HP ThinPro 6.x / 7.x Filter Bypass

2020-03-25T00:00:00
ID PACKETSTORM:156898
Type packetstorm
Reporter Eldar Marcussen
Modified 2020-03-25T00:00:00

Description

HP ThinPro - Application filter bypass  
===============================================================================  
  
Identifiers  
-------------------------------------------------  
* CVE-2019-16286  
  
CVSSv3 score  
-------------------------------------------------  
6.1 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)  
  
Vendor  
-------------------------------------------------  
HP - [https://www.hp.com](https://www.hp.com)  
  
Product  
-------------------------------------------------  
Deliver secure desktop virtualization that’s as comfortable for IT as it is  
for end users with the stunningly redesigned HP ThinPro. It has a bold new  
user interface and workflow refinements that make it a breeze to configure,  
manage, and use right out of the box.  
  
Affected versions  
-------------------------------------------------  
- HP ThinPro Linux 7.1  
- HP ThinPro Linux 7.0  
- HP ThinPro Linux 6.2.1  
- HP ThinPro Linux 6.2  
  
Credit  
-------------------------------------------------  
Eldar Marcussen - xen1thLabs - Software Labs  
  
Vulnerability summary  
-------------------------------------------------  
HP ThinPro allows administrators to determine which applications users  
can run; however, an attacker can bypass these restrictions to spawn  
restricted applications and run arbitrary commands on the device.  
  
Technical details  
-------------------------------------------------  
There are several paths to exploit this, but the most common is to  
exploit it directly from a `Web Browser` connection, or to find a  
clickable link that will spawn Firefox from one of the other connections.  
Once in Firefox the attacker can open the preferences to configure which  
application handles certain file types and use this to spawn another  
application. The list of possible applications is restricted, but it is  
possible to spawn `/usr/bin/hptc-kiosk`, which supports creating custom  
connections that can run arbitrary commands.  
  
Proof of concept  
-------------------------------------------------  
The following evidence is provided to illustrate the existence and  
exploitation:  
  
1. In a `Web Browser` connection open Firefox's `Preferences`  
2. Select the `Applications` section  
3. Locate the `Portable Document Format (PDF)` content type and select `Use  
other` from the drop down menu  
4. Navigate to `/usr/bin/hptc-kiosk` and press Open  
5. Verify that the PDF handler is set to `Use hptc-kiosk`  
6. Open a new tab and type the following in the address bar  
`data:application/pdf,pwnt!`  
and press enter  
7. Observe that a `Connection manager` window now opens  
8. Click on the `+` icon in the bottom right  
9. Select `Custom`  
10. Enter `xterm` in the textbox for command to run and click Finish  
11. Select the newly created connection  
12. Click the `->` icon in the bottom left corner  
13. Observe xterm spawning  
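The handler choice made in steps 3-5 above is persisted by Firefox in the profile's `handlers.json`; the following audit, added here as an example and not part of this advisory or of any HP tooling, parses that file and flags every content type whose handler is set to an external program that is not on an administrator-defined allow-list. The allow-list and the sample profile content are constructed for the example; the action codes follow Firefox's nsIHandlerInfo constants, where 2 means "use helper application".

```python
import json
from pathlib import Path

# Firefox nsIHandlerInfo action codes as stored in handlers.json.
SAVE_TO_DISK, ALWAYS_ASK, USE_HELPER_APP, HANDLE_INTERNALLY, USE_SYSTEM_DEFAULT = range(5)

# Constructed allow-list (assumption): the only external programs the
# administrator is willing to let the browser launch for any content type.
ALLOWED_HELPERS = {"/usr/bin/evince"}

def audit_handlers(handlers_json, allowed=ALLOWED_HELPERS):
    """Return (content_type, helper_path) pairs for every content type that
    Firefox would hand to an external program not on the allow-list."""
    data = json.loads(handlers_json)
    findings = []
    for ctype, info in data.get("mimeTypes", {}).items():
        # Only "use other application" (action 2) launches a user-chosen binary;
        # save-to-disk, ask, handle-internally and system-default do not.
        if info.get("action") != USE_HELPER_APP:
            continue
        for handler in info.get("handlers", []):
            path = handler.get("path")
            if path and path not in allowed:
                findings.append((ctype, path))
    return findings

def audit_profile(profile_dir, allowed=ALLOWED_HELPERS):
    """Audit handlers.json inside a Firefox profile directory on disk."""
    path = Path(profile_dir) / "handlers.json"
    if not path.is_file():
        return []
    return audit_handlers(path.read_text(), allowed)

# Constructed sample of what handlers.json looks like after the PDF content
# type has been pointed at hptc-kiosk through Preferences > Applications.
SAMPLE_HANDLERS_JSON = json.dumps({
    "mimeTypes": {
        "application/pdf": {
            "action": USE_HELPER_APP,
            "extensions": ["pdf"],
            "handlers": [{"name": "hptc-kiosk", "path": "/usr/bin/hptc-kiosk"}],
        },
        "text/plain": {"action": HANDLE_INTERNALLY, "extensions": ["txt"]},
    },
})

if __name__ == "__main__":
    for ctype, helper in audit_handlers(SAMPLE_HANDLERS_JSON):
        print(f"{ctype}: external helper {helper} is not on the allow-list")
```

Running the audit periodically over each user's profile, or after a `Web Browser` connection closes, gives a simple configuration-drift check that the filter bypass described above leaves behind.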
  
Solution  
-------------------------------------------------  
Contact vendor for a solution  
  
Timeline  
-------------------------------------------------  
Date | Status  
------------|-----------------------------  
19-AUG-2019 | Reported to vendor  
22-NOV-2019 | Patch available  
24-MAR-2020 | Public disclosure  
  
  