Advisory RunAsSpc 3.7.0.0 Insufficiently Protected Credentials (CVE-2019-10239)
(A detailed security advisory, written in English, can be found below.)
Robotronic RunAsSpc is a Windows application that runs predefined programs under a different user context. The program to be executed, together with the credentials of the user under whose context it is to run, is stored in an encrypted file. When runasspc.exe is invoked, that program is started without any credentials having to be entered.
RunAsSpc 3.7.0.0 processes the stored credentials in a way that allows a local attacker in the same user context to capture them in clear text.
Detailed security advisory:
Advisory ID: TO-2019-001
Product: RunAsSpc
Vendor: Robotronic
Tested Version: 3.7.0.0
Vulnerability Type: Incorrect Access Control
CVSS Risk: 8.4 (High)
CVSSv3: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Solution Status: Upgrade to alternative application
CVE Reference: CVE-2019-10239
CWE Reference: CWE-522 (Insufficiently Protected Credentials)
Author of Advisory: Tobias Gyoerfi, Thinking Objects GmbH

========================================================================

Overview:

Robotronic RunAsSpc is a Windows application that runs a predefined callee application under a different user account without requiring that user's credentials to be entered. RunAsSpc 3.7.0.0 protects the stored credentials insufficiently, which allows a locally authenticated attacker running in the same user context to obtain the clear-text credentials of the stored account.

========================================================================

Vulnerability Details:

RunAsSpc stores the predefined callee executable name and the user credentials in an encrypted configuration file (crypt.spc). When the configuration file is opened with runasspc.exe, these settings are decrypted and passed in plain text to the Windows API function CreateProcessWithLogonW.

Because runasspc.exe runs at medium integrity level by default, an attacker process running in the same user context at the same integrity level can open the process memory of runasspc.exe and monitor its calls to CreateProcessWithLogonW, including the plain-text user name and password parameters. The encryption of crypt.spc therefore does not protect the credentials from the very user account that is allowed to launch runasspc.exe.

If the stored credentials belong to a higher-privileged account, the same issue also yields a privilege escalation.

========================================================================

Proof of Concept (PoC):

This vulnerability can be exploited by injecting a DLL into runasspc.exe that hooks CreateProcessWithLogonW and logs the credentials it receives.
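Detecting the PoC described above: the injector must open runasspc.exe with write and thread-creation rights and then start a remote thread in it. The following script is an added example (not part of the advisory or the vendor's software) that flags such activity in Sysmon-style ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) events. The event lines are constructed for this example and modelled on Sysmon's text rendering; the assumption that the injector uses the classic OpenProcess + WriteProcessMemory + CreateRemoteThread(LoadLibraryW) technique is mine, since the advisory does not state the injection method.

```python
"""Flag Sysmon-style events that point at DLL injection into runasspc.exe.

Constructed sample events modelled on the text rendering of Sysmon Event ID 10
(ProcessAccess) and Event ID 8 (CreateRemoteThread); they are not real logs.
Assumption (not from the advisory): the injector uses OpenProcess +
WriteProcessMemory + CreateRemoteThread(LoadLibraryW).
"""

TARGET_IMAGE = "runasspc.exe"

# Documented PROCESS_* access-right bits an injector needs on the target.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample: one event per line, fields joined with '|'.
SAMPLE_EVENTS = [
    r"EventID: 10|UtcTime: 2019-04-09 10:14:02.117|SourceImage: C:\Windows\System32\cmd.exe"
    r"|TargetImage: C:\Tools\runasspc.exe|GrantedAccess: 0x1000",
    r"EventID: 10|UtcTime: 2019-04-09 10:14:05.902|SourceImage: C:\Users\alice\AppData\Local\Temp\inject.exe"
    r"|TargetImage: C:\Tools\runasspc.exe|GrantedAccess: 0x1FFFFF",
    r"EventID: 8|UtcTime: 2019-04-09 10:14:05.931|SourceImage: C:\Users\alice\AppData\Local\Temp\inject.exe"
    r"|TargetImage: C:\Tools\runasspc.exe|NewThreadId: 4120"
    r"|StartModule: C:\Windows\System32\KERNEL32.DLL|StartFunction: LoadLibraryW",
    r"EventID: 10|UtcTime: 2019-04-09 10:15:40.004|SourceImage: C:\Program Files\ExampleAV\avscan.exe"
    r"|TargetImage: C:\Windows\explorer.exe|GrantedAccess: 0x1FFFFF",
]


def parse_event(line):
    """Split 'Key: Value|Key: Value' into a dict; values may contain ':' (paths, times)."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def image_name(path):
    """Base name of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a reason string when the event indicates injection into runasspc.exe, else None."""
    if image_name(event.get("TargetImage", "")) != TARGET_IMAGE:
        return None
    source = event.get("SourceImage", "<unknown>")
    event_id = event.get("EventID")
    if event_id == "10":
        # GrantedAccess is a hex mask; all three injection bits must be present.
        granted = int(event.get("GrantedAccess", "0"), 16)
        if (granted & INJECT_MASK) == INJECT_MASK:
            return (f"ProcessAccess from {source} with write+thread rights "
                    f"(GrantedAccess 0x{granted:X})")
        return None
    if event_id == "8":
        # Any remote thread in runasspc.exe is suspicious; LoadLibraryW is the classic entry.
        start = f"{image_name(event.get('StartModule', ''))}!{event.get('StartFunction', '?')}"
        return f"CreateRemoteThread from {source} starting at {start}"
    return None


def find_injection_events(lines):
    """Return (line_number, reason) for every line the classifier flags."""
    hits = []
    for number, line in enumerate(lines, start=1):
        reason = classify(parse_event(line))
        if reason is not None:
            hits.append((number, reason))
    return hits


if __name__ == "__main__":
    for number, reason in find_injection_events(SAMPLE_EVENTS):
        print(f"event {number}: {reason}")
```

The first sample event (cmd.exe opening runasspc.exe with PROCESS_QUERY_LIMITED_INFORMATION only) and the last one (a scanner opening explorer.exe) are not flagged; the injector's handle with full rights and its LoadLibraryW thread are. In a real deployment, security products and debuggers also open processes with broad rights, so treat a ProcessAccess hit as a lead to be tuned with an allowlist, and treat a CreateRemoteThread hit into runasspc.exe as high confidence.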
========================================================================

Solution:

The vendor provides the alternative application RunAsRob, which is not susceptible to this vulnerability.

========================================================================

Disclosure Timeline:

2019-02-20: Vulnerability discovered
2019-02-28: Vulnerability reported to vendor
2019-03-07: Vulnerability confirmed by vendor
2019-03-27: CVE reserved
2019-04-09: Vulnerability disclosed

========================================================================

References:

* Product website: http://robotronic.de/runasspc.html
* Security advisory: https://blog.to.com/advisory-runasspc-cve-2019-10239/

========================================================================

Credits:

This vulnerability was discovered by Tobias Gyoerfi, Thinking Objects GmbH. Thanks to Dimitri Lesy and David Rieger for encouragement and tooling support during the research process.

========================================================================

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on to.com.

========================================================================

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en