NetSetMan Pro 4.7.2 Privilege Escalation Exploit

NetSetManPro 4.7.2 Privilege Escalation Exploit

Affected Products
    NetSetManPro 4.7.2 (other/older releases have not been tested)

References
    https://www.secuvera.de/advisories/secuvera-SA-2021-01.txt (used for 
updates)
    CVE-2021-34546 
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34546)

Summary:
    "NetSetMan is a network settings manager software for easily 
switching between
    your preconfigured profiles."

    The save file dialogue within the action log window after switching a 
profile
    using the pre-logon profile switching (if intentionaly enabled) leads 
to
    arbitrary command execution as system authority user enabling an 
unauthenticated
    attacker to log on.

Effect:
    An unauthenticated attacker with physical access to a computer with 
NetSetMan Pro
    4.7.2 installed, that has the pre-logon profile switch activated (not 
enabled by
    default) as button withinthe windows logon screen, is able to drop to 
an admin-
    istrative shell and execute arbitrary commands as system user by the 
use of the
    "save log to file" feature within NetSetMan Pro.

Example:
    On a client computer running Microsoft Windows 10 and NetSetMan Pro 
an Icon can
    appear on the Windows lock-screen if configured. The following steps 
must be per-
    formed in order to gain an administrative shell:
    1. Boot the client system
    2. Click on the NetSetMan Pro Icon.
    3. Choose an user defined (empty) setting.
    4. Click on the "save" button in the appearing Window within the 
"Log" section
       (save icon)
    5. Click on "File-Type" and Choose "*.*"
    6. Navigate to path "C:\Windows\System32\"
    7. Right-Click on on "cmd.exe" and choose "Run as administrator...".
    8. The appearing command prompt has administrative rights.

    To be able to bypass authentication a local user with administrative 
rights can
    be added using the following commands:
    a. net user Pentest Password123! /add
    b. net localgroup Administrators Pentest /add

Solution:
    Update to Version 5.0 or newer (5.0.6 was tested by the researcher).

Disclosure Timeline:
    2021/05/17 vendor initially contacted, submitted all details.
    2021/05/17 vendor replied suggesting vulnerability already fixed
               in newer versions prior researcher contact
    2021/06/02 verified vendor suggested fix using version 5.0.6;
               updated advisory and contacted vendor again; vendor
               suggested edits
    2021/06/09 updated advisory and requested CVE identifier
    2021/06/10 public disclosure