NetSetManPro 4.7.2 Privilege Escalation

Posted Jun 11, 2021
Authored by Simon Bieber

NetSetManPro version 4.7.2 suffers from a privilege escalation vulnerability.

tags | exploit
advisories | CVE-2021-34546
SHA-256 | e8a3f23fc7f163c05873cbfb945bc19268910c026e3331a239742efa41af0936


Affected Products
NetSetManPro 4.7.2 (other/older releases have not been tested)

References
https://www.secuvera.de/advisories/secuvera-SA-2021-01.txt (used for updates)
CVE-2021-34546 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34546)

Summary:
"NetSetMan is a network settings manager software for easily switching between
your preconfigured profiles."

The save file dialogue in the action log window, shown after switching a
profile using the pre-logon profile switching (if intentionally enabled), leads
to arbitrary command execution as the system authority user, enabling an
unauthenticated attacker to log on.

Effect:
An unauthenticated attacker with physical access to a computer with NetSetMan
Pro 4.7.2 installed, which has the pre-logon profile switch activated (not
enabled by default) as a button within the Windows logon screen, is able to
drop to an administrative shell and execute arbitrary commands as the system
user by using the "save log to file" feature within NetSetMan Pro.

Example:
On a client computer running Microsoft Windows 10 and NetSetMan Pro, an icon
can appear on the Windows lock screen if configured. The following steps must
be performed in order to gain an administrative shell:
1. Boot the client system.
2. Click on the NetSetMan Pro icon.
3. Choose a user-defined (empty) setting.
4. Click on the "save" button (save icon) within the "Log" section of the
   window that appears.
5. Click on "File-Type" and choose "*.*".
6. Navigate to the path "C:\Windows\System32\".
7. Right-click on "cmd.exe" and choose "Run as administrator...".
8. The command prompt that appears has administrative rights.

To be able to bypass authentication, a local user with administrative rights
can be added using the following commands:
a. net user Pentest Password123! /add
b. net localgroup Administrators Pentest /add

Solution:
Update to Version 5.0 or newer (5.0.6 was tested by the researcher).
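
Until hosts are updated, the activity from the Example section can be looked for in process-creation logs. The following detection sketch is an added example, not part of the original advisory; the NetSetMan image name, the install path, and the event field names (modelled on Sysmon Event ID 1) are assumptions, and the sample events are constructed.

```python
import re

# Assumption: image name of the NetSetMan Pro process that shows the pre-logon
# dialog; the advisory does not name it, so adjust to the installed binary.
NSM_IMAGES = {"netsetman.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
SYSTEM_USERS = {"system", "nt authority\\system"}
# Account changes listed in the advisory: "net user <name> <pw> /add" and
# "net localgroup Administrators <name> /add" (net.exe hands off to net1.exe).
NET_ADD = re.compile(r'\bnet1?(\.exe)?"?\s+(user|localgroup)\b.*\s/add\b', re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of findings for one process-creation event (dict)."""
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    user = event.get("user", "").lower()
    findings = []
    if image in SHELLS and parent in NSM_IMAGES:
        findings.append("shell spawned by NetSetMan")
    if user in SYSTEM_USERS and NET_ADD.search(event.get("command_line", "")):
        findings.append("account change as SYSTEM")
    return findings

def scan(events):
    """Return (index, findings) for every event with at least one finding."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]

# Constructed sample events; the NetSetMan install path is made up.
SYS = r"NT AUTHORITY\SYSTEM"
SAMPLE = [
    dict(image=r"C:\Windows\System32\cmd.exe", user=SYS, command_line="cmd.exe",
         parent_image=r"C:\Program Files (x86)\NetSetMan Pro\netsetman.exe"),
    dict(image=r"C:\Windows\System32\net.exe", user=SYS,
         parent_image="cmd.exe", command_line="net user Pentest Password123! /add"),
    dict(image=r"C:\Windows\System32\net1.exe", user=SYS, parent_image="net.exe",
         command_line=r"C:\Windows\System32\net1 localgroup Administrators Pentest /add"),
    dict(image=r"C:\Windows\System32\cmd.exe", user=r"DESKTOP\alice",
         parent_image=r"C:\Windows\explorer.exe", command_line="cmd.exe /c dir"),
    dict(image=r"C:\Windows\System32\net.exe", user=SYS,
         parent_image="services.exe", command_line=r"net use Z: \\srv\share"),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE):
        print(index, findings)
```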

Disclosure Timeline:
2021/05/17 vendor initially contacted, submitted all details.
2021/05/17 vendor replied suggesting vulnerability already fixed
           in newer versions prior to researcher contact
2021/06/02 verified vendor suggested fix using version 5.0.6;
           updated advisory and contacted vendor again; vendor
           suggested edits
2021/06/09 updated advisory and requested CVE identifier
2021/06/10 public disclosure

Credits:
Simon Bieber
sbieber@secuvera.de
secuvera GmbH
https://www.secuvera.de

Disclaimer:
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore secuvera shall
not be liable for any direct or indirect damages that might be
caused by using this information.

This message is signed with my PGP key (Short Key ID 661263A5)
You can download it here:
https://www.secuvera.de/download/simon-bieber-short-key-id-661263a5/