Skip to content
/ Stolen-CVE-2022 Public

Arbitrary File Delete Elevation of Privilege Vulnerablity: Occurs when HP Support Assistant performs an Operating System Check task

4 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

sp3arm4n/Stolen-CVE-2022

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
CommonUtils
CommonUtils
 
 
CreateMountPoint
CreateMountPoint
 
 
.gitignore
.gitignore
 
 
HPOSCheck_PoC.sln
HPOSCheck_PoC.sln
 
 
README.md
README.md
 
 

Repository files navigation

Arbitrary File Delete Elevation of Privilege in HP Support Assistant

Vulnerability Information
Platform Windows 10 20H2 (OS Build 19042.1387)
Vendor HP (Hewlett-Packard)
Application HP Support Assistant
Vulnerability Version <9.11.106.0
Function Operating System Check
Date of Discovery 2021-12-01

Description

It logs and automatically deletes diagnostic data when performing operating system scans in HP Support Assistant running with normal User privileges. At this time, if the path is manipulated through NTFS Mount Point/Directory Junction among Windows Symbolic Links, it can be abused to delete arbitrary files with SYSTEM privileges.

Exploitation

When HP Support Assistant is launched, the HPSAAppLauncher process runs as a child process of the AppHelperCap service. The AppHelperCap service is a basic service provided in HP notebooks and operates with SYSTEM privileges. Also, if the functions provided by HP Support Assistant are performed, a new process is launched as a child process of the HPSAAppLauncher process. HP Support Assistant provides a number of features. If you go to Fix and Diagnostics in Device Support, the operating system check function exists, and when you do that, a new process called HPOSCheck runs with SYSTEM privileges.

Process Hacker: Check process permissions

image

During the operating system check by the HPOSCheck process, diagnostic data for BITS, Windows Update, Device Center, Maintenance, and Device are created in the following paths with SYSTEM privileges, respectively.

C:\Program Files (x86)\HP\HP Support Framework\Resources\HPOSCheck\Resources\xml\BITS
C:\Program Files (x86)\HP\HP Support Framework\Resources\HPOSCheck\Resources\xml\WindowsUpdate
C:\Program Files (x86)\HP\HP Support Framework\Resources\HPOSCheck\Resources\xml\DeviceCenter
C:\Program Files (x86)\HP\HP Support Framework\Resources\HPOSCheck\Resources\xml\Maintenance
C:\Program Files (x86)\HP\HP Support Framework\Resources\HPOSCheck\Resources\xml\Device

The generated data is deleted immediately by automatically calling the DeleteFileW function, and at the same time, the diagnostic data saved for each area in the "C:\Windows\Temp\SDIAG_Random GUID\result" path are integrated and saved. Afterwards, when the operating system check is finished, the "SDIAG_Random GUID" directory created in the path is deleted calling the DeleteFileW function with SYSTEM privilege.

_TCHAR tempPath[1024] = L"C:\\Windows\\Temp";

WIN32_FIND_DATA data;

HANDLE hFind = FindFirstFile(L"C:\\Windows\\Temp\\SDIAG_*", &data);
if (hFind == INVALID_HANDLE_VALUE)
{
	printf("[!] Cannot Find sdiag Directory\n");
	return 1;
}

_TCHAR* sdiagDir = L"Error";

while (FindNextFile(hFind, &data) != 0)
{
	if (wcscmp(data.cFileName, L".") == 0 || wcscmp(data.cFileName, L"..") == 0)
		continue;
	else sdiagDir = data.cFileName;
}

The path where the "SDIAG_Random GUID" directory is created has high privileges, so general users cannot access it. However, one of the HP Support Assistant features, Performance Optimization, can be used to delete files in that path. If the "C:\Windows\Temp" path is empty by optimizing the performance while the operating system check is in progress, the operating system check can still have the handle. At this time, if you make a directory junction to the "result" directory with an arbitrary path, you can follow the link and delete the files in the target path with SYSTEM privilege.

CreateDirectory(sdiagPath, nullptr);
CreateDirectory(fullpath, nullptr);

if (CreateDirectory(fullpath, nullptr) || (GetLastError() == ERROR_ALREADY_EXISTS))
{
	if (!ReparsePoint::CreateMountPoint(fullpath, argv[1], argc > 2 ? argv[2] : L""))
	{
	printf("[!] Error creating mount point - %ls\n", GetErrorMessage().c_str());
		return 1;
	}
}
else
{
	printf("[!] Error creating directory - %ls\n", GetErrorMessage().c_str());
}

Conclusion

  1. After verifying user information, start HP Support Assistant.
  2. Go to Device Support, then select Fixes and Diagnostics.
  3. Run an operating system check.
  4. Perform PoC in the format of HPOSCheck_PoC.exe [target dir].
  5. When the message "Start Optimize performance without additional options and press ENTER" appears, run performance optimization and press ENTER.
  6. When the PoC ends with the phrase "Now Close the operating system check window!!!", the operating system check ends.

Proof of Concept

image

Demo

Video Label

Reference

Why Stolen: Mailboxes received from HP after reporting vulnerabilities

📩 Hello, HP. HP Support Assistant

Jin, Mingzhou (CCC Dalian Korea) mingzhou.jin@hp.com
2022. 01. 18. PM 12:05

Hello.
Case number : 5078475116
Regarding HP Support Assistant, the HP team will confirm and respond to you.

HP Support Assistant has been fully vetted by HP Cybersecurity and has responded with no flags and no issues.

Please note.

thank you
Myung Joo Kim regards
Mingzhou, Jin
CCC Dalian Korea
mingzhou.jin@hp.com
Hewlett-Packard Company
PPS CSS CDCD PS Korea Operation Support Team

About

Arbitrary File Delete Elevation of Privilege Vulnerablity: Occurs when HP Support Assistant performs an Operating System Check task

Topics

windows-10 junction elevation-of-privilege

Resources

Readme
Activity

Stars

4 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases 1

exploit Latest
Oct 20, 2023

Packages

No packages published

Languages