An unauthenticated attacker with physical access to a computer with NetSetMan Pro before 5.0 installed, that has the pre-logon profile switch button within the Windows logon screen enabled, is able to drop to an administrative shell and execute arbitrary commands as SYSTEM via the "save log to file" feature. To accomplish this, the attacker can navigate to cmd.exe.
{"id": "CVE-2021-34546", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-34546", "description": "An unauthenticated attacker with physical access to a computer with NetSetMan Pro before 5.0 installed, that has the pre-logon profile switch button within the Windows logon screen enabled, is able to drop to an administrative shell and execute arbitrary commands as SYSTEM via the \"save log to file\" feature. To accomplish this, the attacker can navigate to cmd.exe.", "published": "2021-06-10T16:15:00", "modified": "2021-06-22T00:52:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 7.2}, "severity": "HIGH", "exploitabilityScore": 3.9, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 0.9, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34546", "reporter": "cve@mitre.org", "references": ["https://www.secuvera.de/advisories/secuvera-SA-2021-01.txt", "https://www.netsetman.com", "https://www.secuvera.de", "http://seclists.org/fulldisclosure/2021/Jun/17", "http://packetstormsecurity.com/files/163097/NetSetManPro-4.7.2-Privilege-Escalation.html"], "cvelist": ["CVE-2021-34546"], "immutableFields": [], "lastseen": 
"2022-03-23T18:43:22", "viewCount": 58, "enchantments": {"dependencies": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:163097"]}, {"type": "zdt", "idList": ["1337DAY-ID-36398"]}], "rev": 4}, "score": {"value": 5.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:163097"]}, {"type": "zdt", "idList": ["1337DAY-ID-36398"]}]}, "exploitation": null, "vulnersScore": 5.3}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-287"], "affectedSoftware": [{"cpeName": "netsetman:netsetman", "version": "5.0", "operator": "lt", "name": "netsetman"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:netsetman:netsetman:5.0:*:*:*:pro:*:*:*", "versionEndExcluding": "5.0", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://www.secuvera.de/advisories/secuvera-SA-2021-01.txt", "name": "https://www.secuvera.de/advisories/secuvera-SA-2021-01.txt", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.netsetman.com", "name": "https://www.netsetman.com", "refsource": "MISC", "tags": ["Vendor Advisory"]}, {"url": "https://www.secuvera.de", "name": "https://www.secuvera.de", "refsource": "MISC", "tags": ["Third Party Advisory"]}, {"url": "http://seclists.org/fulldisclosure/2021/Jun/17", "name": "20210611 secuvera-SA-2021-01: Privilege Escalation in NetSetMan Pro 4.7.2", "refsource": "FULLDISC", "tags": ["Exploit", "Mailing List", "Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/163097/NetSetManPro-4.7.2-Privilege-Escalation.html", "name": "http://packetstormsecurity.com/files/163097/NetSetManPro-4.7.2-Privilege-Escalation.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}
{"zdt": [{"lastseen": "2021-12-27T05:38:17", "description": "", "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 6.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-11T00:00:00", "type": "zdt", "title": "NetSetMan Pro 4.7.2 Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34546"], "modified": "2021-06-11T00:00:00", "id": "1337DAY-ID-36398", "href": "https://0day.today/exploit/description/36398", "sourceData": "NetSetManPro 4.7.2 Privilege Escalation Exploit\n\nAffected Products\n NetSetManPro 4.7.2 (other/older releases have not been tested)\n\nReferences\n https://www.secuvera.de/advisories/secuvera-SA-2021-01.txt (used for \nupdates)\n CVE-2021-34546 \n(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34546)\n\nSummary:\n \"NetSetMan is a network settings manager software for easily \nswitching between\n your preconfigured profiles.\"\n\n The save file dialogue within the action log window after switching a \nprofile\n using the pre-logon profile switching (if intentionaly enabled) leads \nto\n arbitrary command execution as system authority user enabling an \nunauthenticated\n attacker to log 
on.\n\nEffect:\n An unauthenticated attacker with physical access to a computer with \nNetSetMan Pro\n 4.7.2 installed, that has the pre-logon profile switch activated (not \nenabled by\n default) as button withinthe windows logon screen, is able to drop to \nan admin-\n istrative shell and execute arbitrary commands as system user by the \nuse of the\n \"save log to file\" feature within NetSetMan Pro.\n\nExample:\n On a client computer running Microsoft Windows 10 and NetSetMan Pro \nan Icon can\n appear on the Windows lock-screen if configured. The following steps \nmust be per-\n formed in order to gain an administrative shell:\n 1. Boot the client system\n 2. Click on the NetSetMan Pro Icon.\n 3. Choose an user defined (empty) setting.\n 4. Click on the \"save\" button in the appearing Window within the \n\"Log\" section\n (save icon)\n 5. Click on \"File-Type\" and Choose \"*.*\"\n 6. Navigate to path \"C:\\Windows\\System32\\\"\n 7. Right-Click on on \"cmd.exe\" and choose \"Run as administrator...\".\n 8. The appearing command prompt has administrative rights.\n\n To be able to bypass authentication a local user with administrative \nrights can\n be added using the following commands:\n a. net user Pentest Password123! /add\n b. 
net localgroup Administrators Pentest /add\n\nSolution:\n Update to Version 5.0 or newer (5.0.6 was tested by the researcher).\n\nDisclosure Timeline:\n 2021/05/17 vendor initially contacted, submitted all details.\n 2021/05/17 vendor replied suggesting vulnerability already fixed\n in newer versions prior researcher contact\n 2021/06/02 verified vendor suggested fix using version 5.0.6;\n updated advisory and contacted vendor again; vendor\n suggested edits\n 2021/06/09 updated advisory and requested CVE identifier\n 2021/06/10 public disclosure\n", "sourceHref": "https://0day.today/exploit/36398", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-06-11T16:40:06", "description": "", "cvss3": {}, "published": "2021-06-11T00:00:00", "type": "packetstorm", "title": "NetSetManPro 4.7.2 Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-34546"], "modified": "2021-06-11T00:00:00", "id": "PACKETSTORM:163097", "href": "https://packetstormsecurity.com/files/163097/NetSetManPro-4.7.2-Privilege-Escalation.html", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA256 \n \nAffected Products \nNetSetManPro 4.7.2 (other/older releases have not been tested) \n \nReferences \nhttps://www.secuvera.de/advisories/secuvera-SA-2021-01.txt (used for \nupdates) \nCVE-2021-34546 \n(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34546) \n \nSummary: \n\"NetSetMan is a network settings manager software for easily \nswitching between \nyour preconfigured profiles.\" \n \nThe save file dialogue within the action log window after switching a \nprofile \nusing the pre-logon profile switching (if intentionaly enabled) leads \nto \narbitrary command execution as system authority user enabling an \nunauthenticated \nattacker to log on. 
\n \nEffect: \nAn unauthenticated attacker with physical access to a computer with \nNetSetMan Pro \n4.7.2 installed, that has the pre-logon profile switch activated (not \nenabled by \ndefault) as button withinthe windows logon screen, is able to drop to \nan admin- \nistrative shell and execute arbitrary commands as system user by the \nuse of the \n\"save log to file\" feature within NetSetMan Pro. \n \nExample: \nOn a client computer running Microsoft Windows 10 and NetSetMan Pro \nan Icon can \nappear on the Windows lock-screen if configured. The following steps \nmust be per- \nformed in order to gain an administrative shell: \n1. Boot the client system \n2. Click on the NetSetMan Pro Icon. \n3. Choose an user defined (empty) setting. \n4. Click on the \"save\" button in the appearing Window within the \n\"Log\" section \n(save icon) \n5. Click on \"File-Type\" and Choose \"*.*\" \n6. Navigate to path \"C:\\Windows\\System32\\\" \n7. Right-Click on on \"cmd.exe\" and choose \"Run as administrator...\". \n8. The appearing command prompt has administrative rights. \n \nTo be able to bypass authentication a local user with administrative \nrights can \nbe added using the following commands: \na. net user Pentest Password123! /add \nb. net localgroup Administrators Pentest /add \n \nSolution: \nUpdate to Version 5.0 or newer (5.0.6 was tested by the researcher). \n \nDisclosure Timeline: \n2021/05/17 vendor initially contacted, submitted all details. \n2021/05/17 vendor replied suggesting vulnerability already fixed \nin newer versions prior researcher contact \n2021/06/02 verified vendor suggested fix using version 5.0.6; \nupdated advisory and contacted vendor again; vendor \nsuggested edits \n2021/06/09 updated advisory and requested CVE identifier \n2021/06/10 public disclosure \n \nCredits: \nSimon Bieber \nsbieber@secuvera.de \nsecuvera GmbH \nhttps://www.secuvera.de \n \nDisclaimer: \nAll information is provided without warranty. 
The intent is to \nprovide information to secure infrastructure and/or systems, not \nto be able to attack or damage. Therefore secuvera shall \nnot be liable for any direct or indirect damages that might be \ncaused by using this information. \n \nThis message is signed with my PGP key (Short Key ID 661263A5) \nYou can download it here: \nhttps://www.secuvera.de/download/simon-bieber-short-key-id-661263a5/ \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163097/secuvera-SA-2021-01.txt", "cvss": {"score": 0.0, "vector": "NONE"}}]}