Menu

Search for hundreds of thousands of exploits

"HP System Event Utility - Local Privilege Escalation"

Author

Exploit author

hyp3rlinx

Platform

Exploit platform

windows

Release date

Exploit published date

2020-02-12

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
# Exploit Title: HP System Event Utility - Local Privilege Escalation
# Author: hyp3rlinx
# Date: 2020-02-11
# Vendor: www.hp.com
# Link: https://hp-system-event-utility.en.lo4d.com/download
# CVE: CVE-2019-18915



[+] Credits: John Page (aka hyp3rlinx)		
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/HP-SYSTEM-EVENT-UTILITY-LOCAL-PRIVILEGE-ESCALATION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.hp.com


[Product]
HP System Event Utility


The genuine HPMSGSVC.exe file is a software component of HP System Event Utility by HP Inc.
HP System Event Utility enables the functioning of special function keys on select HP devices.


[Vulnerability Type]
Local Privilege Escalation



[CVE Reference]
CVE-2019-18915



[Security Issue]
The HP System Event service "HPMSGSVC.exe" will load an arbitrary EXE and execute it with SYSTEM integrity.
HPMSGSVC.exe runs a background process that delivers push notifications.

The problem is that HP Message Service will load and execute any arbitrary executable named "Program.exe"
if found in the users c:\ drive.

Path: C:\Program Files (x86)\HP\HP System Event\SmrtAdptr.exe

Two Handles are inherit, properties are Write/Read
Name: \Device\ConDrv

This results in arbitrary code execution persistence mechanism if an attacker can place an EXE in this location
and can be used to escalate privileges from Admin to SYSTEM.

HP has/is released/releasing a mitigation: https://support.hp.com/us-en/document/c06559359


[References]
PSR-2019-0204
https://support.hp.com/us-en/document/c06559359



[Network Access]
Local


[Disclosure Timeline]
Vendor Notification:  October 7, 2019
HP PSRT "product team will address the issue in next release" : January 13, 2020
HP advisory and mitigation release : February 10, 2020
February 11, 2020 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
Release DateTitleTypePlatformAuthor
2020-02-14"EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path"localwindows"Roberto Piña"
2020-02-14"HomeGuard Pro 9.3.1 - Insecure Folder Permissions"localwindowsboku
2020-02-14"SprintWork 2.3.1 - Local Privilege Escalation"localwindowsboku
2020-02-14"phpMyChat Plus 1.98 - 'pmc_username' SQL Injection"webappsphpJ3rryBl4nks
2020-02-13"Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting"webappsphp"Mehran Feizi"
2020-02-13"Wordpress Plugin tutor.1.5.3 - Local File Inclusion"webappsphp"Mehran Feizi"
2020-02-13"Wordpress Plugin wordfence.7.4.5 - Local File Disclosure"webappsphp"Mehran Feizi"
2020-02-13"Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload"webappsphp"Mehran Feizi"
2020-02-13"WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion"webappsphp"Mehran Feizi"
2020-02-13"OpenTFTP 1.66 - Local Privilege Escalation"localwindowsboku
2020-02-13"PANDORAFMS 7.0 - Authenticated Remote Code Execution"webappsphp"Engin Demirbilek"
2020-02-12"HP System Event Utility - Local Privilege Escalation"localwindowshyp3rlinx
2020-02-12"MyVideoConverter Pro 3.14 - 'Movie' Buffer Overflow"localwindowsZwX
2020-02-12"MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow"localwindowsZwX
2020-02-12"MyVideoConverter Pro 3.14 - 'Output Folder' Buffer Overflow"localwindowsZwX
2020-02-11"CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting"webappscgiLuca.Chiou
2020-02-11"Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting"webappsphp"Sayak Naskar"
2020-02-11"WordPress InfiniteWP - Client Authentication Bypass (Metasploit)"webappsphpMetasploit
2020-02-11"freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path"localwindowsboku
2020-02-11"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution"remotefreebsd"Marco Ivaldi"
2020-02-11"Disk Savvy Enterprise 12.3.18 - Unquoted Service Path"localwindowsboku
2020-02-11"Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path"localwindowsboku
2020-02-11"Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow"localwindowsZwX
2020-02-11"Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path"localwindowsboku
2020-02-11"DVD Photo Slideshow Professional 8.07 - 'Name' Buffer Overflow"localwindowsZwX
2020-02-11"DVD Photo Slideshow Professional 8.07 - 'Key' Buffer Overflow"localwindowsZwX
2020-02-11"FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path"localwindowsboku
2020-02-11"Torrent iPod Video Converter 1.51 - Stack Overflow"localwindowsboku
2020-02-10"LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
2020-02-10"Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow"localwindowsZwX
Release DateTitleTypePlatformAuthor
2020-02-14"SprintWork 2.3.1 - Local Privilege Escalation"localwindowsboku
2020-02-14"EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path"localwindows"Roberto Piña"
2020-02-14"HomeGuard Pro 9.3.1 - Insecure Folder Permissions"localwindowsboku
2020-02-13"OpenTFTP 1.66 - Local Privilege Escalation"localwindowsboku
2020-02-12"MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow"localwindowsZwX
2020-02-12"HP System Event Utility - Local Privilege Escalation"localwindowshyp3rlinx
2020-02-12"MyVideoConverter Pro 3.14 - 'Movie' Buffer Overflow"localwindowsZwX
2020-02-12"MyVideoConverter Pro 3.14 - 'Output Folder' Buffer Overflow"localwindowsZwX
2020-02-11"Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow"localwindowsZwX
2020-02-11"Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path"localwindowsboku
2020-02-11"Disk Savvy Enterprise 12.3.18 - Unquoted Service Path"localwindowsboku
2020-02-11"DVD Photo Slideshow Professional 8.07 - 'Name' Buffer Overflow"localwindowsZwX
2020-02-11"FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path"localwindowsboku
2020-02-11"freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path"localwindowsboku
2020-02-11"DVD Photo Slideshow Professional 8.07 - 'Key' Buffer Overflow"localwindowsZwX
2020-02-11"Torrent iPod Video Converter 1.51 - Stack Overflow"localwindowsboku
2020-02-11"Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path"localwindowsboku
2020-02-10"Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow"localwindowsZwX
2020-02-10"Dota 2 7.23f - Denial of Service (PoC)"doswindows"Bogdan Kurinnoy"
2020-02-10"Ricoh Driver - Privilege Escalation (Metasploit)"localwindowsMetasploit
2020-02-07"Windscribe - WindscribeService Named Pipe Privilege Escalation (Metasploit)"localwindowsMetasploit
2020-02-06"AbsoluteTelnet 11.12 - 'license name' Denial of Service (PoC)"doswindowschuyreds
2020-02-06"AbsoluteTelnet 11.12 - 'SSH2/username' Denial of Service (PoC)"doswindowschuyreds
2020-02-06"ELAN Smart-Pad 11.10.15.1 - 'ETDService' Unquoted Service Path"localwindowsZwX
2020-02-06"TapinRadio 2.12.3 - 'username' Denial of Service (PoC)"doswindowschuyreds
2020-02-06"TapinRadio 2.12.3 - 'address' Denial of Service (PoC)"doswindowschuyreds
2020-02-06"RarmaRadio 2.72.4 - 'username' Denial of Service (PoC)"doswindowschuyreds
2020-02-06"RarmaRadio 2.72.4 - 'server' Denial of Service (PoC)"doswindowschuyreds
2020-02-06"AbsoluteTelnet 11.12 - _license name_ Denial of Service (PoC)"doswindowschuyreds
2020-01-29"XMLBlueprint 16.191112 - XML External Entity Injection"localwindows"Javier Olmedo"
Release DateTitleTypePlatformAuthor
2020-02-12"HP System Event Utility - Local Privilege Escalation"localwindowshyp3rlinx
2020-01-21"NEOWISE CARBONFTP 1.4 - Weak Password Encryption"localwindowshyp3rlinx
2020-01-17"Trend Micro Maximum Security 2019 - Arbitrary Code Execution"localwindowshyp3rlinx
2020-01-17"Trend Micro Maximum Security 2019 - Privilege Escalation"localwindowshyp3rlinx
2020-01-06"Microsoft Outlook VCF cards - Denial of Service (PoC)"doswindowshyp3rlinx
2020-01-01"Microsoft Windows .Group File - Code Execution"localwindowshyp3rlinx
2019-12-03"Microsoft Windows Media Center 2002 - XML External Entity MotW Bypass"localxmlhyp3rlinx
2019-12-02"Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions"localwindowshyp3rlinx
2019-12-02"Visual Studio 2008 - XML External Entity Injection"localxmlhyp3rlinx
2019-12-02"Microsoft Excel 2016 1901 - XML External Entity Injection"localxmlhyp3rlinx
2019-11-13"ScanGuard Antivirus 2020 - Insecure Folder Permissions"localwindowshyp3rlinx
2019-10-21"Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution"localwindowshyp3rlinx
2019-09-06"Windows NTFS - Privileged File Access Enumeration"localwindowshyp3rlinx
2019-08-14"Windows PowerShell - Unsanitized Filename Command Execution"doswindowshyp3rlinx
2019-07-24"Trend Micro Deep Discovery Inspector IDS - Security Bypass"remotemultiplehyp3rlinx
2019-07-17"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow"remotewindowshyp3rlinx
2019-07-16"Microsoft Compiled HTML Help / Uncompiled .chm File - XML External Entity Injection"doswindowshyp3rlinx
2019-06-17"HC10 HC.Server Service 10.14 - Remote Invalid Pointer Write"doswindowshyp3rlinx
2019-05-03"Windows PowerShell ISE - Remote Code Execution"localwindowshyp3rlinx
2019-04-12"Microsoft Internet Explorer 11 - XML External Entity Injection"localwindowshyp3rlinx
2019-03-13"Microsoft Windows - .reg File / Dialog Box Message Spoofing"doswindowshyp3rlinx
2019-01-23"Microsoft Windows CONTACT - HTML Injection / Remote Code Execution"localwindowshyp3rlinx
2019-01-17"Microsoft Windows CONTACT - Remote Code Execution"localwindowshyp3rlinx
2019-01-15"Microsoft Windows VCF - Remote Code Execution"localwindowshyp3rlinx
2018-12-04"NEC Univerge Sv9100 WebPro - 6.00 - Predictable Session ID / Clear Text Password Storage"webappshardwarehyp3rlinx
2018-11-13"Cisco Immunet < 6.2.0 / Cisco AMP For Endpoints 6.2.0 - Denial of Service"doswindowshyp3rlinx
2018-11-12"D-LINK Central WifiManager CWM-100 - Server-Side Request Forgery"webappshardwarehyp3rlinx
2018-10-23"ServersCheck Monitoring Software 14.3.3 - 'id' SQL Injection"webappswindowshyp3rlinx
2018-10-23"ServersCheck Monitoring Software 14.3.3 - Arbitrary File Write"remotewindowshyp3rlinx
2018-10-15"NoMachine < 5.3.27 - Remote Code Execution"remotewindowshyp3rlinx
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48057/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse