During a recent Red Team operation we were asked to attempt the takeover of a domain controller in a Windows network. After wandering around the LAN for a while, we got stuck inside a machine where we could see a domain admin with an open session (BloodHound’s power), but our low privileges did not allow us to dump the memory of LSASS to retrieve the credentials and play our usual (in these cases) impersonation tricks.

Like most of the other systems in the network, on this compromised machine a low-privileged user could install software on demand via Microsoft System Center Configuration Manager. However, after a quick check, we noticed that all software distributed through SCCM came in the latest available versions. Amongst the various applications, there were some whose installation could be started by an unprivileged user but, at the end of the process, left at least one component running in privileged mode. One such application was Plantronics HUB.

Poly (annual revenue 1.2 USD billion) is the company behind the Plantronics brand, producing audio devices for the business and consumer segments. Their software, Plantronics HUB, allows end users to customize the settings and view the status of the audio devices plugged into a system.

After its installation a new service called “SpokesUpdateService.exe” shows up in the system. It is part of Plantronics HUB and runs as “NT_AUTHORITY\SYSTEM”. The service continuously polls the filesystem for a file named “C:\ProgramData\Plantronics\Spokes3G\nfig”. If the file is found, some processing happens. As the content of the folder “C:\ProgramData\Plantronics\Spokes3G\” can be modified by any unprivileged user in the system, it is possible to create a symlink between “C:\ProgramData\Plantronics\Spokes3G\nfig” and an arbitrary file located elsewhere in the filesystem, by means of the utility “CreateSymlink.exe” (part of the Google symboliclink testing tools). This condition allows the deletion of arbitrary files.

Arbitrary File delete: exploitation steps

Let’s assume an unprivileged user wants to delete the file “c:\windows\system32\license.rtf”. Of course it resides inside “c:\windows\system32”, so a user couldn’t erase it under normal conditions. First let’s verify the file is actually there:

C:\Users\redteam\Desktop> dir c:\windows\system32\license.rtf

With “ ” being the name of the currently logged-in unprivileged user and “ ”… well, you guessed it!

Since CVE-2019-15742 a check has been introduced in Plantronics HUB to verify that “ ” is a validly signed file. So it is no longer possible to provide an arbitrary resource to execute. As is evident from the procmon screenshot above, the “ ” we specified inside “nfig” points to the file “WMIProviderInstaller.msi”. Indeed we confirmed that if the binary carries a valid signature, it is eventually executed with the rights of “NT_AUTHORITY\SYSTEM”. There is nothing special about this resource, except that it is one of the binaries released by the vendor itself, downloadable from the Poly website, and it embeds a signature Plantronics HUB recognizes as valid. Once it passes the validity check, the “WMIProviderInstaller” MSI package is installed by means of “msiexec.exe”.

What does that mean? It means there is a TOCTOU vulnerability here. Such behaviour can be exploited 100% reliably using an exclusive oplock through the “SetOpLock” utility of the Google symboliclink testing toolkit. The idea is to replace “WMIProviderInstaller.msi” with an arbitrary binary after its signature has been validated but before msiexec executes it.

Ok, our initial stance in the target system where the Plantronics HUB application has been installed is the following.

…and copied both of them inside the same directory, as shown below:

Here “evil.msi” is a simple compiled C file that, when executed, opens a “cmd.exe” prompt via “system()”. It is finally packed as an MSI binary.

At this point an exclusive oplock is set for “msiexec.exe”:

Then the file “nfig” is created inside “C:\ProgramData\Plantronics\Spokes3G” with the value “ ” pointing to the filesystem location where “WMIProviderInstaller.msi” has been stored. Now “evil.msi” can be manually renamed as “WMIProviderInstaller.msi”. The oplock is finally released by pressing ENTER inside the SetOpLock window and a privileged command prompt opens in the blink of an eye:

Additionally the file “nfig” has been deleted from the filesystem, as part of the normal data processing path of the application.

We started from a DoS and ended up achieving EoP. Affected versions of Plantronics HUB include the latest available at the moment of writing (3.21). Marco Ortisi has created an automated PoC. Due to the simplicity of this bug, we are not planning to release the code.
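As an added defensive illustration of the arbitrary file delete described above (not code from the post, nor from Plantronics), the check a SYSTEM service should make before deleting a file that lives in a user-writable directory such as Spokes3G: refuse to follow a symlink or reparse point anywhere between the directory it owns and the file. The names safe_delete, is_link and the demo paths are assumptions, and the scenario is constructed in a temporary directory.

```python
import os
import stat
import tempfile

FILE_ATTRIBUTE_REPARSE_POINT = 0x400  # Windows: set on symlinks, junctions, mount points

def is_link(path):
    """True if `path` itself (not its target) is a symlink or Windows reparse point."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    # st_file_attributes is only present on Windows builds of CPython
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)

def safe_delete(path, allowed_root):
    """Delete `path` only if it sits below `allowed_root` and no component between
    the root and the file is a link. Returns True on delete, False on refusal."""
    root = os.path.abspath(allowed_root)
    target = os.path.abspath(path)
    if target == root or os.path.commonpath([root, target]) != root:
        return False  # outside the directory the service owns
    current = root
    for part in os.path.relpath(target, root).split(os.sep):
        current = os.path.join(current, part)
        # a junction or symlink anywhere on the way redirects the final delete
        if not os.path.lexists(current) or is_link(current):
            return False
    os.remove(target)
    return True

def demo():
    """Constructed scenario: a link inside the service directory pointing at a file
    the unprivileged user must not be able to remove."""
    work = tempfile.mkdtemp()
    spokes = os.path.join(work, "Spokes3G")
    os.mkdir(spokes)
    protected = os.path.join(work, "license.rtf")
    open(protected, "w").close()
    link = os.path.join(spokes, "config")
    os.symlink(protected, link)
    plain = os.path.join(spokes, "plain.cfg")
    open(plain, "w").close()
    return {
        "link_refused": safe_delete(link, spokes) is False,
        "protected_survives": os.path.exists(protected),
        "plain_deleted": safe_delete(plain, spokes) and not os.path.exists(plain),
        "outside_refused": safe_delete(protected, spokes) is False,
    }
```

A window still exists between the check and os.remove; the robust Windows form opens the file with FILE_FLAG_OPEN_REPARSE_POINT and sets the delete disposition on that handle, so the check and the delete act on the same object.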
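As an added example, not the post's or the vendor's code, the verify-then-use pattern behind the TOCTOU described above beside the hardened form: copying the package into a private staging directory before validating and executing it. The hash-based signature_is_valid stand-in for Authenticode, the function names and the constructed package contents are assumptions.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed stand-in for Authenticode: a package counts as "signed" when its
# SHA-256 equals the vendor digest. The real service would call WinVerifyTrust.
VENDOR_DIGEST = hashlib.sha256(b"vendor-signed WMIProviderInstaller.msi").hexdigest()
def signature_is_valid(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest() == VENDOR_DIGEST
def install_vulnerable(msi_path, run, between=lambda: None):
    # Verify-then-use on a user-writable path: the window after the check is what the oplock holds open
    if not signature_is_valid(msi_path):
        return None
    between()  # time elapsed before msiexec actually opens the file
    return run(msi_path)

def install_hardened(msi_path, run, between=lambda: None):
    # Copy first into a staging dir only the service can write (mkdtemp gives 0700; on Windows ACL it to SYSTEM)
    staging = tempfile.mkdtemp()
    private = os.path.join(staging, "package.msi")
    try:
        shutil.copyfile(msi_path, private)
        if not signature_is_valid(private):
            return None
        between()  # the original may change now; the private copy cannot
        return run(private)
    finally:
        shutil.rmtree(staging, ignore_errors=True)

def demo():
    """Constructed scenario: package content replaced after the signature check."""
    work = tempfile.mkdtemp()
    pkg = os.path.join(work, "WMIProviderInstaller.msi")
    def write(data):
        with open(pkg, "wb") as f:
            f.write(data)
    def run(path):  # stands in for msiexec: returns what it would execute
        with open(path, "rb") as f:
            return f.read()
    swap = lambda: write(b"unsigned replacement")
    write(b"vendor-signed WMIProviderInstaller.msi")
    vulnerable = install_vulnerable(pkg, run, swap)
    write(b"vendor-signed WMIProviderInstaller.msi")
    hardened = install_hardened(pkg, run, swap)
    write(b"unsigned replacement")
    rejected = install_hardened(pkg, run) is None
    shutil.rmtree(work, ignore_errors=True)
    return {"vulnerable": vulnerable, "hardened": hardened, "rejected": rejected}
```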