
Bomgar Remote Support Local Privilege Escalation

Posted Oct 26, 2017
Authored by Mitch Kucia, Robert Wessen | Site vsecurity.com

Bomgar Remote Support suffers from a local privilege escalation vulnerability. Versions affected include 15.2.x before 15.2.3, 16.1.x before 16.1.5, and 16.2.x before 16.2.4.

tags | advisory, remote, local
advisories | CVE-2017-5996
SHA-256 | 628baf055f0972c1c6fa79f1adf972440b7c5ee8c14fec41ee37efb1bf1f599e

                     Virtual Security Research, LLC.
                        https://www.vsecurity.com/
                            Security Advisory


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Advisory Name: Bomgar Remote Support - Local Privilege Escalation
 Release Date: 2017-10-26
  Application: Bomgar Remote Support
     Versions: 15.2.x before 15.2.3
               16.1.x before 16.1.5
               16.2.x before 16.2.4
     Severity: High/Medium
       Author: Robert Wessen <rwessen (a) vsecurity . com>
       Author: Mitch Kucia <mkucia (a) vsecurity . com>
Vendor Status: Update Released [2]
CVE Candidate: CVE-2017-5996
    Reference: https://www.vsecurity.com/download/advisories/20171026-1.txt

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Product Description
~-----------------~
From Bomgar's website [1]: "The fastest, most secure way for experts to access
and support the systems that need them."


Vulnerability Overview
~--------------------~
In mid-January, VSR identified a privilege escalation vulnerability in the
Bomgar Remote Support application which can be used to escalate from any
unprivileged user to NT AUTHORITY\SYSTEM on Microsoft Windows 7 systems. The
vulnerability originates from an NT AUTHORITY\SYSTEM service being executed
from a folder with excessive permissions. The exploit requires a remote
support agent to log into the affected system.


Vulnerability Details
~-------------------~
The Bomgar Remote Support agent enables remote support personnel to establish
screen sharing, access a command shell, and perform system administration tasks
on machines with the agent installed. The agent, by default, creates a service
as the Windows LocalSystem account and creates a folder at
C:\ProgramData\bomgar-ssc-0xhhhhhhhh (where each h is a hex character). The
agent is also executed from this folder, so the folder is included in the
Windows dynamic library loader search path. The default permissions on the
C:\ProgramData folder allow all users, even unprivileged ones, to append and
write files. These permissions are inherited by sub-directories unless
explicitly overridden. These permissions are not changed during the
installation of the agent, so a DLL planting/hijack is possible.

A Trojan horse with the same name as one of the requested but not present
libraries can be placed inside the C:\ProgramData\bomgar-ssc-0xhhhhhhhh folder
since this folder is writeable by all users. When a remote support person
attempts to connect to the host, the malicious library will be loaded and code
can be executed as NT AUTHORITY\SYSTEM.
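
The folder permission condition described above can be checked on a host with
the following PowerShell audit. This is an added example, not part of the VSR
advisory or Bomgar's software; the function name Get-WeakAgentFolderAce and
the list of "broad" group SIDs are choices made for this example, and the
default C:\ProgramData location is assumed.

```powershell
# Added example (not from the advisory): list ACEs on Bomgar agent folders that
# let broad, low-privileged groups create or append files there.
function Get-WeakAgentFolderAce {
    param(
        [string]$Root    = $env:ProgramData,   # C:\ProgramData by default
        [string]$Pattern = 'bomgar-ssc-0x*'    # folder naming from the advisory
    )

    # Well-known SIDs: Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'

    # WriteData/CreateFiles (0x2), AppendData (0x4), plus the generic bits
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
    $writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    Get-ChildItem -LiteralPath $Root -Directory -Filter $Pattern -Force |
        ForEach-Object {
            $dir = $_.FullName
            $acl = Get-Acl -LiteralPath $dir
            # Explicit and inherited rules, with identities returned as SIDs
            foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                # Inherit-only ACEs do not apply to the folder itself
                if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
                if ($broadSids -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

                [pscustomobject]@{
                    Path      = $dir
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
}

# Any row returned means unprivileged users can write into the agent folder.
Get-WeakAgentFolderAce | Format-Table -AutoSize
```

An empty result on a patched install is the expected outcome; a row with
Inherited set to True indicates the write access comes from C:\ProgramData
rather than from an ACE set on the agent folder itself.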


Versions Affected
~---------------~
The issue was originally discovered in version 16.1.1, although it has likely
existed since at least version 14. All testing was performed exclusively on
Windows 7; however, the vulnerability is suspected to be present on all
supported Windows platforms.


Vendor Response
~-------------~
The following timeline details Bomgar's response to the reported issue:

2017-02-05    VSR contacted Bomgar via several public email addresses to file a
              security report.

2017-02-06    Bomgar replied, VSR provided additional details on the
              vulnerability and Bomgar began internal triage.

2017-02-13    Bomgar confirmed reproduction and indicated a hotfix will be
              available to select customers on 2017-02-17. Patch for all
              customers will be available at a later date.

2017-03-28    Bomgar releases patch in Remote Support versions 15.2.3 [2],
              16.1.5 [3], and 16.2.4 [4].

2017-10-26    VSR advisory released.


Recommendation
~------------~
Upgrade all client installs to the latest version of Bomgar Remote Support
software as soon as possible.


Common Vulnerabilities and Exposures (CVE) Information
~----------------------------------------------------~
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2017-5996 to this issue. This is a candidate for
inclusion in the CVE list (https://cve.mitre.org), which standardizes
names for security problems.


Acknowledgments
~--------------~
Thanks to the Bomgar development team for a prompt response, confirmation, and
patch.


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

References:

1. https://www.bomgar.com/

2. https://www.bomgar.com/support/changelog/remote-support-15-2-3

3. https://www.bomgar.com/support/changelog/remote-support-16-1-5

4. https://www.bomgar.com/support/changelog/remote-support-1624


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety. This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Neither Virtual Security Research, LLC nor
the author accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible
disclosure practices:
  https://www.vsecurity.com/company/disclosure

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    Copyright 2017 Virtual Security Research, LLC. All rights reserved.

