[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] PC-Doctor Toolbox before 7.3 has an Uncontrolled Search Path Element
- To: <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] PC-Doctor Toolbox before 7.3 has an Uncontrolled Search Path Element
- From: Micah Wiseley <micah@xxxxxxxxxxxxx>
- Date: Wed, 19 Jun 2019 05:04:38 -0700 (PDT)
Full Disclosure
I. VULNERABILITY
-------------------------
Uncontrolled search path element vulnerability in PC-Doctor Toolbox prior
to version 7.3 allows local users to gain privileges and conduct DLL
hijacking attacks via a trojan horse DLL located in an unsecured directory
which has been added to the PATH environment variable.
II. CVE REFERENCE
-------------------------
CVE-2019-12280
III. VENDOR
-------------------------
PC-Doctor, Inc.
IV. Affected Products
-------------------------
PC-Doctor Toolbox for Windows
Also re-branded as:
CORSAIR ONE Diagnostics
CORSAIR Diagnostics
Staples EasyTech Diagnostics
Tobii I-Series Diagnostic Tool
Tobii Dynavox Diagnostic Tool
V. TIMELINE
-------------------------
May 03, 2019 Vulnerability reported to PC-Doctor, Inc.
May 04, 2019 Vulnerability confirmed by PC-Doctor, Inc.
May 17, 2019 PC-Doctor, Inc. identified additional attack vectors in third
party dependencies.
June 11, 2019 PC-Doctor Toolbox for Windows 7.3 released to OEM customers
for testing.
June 12, 2019 PC-Doctor Toolbox for Windows 7.3 released to retail
end-users.
June 19, 2019 Disclosure published.
VI. CREDIT
-------------------------
Peleg Hadar from SafeBreach, Inc.
VII. SOLUTION
-------------------------
Upgrade to version 7.3 of PC-Doctor Toolbox (or re-branded products)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/