CVE-2019-17202: Responsible Disclosure — Improsec | improving security
FastTrack Admin By Request 6.1.0.0 supports group policies that are supposed to allow only a select range of users to elevate to Administrator privilege at will. If a user does not have direct access to the elevation feature through group policies, they are prompted to enter a PIN code in a challenge-response manner upon attempting to elevate privileges. The challenge’s response uses a simple algorithm that can be easily emulated via data (customer ID and device name) available to all users, and thus any user can elevate to Administrator privilege.
Improsec’s goal is to help improve security in widely used IT systems, including hard- and software products, operating systems, (web) applications, firmware, APIs etc.
The work is carried out to the extent that it will not compromise trust or confidentiality between Improsec and our customers.
When we identify security issues or vulnerabilities in IT systems, security researchers at Improsec follow the Responsible Disclosure policy below.
In the following document you will find our Responsible Disclosure Policy (UK).
Responsible disclosure findings
Multiple vulnerabilities in SonicWall SMA 100
During a customer engagement we identified multiple vulnerabilities in SonicWall’s Mobile Access web interface (SMA) allowing unauthenticated user enumeration and unauthenticated read/delete access to several endpoints of the management API.
Issue #1
- CVE-2021-20049
- CVE-2021-20050
Privilege escalation vulnerability in NinjaRMM Agent introduced in EXEMSI MSI Wrapper
We found a vulnerability in EXEMSI MSI Wrapper, which affected multiple third-party software vendors. Read more about our finding and the responsible disclosure here:
Issue #1
- CVE-2021-26273
- CVE-2021-26274
Privilege escalation in Microsoft Windows 7/8.1/10, Windows Server 2008/2012/2016/2019
We found a vulnerability in Windows 7/8.1/10/Server 2008/2012/2016/2019, which affected a range of different third-party products. Read more about our finding and the responsible disclosure here:
Issue #1
- CVE-2021-1661
Privilege escalation vulnerability in Lenovo System Update
We found a vulnerability in Lenovo System Update that allows any user to redirect the application flow in unintended ways, which allows low-privileged users to access high-privileged functions. Read more about our finding and the responsible disclosure here:
Issue #1
- CVE-2020-8342
Unpatched privilege escalation vulnerability in Intel Driver & Support Assistant
We have found a trivial privilege escalation vulnerability in Intel Driver & Support Assistant. Read more about our finding and the responsible disclosure here:
Issue #1
- CVE-2020-13386
Local Privilege Escalation in SmartDraw 2020
We have performed an analysis of SmartDraw 2020 and found a local privilege escalation vulnerability that uses the built-in update functionality of the product together with the general folder permissions set on the product's installation path. Read more about our finding and the responsible disclosure thereof here:
Issue #1
- CVE-2020-13386
Privilege Escalation vulnerability in Splashtop Streamer
We found bugs in the installed software Splashtop Streamer while doing vulnerability research. Read more about our finding here:
Issue #1
- CVE-2020-12431
Remote Code Execution by reverse engineering an Askey Wifi-Extender
We have performed an analysis of the Askey WiFi-extender in close collaboration with TDC. Read more about our finding here:
Issue #1
- CVE-2020-8614
Local privilege escalation via Pronestor HealthMonitor
During a Windows security analysis, we found a privilege escalation vulnerability in the Pronestor HealthMonitor service (part of the “Outlook add-in for Pronestor” product). Read more about our finding here:
Issue #1
- CVE-2019-17390
Multiple vulnerabilities in EasyInstall RMM and deployment software
We have performed an analysis of EasyInstall RMM and deployment software and have found six privilege escalation vulnerabilities:
Issue #1
- CVE-2019-19893
- CVE-2019-19894
- CVE-2019-19895
- CVE-2019-19896
- CVE-2019-19897
- CVE-2019-19898
Local privilege escalation in FastTrack AdminByRequest
We have performed an analysis of the product “AdminByRequest” (version 6.1.0.0) by FastTrack Software and have found two local privilege escalation vulnerabilities, each allowing a regular user to become local administrator. The first CVE allows a local user to communicate directly with the underlying service Audckq32.exe over a named pipe to force elevation to admin, and the second CVE allows a user to become local administrator by reversing the proprietary PIN-code algorithm:
- CVE-2019-17201
- CVE-2019-17202
Privilege escalation in Lenovo Dynamic Power Reduction Utility
We have performed an analysis of Lenovo Dynamic Power Reduction Utility and have found a privilege escalation vulnerability. Read more about our finding here:
Issue #1
- CVE-2019-6149
Privilege escalations in CapMon Access Manager
We have performed an analysis of Access Manager by CapMon and found interesting security vulnerabilities by means of direct communication with its privilege-managing service. Read more about our findings and the responsible disclosures thereof here:
Issue #1
- CVE-2018-18252
- CVE-2018-18253
- CVE-2018-18254
- CVE-2018-18255
- CVE-2018-18256
Privilege escalations in Heimdal Security
We have performed an analysis of Heimdal Security and found interesting security vulnerabilities by means of DLL hijacking and executable overwriting. Read more about our findings and the responsible disclosures thereof here:
Issue #1
- CVE-2018-5349
Issue #2
- CVE-2018-5731
Client-side remote code execution in IBM Notes
We have performed an analysis of IBM Notes and found interesting security vulnerabilities by means of DLL hijacking. Read more about our findings and the responsible disclosure thereof here:
Issue #1
- CVE-2018-1435
Privilege escalation in IBM Notes Diagnostics
We have performed an analysis of IBM Notes Diagnostics and found interesting security vulnerabilities by means of DLL and internal file hijacking. Read more about our findings and the responsible disclosure thereof here:
Issue #1
- CVE-2017-1714
Issue #2
- CVE-2017-1720
Issues #3-5
- CVE-2018-1409
- CVE-2018-1410
- CVE-2018-1411
Issue #6
- CVE-2018-1437
Privilege escalation in IBM Notes Smart Update Service
We have performed an analysis of IBM Notes Smart Update Service and found an interesting security vulnerability by means of DLL hijacking. Read more about our finding and the responsible disclosure thereof here:
Issue #1
- CVE-2017-1711
Local information disclosure vulnerability in IBM Tivoli Storage Manager and IBM Spectrum Protect
We have performed an analysis of IBM Tivoli Storage Manager and have found a local information disclosure vulnerability. Read more about our finding here:
Issue #1
- CVE-2016-8939
Related news
A vulnerability has been reported in Windows installers (MSI) built with an InstallScript custom action. This vulnerability may allow privilege escalation when ‘repair’ is invoked on an MSI that has an InstallScript custom action.
Dell EMC Unisphere for PowerMax versions before 9.1.0.27, Dell EMC Unisphere for PowerMax Virtual Appliance versions before 9.1.0.27, and PowerMax OS Release 5978 contain an improper certificate validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to carry out a man-in-the-middle attack by supplying a crafted certificate and intercepting the victim's traffic to view or modify a victim’s data in transit.
An Improper Access Control Vulnerability in the SMA100 series leads to multiple restricted management APIs being accessible without a user login, potentially exposing configuration meta-data.