Advisory RunAsSpc 3.7.0.0 Insufficiently Protected Credentials (CVE-2019-10239)

Robotronic RunAsSpc, eine Windows-Anwendung zur Ausführung vordefinierter Programme unter anderem Benutzerkontext, verarbeitet Zugangsdaten so, dass ein lokaler Angreifer im gleichen Benutzerkontext diese im Klartext mitlesen kann.

(A detailed security advisory, written in English, can be found below.)

Robotronic RunAsSpc ist eine Windows-Anwendung, mit der vordefinierte Programme unter einem anderen Benutzerkontext ausgeführt werden können. Dabei werden das auszuführende Programm sowie die Zugangsdaten des Benutzers, unter dessen Kontext das Programm ausgeführt werden soll, in einer verschlüsselten Datei gespeichert. Beim Aufruf von runasspc.exe wird dieses Programm dann gestartet, ohne dass Zugangsdaten eingegeben werden müssen.

RunAsSpc 3.7.0.0 verarbeitet die gespeicherten Zugangsdaten in einer Art und Weise, die es einem lokalen Angreifer im gleichen Benutzerkontext ermöglicht, diese Zugangsdaten im Klartext abzugreifen.

Detailed security advisory:
Advisory ID: TO-2019-001
Product: RunAsSpc
Vendor: Robotronic
Tested Version: 3.7.0.0
Vulnerability Type: Incorrect Access Control
CVSS Risk: 8.4 (High)
CVSSv3: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Solution Status: Upgrade to alternative application
CVE Reference: CVE-2019-10239
CWE Reference: CWE-522 (Insufficiently Protected Credentials)
Author of Advisory: Tobias Gyoerfi, Thinking Objects GmbH

========================================================================

Overview:

Robotronic RunAsSpc is a Windows application that allows to run a
predefined callee application under a different user account without the
need to enter credentials of this user.

RunAsSpc 3.7.0.0 protects stored credentials insufficiently,
which allows locally authenticated attackers (under the same user
context) to obtain clear text credentials of the stored account. 

========================================================================

Vulnerability Details:

RunAsSpc stores the predefined callee executable name and user
credentials in an encrypted configuration file (crypt.spc). When the
configuration file is opened using runasspc.exe, these settings are
decrypted and passed to the Windows API function
CreateProcessWithLogonW in plain text.

As runasspc.exe is run with medium integrity level by default,
an attacker application (running with medium integrity level as well)
is able to access process memory and monitor calls to
CreateProcessWithLogonW with the corresponding plain text
user credential parameters.

Furthermore, an additional privilege escalation vulnerability emerges if
the stored user credentials belong to a higher-privileged user account.

========================================================================

Proof of Concept (PoC):

This vulnerability can be exploited by injecting a DLL into runasspc.exe
which hooks CreateProcessWithLogonW and logs the processed credentials.

========================================================================

Solution:

The vendor provides the alternative application RunAsRob which is not
susceptible to this vulnerability.

========================================================================

Disclosure Timeline:

2019-02-20: Vulnerability discovered
2019-02-28: Vulnerability reported to vendor
2019-03-07: Vulnerability confirmed by vendor
2019-03-27: CVE reserved
2019-04-09: Vulnerability disclosed

========================================================================

References:

* Product website:
  http://robotronic.de/runasspc.html
* Security advisory:
  https: //blog.to.com/advisory-runasspc-cve-2019-10239/

========================================================================

Credits:

This vulnerability was discovered by Tobias Gyoerfi, Thinking Objects
GmbH. Thanks to Dimitri Lesy and David Rieger for encouragement and
tooling support during the research process.

========================================================================

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on to.com.

========================================================================

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

CAPTCHA *