[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

HP TouchSmart Calendar 4.1.4245 - Insecure File Permissions Privilege Escalation Vulnerability

Author
hyp3rlinx
Risk
[
Security Risk High
]
0day-ID
0day-ID-26148
Category
local exploits
Date add
27-10-2016
Platform
windows
[+] Credits: John Page aka hyp3rlinx
 
 
 
Vendor:
==========
www.hp.com
 
 
 
Product:
===========================================
Hewlett Packard TouchSmart Calendar Service
File version : 4.1.4245
 
HP TouchSmart Calendar is a shared calendar where you can manage your family’s schedule. You can also view scheduled events for today
and tomorrow, e-mail calendar events with Google mail, and print your schedule.
 
 
 
Vulnerability Type:
=====================
Privilege Escalation
 
 
 
CVE Reference:
==============
N/A
 
 
 
Vulnerability Details:
=====================
 
HP Calendar Service uses weak insecure permissions settings on its files/directory as the “Everyone” group has full access on it.
Allowing low privileged users to execute arbitrary code in the security context of ANY other users with elevated privileges
on the affected system.
 
Any user (even guest) will be able to replace, modify or change the file. This would allow an attacker the ability to inject code
or replace the "HPTouchSmartSyncCalReminderApp.exe" executable and have it run in the context of the system.
 
 
Proof... 
 
c:\Windows\System32>sc query "HP Support Assistant Service"
 
SERVICE_NAME: HP Support Assistant Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
 
c:\>cacls "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service"
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service Everyone:(OI)(CI)F
                                                                   NT AUTHORITY\SYSTEM:(OI)(CI)F
 
 
 
Disclosure Timeline:
======================================
Vendor Notification:  October 14, 2016
Vendor response: Product past warranty support
October 26, 2016 : Public Disclosure

#  0day.today [2024-12-25]  #