Exploits / Vulnerability Discovered : 2019-06-17 |
Type : dos |
Platform : windows
This exploit / vulnerability Hc10 hc.server service 10.14 remote invalid pointer write is for educational purposes only and if it is used you will do on your own risk!
HC10 is a unified hosting automation control panel for web hosts and Cloud based service providers to manage both Windows & Linux servers
simultaneously as part of a single cluster. HC works on an N-tier user model.
[Vulnerability Type]
Remote Invalid Pointer Write
[CVE Reference]
CVE-2019-12323
[Security Issue]
The HC.Server service in Hosting Controller HC10 10.14 allows an Invalid Pointer Write DoS if attackers can reach the service on port 8794.
In addition this can potentially be leveraged for post exploit persistence with SYSTEM privileges, if physical access or malware is involved.
If a physical attacker or malware can set its own program for the service failure recovery options, it can be used to maintain persistence.
Afterwards, it can be triggered by sending a malicious request to DoS the service, which in turn can start the attackers recovery program.
The attackers program can then try restarting the affected service to try an stay unnoticed by calling "sc start HCServerService".
Services failure flag recovery options for "enabling actions for stops or errors" and can be set in the services "Recovery" properties tab
or on the command line. Authentication is not required to reach the vulnerable service, this was tested successfully on Windows 7/10.
SERVICE_NAME: HCServerService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\Program Files\Hosting Controller\Provisioning\HC.Server.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HC Server Service
DEPENDENCIES : HCProvisioningService
SERVICE_START_NAME : LocalSystem
[Exploit/POC]
1) Configure the HCServiceService recovery failure options to an arbitrary program.
2) Trigger the remote invalid pointer write to gain persistence with SYSTEM privileges.
from socket import *
IP = raw_input("[+] HC Server Service IP ")
PORT = 8794
print "Triggering HC10 Server Service Xploit"
print "hyp3rlinx"
[Network Access]
Remote
[Severity]
Medium
[Disclosure Timeline]
Vendor Notification: May 14, 2019
No reply
Second notification: May 21, 2019
Vendor "will change the implementation soon in any of forthcoming installer." : May 22, 2019
mitre assign CVE: May 27, 2019
Vendor : "New installer to be released June 13, 2019"
June 16, 2019 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
Hc10 hc.server service 10.14 remote invalid pointer write