HP ThinPro - Privilege escalation =============================================================================== Identifiers ------------------------------------------------- * CVE-2019-16287 CVSSv3 score ------------------------------------------------- 6.1 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) Vendor ------------------------------------------------- HP - [https://www.hp.com](https://www.hp.com) Product ------------------------------------------------- Deliver secure desktop virtualization that’s as comfortable for IT as it is for end users with the stunningly redesigned HP ThinPro. It has a bold new user interface and workflow refinements that make it a breeze to configure, manage, and use right out of the box. Affected versions ------------------------------------------------- - HP ThinPro Linux 7.1 - HP ThinPro Linux 7.0 - HP ThinPro Linux 6.2.1 - HP ThinPro Linux 6.2 Credit ------------------------------------------------- Eldar Marcussen - xen1thLabs - Software Labs Vulnerability summary ------------------------------------------------- The ThinPro platform relies on the presence of a file to determine if it is operating in Administrative or User mode. An unauthenticated attacker can leverage functionality in privileged processes to create this file which enables adminstrative access to the device. Technical details ------------------------------------------------ An attacker can use features of applications that are running with privileges by default to create the administrative flag file `/var/run/hptc-admin` which enables the administrative options in the user interface. The attacker can then simply start a a terminal session with root privileges from the start menu. Proof of concept ------------------------------------------------- The following evidence is provided to illustrate the existence and exploitation: 1. From the start menu select Control panel 2. Open the Hardware section 3. CLick on printers 4. In the new printers window press F1 5. Click Forward 6. Select `Not listed` and then click Forward 7. Click Forward 8. Select `Not listed` and then click Forward 9. Click forward 10. Click save 11. Replace `troubleshoot.txt` with `/var/run/hptc-admin` as the file name 12. Click save 13. Observe the red desktop border indicating adminstrative operation mode 14. From the start menu, select Tools -> X terminal 15. Observe X terminal spawning with root privileges Solution ------------------------------------------------- Contact vendor for a solution Timeline ------------------------------------------------- Date | Status ------------|----------------------------- 19-AUG-2019 | Reported to vendor 22-NOV-2019 | Patch available 24-MAR-2020 | Public disclosure