| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2021-34546 | 13 Jun 2021 01:42 | – | circl |
| NetSetMan Pro Authorization Issue Vulnerability | 10 Jun 2021 00:00 | – | cnnvd |
| CVE-2021-34546 | 10 Jun 2021 15:04 | – | cve |
| CVE-2021-34546 | 10 Jun 2021 15:04 | – | cvelist |
| EUVD-2021-21198 | 7 Oct 2025 00:30 | – | euvd |
| CVE-2021-34546 | 10 Jun 2021 16:15 | – | nvd |
| CVE-2021-34546 | 10 Jun 2021 16:15 | – | osv |
| NetSetManPro 4.7.2 Privilege Escalation | 11 Jun 2021 00:00 | – | packetstorm |
| Design/Logic Flaw | 10 Jun 2021 16:15 | – | prion |
| CVE-2021-34546 | 22 May 2025 18:36 | – | redhatcve |

NetSetManPro 4.7.2 Privilege Escalation Exploit
Affected Products
NetSetManPro 4.7.2 (other/older releases have not been tested)
References
https://www.secuvera.de/advisories/secuvera-SA-2021-01.txt (used for updates)
CVE-2021-34546 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34546)
Summary:
"NetSetMan is a network settings manager software for easily switching between your preconfigured profiles."
The save file dialogue within the action log window, shown after switching a profile using the pre-logon profile switching (if intentionally enabled), leads to arbitrary command execution as the system authority user, enabling an unauthenticated attacker to log on.
Effect:
An unauthenticated attacker with physical access to a computer with NetSetMan Pro 4.7.2 installed that has the pre-logon profile switch activated (not enabled by default) as a button within the Windows logon screen is able to drop to an administrative shell and execute arbitrary commands as the system user by using the "save log to file" feature within NetSetMan Pro.
Example:
On a client computer running Microsoft Windows 10 and NetSetMan Pro, an icon can appear on the Windows lock screen if configured. The following steps must be performed in order to gain an administrative shell:
1. Boot the client system
2. Click on the NetSetMan Pro Icon.
3. Choose a user defined (empty) setting.
4. Click on the "save" button in the appearing window within the "Log" section (save icon)
5. Click on "File-Type" and choose "*.*"
6. Navigate to path "C:\Windows\System32\"
7. Right-click on "cmd.exe" and choose "Run as administrator...".
8. The appearing command prompt has administrative rights.
To be able to bypass authentication, a local user with administrative rights can be added using the following commands:
a. net user Pentest Password123! /add
b. net localgroup Administrators Pentest /add
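
For detection, the two commands above leave a recognisable pair in the Windows Security log: event 4720 (account created) followed by event 4732 (member added to a local group), both with SYSTEM as the subject because the shell runs as the system user. The sketch below is an added example, not part of the original advisory or of NetSetMan; it assumes account and group management auditing is enabled, that events were exported into dictionaries with already parsed timestamps, and the function name, sample SIDs and 10-minute window are made up for illustration.

```python
from datetime import datetime, timedelta

SYSTEM_SID = "S-1-5-18"       # LocalSystem, the identity of the shell in the advisory
ADMINS_SID = "S-1-5-32-544"   # BUILTIN\Administrators
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per environment

def find_system_created_admins(events, window=WINDOW):
    """Correlate 4720 (account created) with 4732 (added to local group)
    where SYSTEM is the subject of both and the group is Administrators."""
    created = {}  # new account SID -> (creation time, account name)
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev.get("SubjectUserSid") != SYSTEM_SID:
            continue
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = (ev["TimeCreated"], ev["TargetUserName"])
        elif ev["EventID"] == 4732 and ev.get("TargetSid") == ADMINS_SID:
            hit = created.get(ev.get("MemberSid"))
            if hit and ev["TimeCreated"] - hit[0] <= window:
                alerts.append({"account": hit[1], "sid": ev["MemberSid"],
                               "created": hit[0], "promoted": ev["TimeCreated"]})
    return alerts

# Constructed sample events (not from a real host); SIDs are made up.
T0 = datetime(2021, 6, 10, 8, 0, 0)
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENTS = [
    # Pattern from the advisory: SYSTEM creates an account, then promotes it.
    {"EventID": 4720, "TimeCreated": T0, "SubjectUserSid": SYSTEM_SID,
     "TargetUserName": "Pentest", "TargetSid": DOM + "-1005"},
    {"EventID": 4732, "TimeCreated": T0 + timedelta(seconds=5), "SubjectUserSid": SYSTEM_SID,
     "TargetSid": ADMINS_SID, "MemberSid": DOM + "-1005"},
    # Benign: an interactive administrator creates and promotes a colleague.
    {"EventID": 4720, "TimeCreated": T0 + timedelta(hours=1), "SubjectUserSid": DOM + "-1001",
     "TargetUserName": "alice", "TargetSid": DOM + "-1006"},
    {"EventID": 4732, "TimeCreated": T0 + timedelta(hours=1, seconds=9), "SubjectUserSid": DOM + "-1001",
     "TargetSid": ADMINS_SID, "MemberSid": DOM + "-1006"},
    # Benign: SYSTEM creates an account that only joins Users (S-1-5-32-545).
    {"EventID": 4720, "TimeCreated": T0 + timedelta(hours=2), "SubjectUserSid": SYSTEM_SID,
     "TargetUserName": "svc_setup", "TargetSid": DOM + "-1007"},
    {"EventID": 4732, "TimeCreated": T0 + timedelta(hours=2, seconds=1), "SubjectUserSid": SYSTEM_SID,
     "TargetSid": "S-1-5-32-545", "MemberSid": DOM + "-1007"},
]

if __name__ == "__main__":
    for alert in find_system_created_admins(SAMPLE_EVENTS):
        print("ALERT: SYSTEM created and promoted", alert["account"], alert["sid"])
```

Account creation by SYSTEM also occurs during legitimate setup, so the rule only alerts when the same new SID is added to Administrators within the window.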
Solution:
Update to Version 5.0 or newer (5.0.6 was tested by the researcher).
Disclosure Timeline:
2021/05/17 vendor initially contacted, submitted all details.
2021/05/17 vendor replied suggesting vulnerability already fixed in newer versions prior to researcher contact
2021/06/02 verified vendor suggested fix using version 5.0.6; updated advisory and contacted vendor again; vendor suggested edits
2021/06/09 updated advisory and requested CVE identifier
2021/06/10 public disclosure