# Vulnerability Title: HP SimplePass Local Privilege Escalation # Advisory Release Date: 05/18/2017 # Credit: Discovered By Rehan Ahmed # Contact: knight_rehan@hotmail.com # Severity Level: Medium # Type: Local # Tested Platform: Windows 8 & 10 x64 # Vendor: HP Inc. # Vendor Site: http://www.hp.com # Download Link: http://ftp.hp.com/pub/softpaq/sp64001-64500/sp64339.exe # Vulnerable Version: HP SimplePass 8.00.49, 8.00.57, 8.01.46 # Vendor Contacted: 04/03/2017 # Vendor Response: 5/18/2017 ######################################################################################## Summary: ######################################################################################## HP SimplePass allows you to safely store logon information for your favorite websites, and use a single method of authentication for your password-protected website accounts. Choose a fingerprint, password or PIN to authenticate your identity. Your computer must have at least one password-protected Windows User Account to use HP SimplePass. https://support.hp.com/us-en/document/c03653209 ######################################################################################### Issue Details: ######################################################################################### HP SimplePass is prone to a local privilege-escalation vulnerability due to insecure file system permissions that have been granted during installation. Local adversary can exploit this issue to gain elevated privileges on affected system. HP SimplePass installs by default to "C:\Program Files\Hewlett-Packard\SimplePass" with very weak folder permissions granting any user full permission to the contents of the directory and it's subfolders. This allows ample opportunity for code execution against any other user running the application. HP SimplePass has few binaries which are typically configured as a service or startup program which makes this particularly easy to take leverage. ########################################################################################## Proof of Concept ########################################################################################## a) C:\>icacls "C:\Program Files\Hewlett-Packard\SimplePass" C:\Program Files\Hewlett-Packard\SimplePass Everyone:(F) Everyone:(OI)(CI)(IO)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(I)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F) NT AUTHORITY\Authenticated Users:(I)(M) NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M) BUILTIN\Users:(I)(RX) BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE) b) C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i "HP SimplePass" HP SimplePass Cachedrv Service Cachedrv server "C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe" Auto HP SimplePass Service omniserv C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe Auto A user can place a malicious DLL/EXE (e.g OmniServ.exe) file with one of the expected names into that directory and wait until the service is restarted. The service can not be restarted by normal users but an attacker could just reboot the system or wait for the next reboot to happen. ############################################################################################### 3) Mitigation: ############################################################################################### Change the permission for dirctory to group other than Administrator on Read/Execute. Fix: https://support.hp.com/us-en/drivers/selfservice/hp-envy-m7-n100-notebook-pc/8499292/model/8788306