevated privileges on the affected system.

HP SimplePass installs by default to "C:\Program Files\Hewlett-Packard\SimplePass" with very weak folder permissions, granting any user full control over the contents of the directory and its subfolders. This allows ample opportunity for code execution against any other user running the application. HP SimplePass has a few binaries which are typically configured as a service or startup program, which makes this particularly easy to leverage.

########################################################################################
Proof of Concept
########################################################################################
a) C:\>icacls "C:\Program Files\Hewlett-Packard\SimplePass"

C:\Program Files\Hewlett-Packard\SimplePass Everyone:(F)
                                            Everyone:(OI)(CI)(IO)(F)
                                            BUILTIN\Administrators:(I)(F)
                                            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\SYSTEM:(I)(F)
                                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\Authenticated Users:(I)(M)
                                            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
                                            BUILTIN\Users:(I)(RX)
                                            BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)



b) C:\>wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i "HP SimplePass"

HP SimplePass Cachedrv Service   Cachedrv server   "C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe"   Auto
HP SimplePass Service            omniserv          C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe       Auto

A user can place a malicious DLL/EXE file (e.g. OmniServ.exe) with one of the expected names into that directory and wait until the service is restarted. The service cannot be restarted by normal users, but an attacker could just reboot the system or wait for the next reboot to happen.

########################################################################################
3) Mitigation:
########################################################################################

Change the permissions on the directory so that groups other than Administrators are limited to Read/Execute.
Fix: https://support.hp.com/us-en/drivers/selfservice/hp-envy-m7-n100-notebook-pc/8499292/model/8788306
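The following script is an added example written for this page; it is not code from the advisory or from HP. It generalises steps a) and b) of the proof of concept into an audit: every auto-start Win32 service is enumerated, the parent directory of its binary is checked for Allow ACEs that give Everyone, Users, Authenticated Users or INTERACTIVE any write, delete or ownership bit (inherited and generic-right entries included), and each finding is reported. With -Fix it applies an ACL modelled on the mitigation above (SYSTEM and Administrators full control, Users Read/Execute); that ACL, the principal list, the path-parsing regex and the script name are assumptions, not the vendor's fix.

```powershell
<#
Audit-ServiceDirAcl.ps1 (hypothetical name): report auto-start services whose
binary lives in a directory that low-privilege principals can write to.
Usage from an elevated prompt:
    .\Audit-ServiceDirAcl.ps1          # report only
    .\Audit-ServiceDirAcl.ps1 -Fix     # also reset the ACL on each weak directory
#>
[CmdletBinding()]
param(
    [switch]$Fix   # assumed remediation modelled on the advisory's advice, not HP's patch
)

# Principals that must never be able to write into a service's install directory.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Access-mask bits that let a caller plant, replace or remove files:
# WriteData/CreateFiles 0x2, AppendData/CreateDirectories 0x4,
# DeleteSubdirectoriesAndFiles 0x40, Delete 0x10000, WriteDac 0x40000,
# WriteOwner 0x80000, plus GENERIC_ALL 0x10000000 and GENERIC_WRITE 0x40000000
# (generic bits show up in inherit-only ACEs, like the (GR,GE) entry above).
$WritableMask = 0x500D0046

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Handles quoted paths, unquoted paths containing spaces (as OmniServ.exe above)
    # and trailing arguments; returns $null when no .exe can be identified.
    if ($PathName -match '^\s*"?(?<exe>[^"]+?\.exe)') { return $Matches['exe'] }
    return $null
}

function Test-WritableByLowPriv {
    param([string]$Directory)
    # Emits the Allow ACEs on $Directory that give a low-privilege principal
    # any bit in $WritableMask, inherited entries included.
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $raw = [int]$ace.FileSystemRights        # raw mask, including undefined generic bits
        if (($raw -band $WritableMask) -ne 0) { $ace }
    }
}

$findings = foreach ($svc in Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto') {
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe) { continue }
    $dir = Split-Path -Parent $exe
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    try { $weak = @(Test-WritableByLowPriv $dir) } catch { continue }   # ACL not readable
    foreach ($ace in $weak) {
        [pscustomobject]@{
            Service   = $svc.Name
            Binary    = $exe
            Directory = $dir
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Format-Table -AutoSize

if ($Fix -and $findings) {
    foreach ($dir in ($findings.Directory | Sort-Object -Unique)) {
        # Replace the directory ACL: SYSTEM and Administrators keep full control,
        # Users (and so everyone else) drop to Read/Execute, as the mitigation advises.
        icacls "$dir" /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
            'BUILTIN\Administrators:(OI)(CI)F' 'BUILTIN\Users:(OI)(CI)RX' | Out-Null
        # Make existing children inherit the corrected ACL instead of keeping their own.
        icacls "$dir\*" /reset /T /C | Out-Null
        Write-Host "Reset ACL on $dir"
    }
}
```

The report-only mode needs nothing more than read access to the directories, so it is also a reasonable periodic check on fleet machines; the -Fix path rewrites ACLs and must run elevated. Because the check works on the raw access mask rather than on the enum names, an inherit-only ACE carrying GENERIC_WRITE is caught even though Get-Acl prints it as a bare number.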



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/