Menu

Search for hundreds of thousands of exploits

"Pronestor Health Monitoring < 8.1.11.0 - Privilege Escalation"

Author

PovlTekstTV

Platform

windows

Release date

2019-06-13

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
[Summary]
The Pronestor service "PNHM" (aka Health Monitoring or HealthMonitor) 
before 8.1.12.0 has "BUILTIN\Users:(I)(F)" permissions for 
the "%PROGRAMFILES(X86)%\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe" file, 
which allows local users to gain privileges via a Trojan horse PronestorHealthMonitor.exe file.

During the installation of Pronestors Outlook-Add-In (version 8.1.11.0 
and older) the installer creates a service named PNHM (Pronester 
Health Monitoring) with weak file permission running as SYSTEM.
The vulnerability allows all "Authenticated Users" to potentially 
execute arbitrary code as SYSTEM on the local system.

[Additional Information]
Tested on Windows 7.
Version: Outlook Add-In 8.1.11.0 and older
Also tested on version 5.1.6.0 with same result.
Discovered: 06-nov-2018
Reported: 07-nov-2018

Vendor: https://www.pronestor.com/
Vendor confirmed: True
Fixed: Version 8.1.12.0
Attack Type: Local Privilege Escalation
Vulnerability due to: Insecure Permissions
Discoverer: PovlTekstTV
CVE: 2018-19113
Original link: https://gist.github.com/povlteksttv/8f990e11576e1e90e8fb61acf8646d28

[Proof]
C:\Users\povltekst>sc qc PNHM

SERVICE_NAME: PNHM
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Pronestor HealthMonitor
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\povltekst>icacls 'C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe'
C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe
         BUILTIN\Users:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         BUILTIN\Administrators:(I)(F)

Notice: "BUILIN\Users:(I)(F)". (F) = Full access!
This means that an authenticated user can change the file

[Attack Vectors]
Replace the file "PronestorHealthMonitor.exe" with a malicious file 
also called "PronesterHealthMonitor.exe". Next time the service (PNHM) 
starts, the malicious file will get executed as SYSTEM. The service 
starts on every reboot.

[Affected Component]
PronestorHealthMonitor.exe
This exe will be executed on every reboot by a service named PNHM running as SYSTEM.
Release Date Title Type Platform Author
2019-09-16 "docPrint Pro 8.0 - SEH Buffer Overflow" local windows "Connor McGarr"
2019-09-16 "AppXSvc - Privilege Escalation" local windows "Gabor Seljan"
2019-09-06 "Windows NTFS - Privileged File Access Enumeration" local windows hyp3rlinx
2019-09-13 "Folder Lock 7.7.9 - Denial of Service" dos windows Achilles
2019-09-12 "Microsoft DirectWrite - Out-of-Bounds Read in sfac_GetSbitBitmap While Processing TTF Fonts" dos windows "Google Security Research"
2019-09-12 "Microsoft DirectWrite - Invalid Read in SplicePixel While Processing OTF Fonts" dos windows "Google Security Research"
2019-09-10 "Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry (Metasploit)" local windows Metasploit
2019-09-10 "Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) (Metasploit)" local windows Metasploit
2019-09-02 "Kaseya VSA agent 9.5 - Privilege Escalation" local windows NF
2019-09-02 "ChaosPro 3.1 - SEH Buffer Overflow" local windows "Jonathan Crosby"
2019-09-02 "ChaosPro 2.1 - SEH Buffer Overflow" local windows "Jonathan Crosby"
2019-09-02 "ChaosPro 2.0 - SEH Buffer Overflow" local windows "Jonathan Crosby"
2019-08-30 "VX Search Enterprise 10.4.16 - 'User-Agent' Denial of Service" dos windows "James Chamberlain"
2019-08-30 "Asus Precision TouchPad 11.0.0.25 - Denial of Service" dos windows "Athanasios Tserpelis"
2019-08-30 "Easy MP3 Downloader 4.7.8.8 - 'Unlock Code' Denial of Service" dos windows "Mohan Ravichandran_ Snazzy Sanoj"
2019-08-30 "SQL Server Password Changer 1.90 - Denial of Service" dos windows "Velayutham Selvaraj_ Praveen Thiyagarayam"
2019-08-28 "Outlook Password Recovery 2.10 - Denial of Service" dos windows "Velayutham Selvaraj_ Praveen Thiyagarayam"
2019-08-26 "Windows 10 - SET_REPARSE_POINT_EX Mount Point Security Feature Bypass" local windows "Google Security Research"
2019-08-26 "LSoft ListServ < 16.5-2018a - Cross-Site Scripting" webapps windows MTK
2019-08-19 "RAR Password Recovery 1.80 - 'User Name and Registration Code' Denial of Service" dos windows Achilles
2019-08-15 "Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities" local windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Double Free due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - free() of Uninitialized Pointer due to Malformed JBIG2Globals Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Memory Corruption due to Malformed TTF Font" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow in CoolType.dll" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed Font Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Static Buffer Overflow due to Malformed Font Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow While Processing Malformed PDF" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Use-After-Free due to Malformed JP2 Stream" dos windows "Google Security Research"
Release Date Title Type Platform Author
2019-06-13 "Pronestor Health Monitoring < 8.1.11.0 - Privilege Escalation" local windows PovlTekstTV
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46988/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/46988/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46988/41398/pronestor-health-monitoring-81110-privilege-escalation/download/", "exploit_id": "46988", "exploit_description": "\"Pronestor Health Monitoring < 8.1.11.0  - Privilege Escalation\"", "exploit_date": "2019-06-13", "exploit_author": "PovlTekstTV", "exploit_type": "local", "exploit_platform": "windows", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications including basic vulnerability identification.

Browse exploit APIBrowse