[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] HP SimplePass Local Privilege Escalation

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>, "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "bugs@xxxxxxxxxxxxxxxxxxx" <bugs@xxxxxxxxxxxxxxxxxxx>
Subject: [FD] HP SimplePass Local Privilege Escalation
From: Rehan Ahmed <knight_rehan@xxxxxxxxxxx>
Date: Sat, 20 May 2017 01:39:36 +0000

# Vulnerability Title: HP SimplePass Local Privilege Escalation
# Advisory Release Date: 05/18/2017
# Credit: Discovered By Rehan Ahmed
# Contact: knight_rehan@xxxxxxxxxxx
# Severity Level: Medium
# Type: Local
# Tested Platform: Windows 8 & 10 x64
# Vendor: HP Inc.
# Vendor Site: http://www.hp.com
# Download Link: http://ftp.hp.com/pub/softpaq/sp64001-64500/sp64339.exe
# Vulnerable Version: HP SimplePass 8.00.49, 8.00.57, 8.01.46 
# Vendor Contacted: 04/03/2017
# Vendor Response: 5/18/2017

########################################################################################
Summary:
########################################################################################
HP SimplePass allows you to safely store logon information for your favorite 
websites, and use a single method of authentication for your password-protected 
website accounts. Choose a fingerprint, password or PIN to authenticate your 
identity. Your computer must have at least one password-protected Windows User 
Account to use HP SimplePass.

https://support.hp.com/us-en/document/c03653209

#########################################################################################
Issue Details:
#########################################################################################

HP SimplePass is prone to a local privilege-escalation vulnerability due to 
insecure file system permissions that have been granted during installation. 
Local adversary can exploit this issue to gain elevated privileges on affected 
system.
HP SimplePass installs by default to "C:\Program 
Files\Hewlett-Packard\SimplePass" with very weak folder permissions granting 
any user full permission to the contents of the directory and it's subfolders. 
This allows ample opportunity for code execution against any other user running 
the application. HP SimplePass has few binaries which are typically configured 
as a service or startup program which makes this particularly easy to take 
leverage.
 
##########################################################################################
 
Proof of Concept
##########################################################################################
a) C:\>icacls "C:\Program Files\Hewlett-Packard\SimplePass"

C:\Program Files\Hewlett-Packard\SimplePass Everyone:(F)
                                            Everyone:(OI)(CI)(IO)(F)
                                            BUILTIN\Administrators:(I)(F)
                                            
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\SYSTEM:(I)(F)
                                            NT 
AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\Authenticated 
Users:(I)(M)
                                            NT AUTHORITY\Authenticated 
Users:(I)(OI)(CI)(IO)(M)
                                            BUILTIN\Users:(I)(RX)
                                            BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
  

b) C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" 
| findstr /i "HP SimplePass"

HP SimplePass Cachedrv Service   Cachedrv server   "C:\Program 
Files\Hewlett-Packard\SimplePass\cachesrvr.exe"       Auto
HP SimplePass Service            omniserv           C:\Program 
Files\Hewlett-Packard\SimplePass\OmniServ.exe         Auto

A user can place a malicious DLL/EXE (e.g OmniServ.exe) file with one of the 
expected names into that directory and wait until the service is restarted. The 
service can not be restarted by normal users but an attacker could just reboot 
the system or wait for the next reboot to happen.

###############################################################################################
3) Mitigation:
###############################################################################################
 

Change the permission for dirctory to group other than Administrator on 
Read/Execute.
Fix: 
https://support.hp.com/us-en/drivers/selfservice/hp-envy-m7-n100-notebook-pc/8499292/model/8788306



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: Re: [FD] [oss-security] Multiple crashes in OpenEXR
Next by Date: [FD] Out of bound memory access in PJSIP multipart parser crashes Asterisk
Previous by thread: [FD] CVE-2017-7620 Mantis Bug Tracker 1.3.10 / v2.3.0 CSRF Permalink Injection
Next by thread: [FD] Out of bound memory access in PJSIP multipart parser crashes Asterisk
Index(es):
- Date
- Thread