Pronestor Health Monitoring Privilege Escalation

Pronestor Health Monitoring Privilege Escalation: Posted Jun 13, 2019; Authored by Povlteksttv; Pronestor Health Monitoring versions prior to 8.1.12.0 suffer from a local privilege escalation vulnerability due to weak file permissions.; tags | exploit, local; advisories | CVE-2018-19113; SHA-256 | 5fb108d74a47651cbd865931fade07060bf203cfadce38d2fcda5b7c3c61b908; Download | Favorite | View

Pronestor Health Monitoring Privilege Escalation

[Summary]
The Pronestor service "PNHM" (aka Health Monitoring or HealthMonitor) 
before 8.1.12.0 has "BUILTIN\Users:(I)(F)" permissions for 
the "%PROGRAMFILES(X86)%\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe" file, 
which allows local users to gain privileges via a Trojan horse PronestorHealthMonitor.exe file.

During the installation of Pronestors Outlook-Add-In (version 8.1.11.0 
and older) the installer creates a service named PNHM (Pronester 
Health Monitoring) with weak file permission running as SYSTEM.
The vulnerability allows all "Authenticated Users" to potentially 
execute arbitrary code as SYSTEM on the local system.

[Additional Information]
Tested on Windows 7.
Version: Outlook Add-In 8.1.11.0 and older
Also tested on version 5.1.6.0 with same result.
Discovered: 06-nov-2018
Reported: 07-nov-2018

Vendor: https://www.pronestor.com/
Vendor confirmed: True
Fixed: Version 8.1.12.0
Attack Type: Local Privilege Escalation
Vulnerability due to: Insecure Permissions
Discoverer: PovlTekstTV
CVE: 2018-19113
Original link: https://gist.github.com/povlteksttv/8f990e11576e1e90e8fb61acf8646d28

[Proof]
C:\Users\povltekst>sc qc PNHM

SERVICE_NAME: PNHM
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Pronestor HealthMonitor
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\povltekst>icacls 'C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe'
C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe
         BUILTIN\Users:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         BUILTIN\Administrators:(I)(F)

Notice: "BUILIN\Users:(I)(F)". (F) = Full access!
This means that an authenticated user can change the file

[Attack Vectors]
Replace the file "PronestorHealthMonitor.exe" with a malicious file 
also called "PronesterHealthMonitor.exe". Next time the service (PNHM) 
starts, the malicious file will get executed as SYSTEM. The service 
starts on every reboot.

[Affected Component]
PronestorHealthMonitor.exe
This exe will be executed on every reboot by a service named PNHM running as SYSTEM.

Top Authors In Last 30 Days

Red Hat 275 files
indoushka 177 files
Jay Turla 150 files
Ubuntu 77 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Gentoo 25 files
Karn Ganeshen 23 files

File Archives

Systems

AIX (430)
Apple (2,115)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,125)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,592)
HPUX (881)
iOS (390)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,327)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,893)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,867)
UNIX (9,458)
UnixWare (188)
Windows (6,772)
Other

Pronestor Health Monitoring Privilege Escalation

Pronestor Health Monitoring Privilege Escalation

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Pronestor Health Monitoring Privilege Escalation

Share This

Pronestor Health Monitoring Privilege Escalation

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems