HP System Event Utility / Privilege Escalation Vulnerability

2020.02.12
us hyp3rlinx (US) us
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-20


CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/HP-SYSTEM-EVENT-UTILITY-LOCAL-PRIVILEGE-ESCALATION.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] www.hp.com [Product] HP System Event Utility The genuine HPMSGSVC.exe file is a software component of HP System Event Utility by HP Inc. HP System Event Utility enables the functioning of special function keys on select HP devices. [Vulnerability Type] Local Privilege Escalation [CVE Reference] CVE-2019-18915 [Security Issue] The HP System Event service "HPMSGSVC.exe" will load an arbitrary EXE and execute it with SYSTEM integrity. HPMSGSVC.exe runs a background process that delivers push notifications. The problem is that HP Message Service will load and execute any arbitrary executable named "Program.exe" if found in the users c:\ drive. Path: C:\Program Files (x86)\HP\HP System Event\SmrtAdptr.exe Two Handles are inherit, properties are Write/Read Name: \Device\ConDrv This results in arbitrary code execution persistence mechanism if an attacker can place an EXE in this location and can be used to escalate privileges from Admin to SYSTEM. HP has/is released/releasing a mitigation: https://support.hp.com/us-en/document/c06559359 [References] PSR-2019-0204 https://support.hp.com/us-en/document/c06559359 [Network Access] Local [Disclosure Timeline] Vendor Notification: October 7, 2019 HP PSRT "product team will address the issue in next release" : January 13, 2020 HP advisory and mitigation release : February 10, 2020 February 11, 2020 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top