Vulners
Lucene search
Pronestor Health Monitoring Privilege Escalation
| Reporter | Title | Published | Views | Family All 6 |
|---|---|---|---|---|
 | Pronestor Health Monitoring 8.1.11.0 - Privilege Escalation Vulnerability | 13 Jun 201900:00 | – | zdt |
 | CVE-2018-19113 | 1 Apr 201920:09 | – | cve |
 | CVE-2018-19113 | 1 Apr 201920:09 | – | cvelist |
 | EUVD-2018-10826 | 7 Oct 202500:30 | – | euvd |
 | CVE-2018-19113 | 1 Apr 201921:29 | – | nvd |
 | Code injection | 1 Apr 201921:29 | – | prion |
`[Summary]
The Pronestor service "PNHM" (aka Health Monitoring or HealthMonitor)
before 8.1.12.0 has "BUILTIN\Users:(I)(F)" permissions for
the "%PROGRAMFILES(X86)%\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe" file,
which allows local users to gain privileges via a Trojan horse PronestorHealthMonitor.exe file.
During the installation of Pronestors Outlook-Add-In (version 8.1.11.0
and older) the installer creates a service named PNHM (Pronester
Health Monitoring) with weak file permission running as SYSTEM.
The vulnerability allows all "Authenticated Users" to potentially
execute arbitrary code as SYSTEM on the local system.
[Additional Information]
Tested on Windows 7.
Version: Outlook Add-In 8.1.11.0 and older
Also tested on version 5.1.6.0 with same result.
Discovered: 06-nov-2018
Reported: 07-nov-2018
Vendor: https://www.pronestor.com/
Vendor confirmed: True
Fixed: Version 8.1.12.0
Attack Type: Local Privilege Escalation
Vulnerability due to: Insecure Permissions
Discoverer: PovlTekstTV
CVE: 2018-19113
Original link: https://gist.github.com/povlteksttv/8f990e11576e1e90e8fb61acf8646d28
[Proof]
C:\Users\povltekst>sc qc PNHM
SERVICE_NAME: PNHM
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Pronestor HealthMonitor
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\povltekst>icacls 'C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe'
C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe
BUILTIN\Users:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
Notice: "BUILIN\Users:(I)(F)". (F) = Full access!
This means that an authenticated user can change the file
[Attack Vectors]
Replace the file "PronestorHealthMonitor.exe" with a malicious file
also called "PronesterHealthMonitor.exe". Next time the service (PNHM)
starts, the malicious file will get executed as SYSTEM. The service
starts on every reboot.
[Affected Component]
PronestorHealthMonitor.exe
This exe will be executed on every reboot by a service named PNHM running as SYSTEM.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Jun 2019 00:00Current
0.5Low risk
Vulners AI Score0.5
EPSS0.00098