Sense of Security – Security Advisory – SOS-18-003 – Inteset Secure Lockdown Standard Edition – Privilege Escalation and Insecure Cryptographic Storage.

Sense of Security – Security Advisory – SOS-18-003

Release Date. 25-Oct-2018
Last Update.
Vendor Notification Date. 23-Feb-2018
Product. Inteset Secure Lockdown Standard Edition
Platform. Tested on Microsoft Windows 7, 8.1 and 10
Affected versions. Tested versions v2.00.160 -> v2.00.196
Severity Rating. High
Impact. Privilege escalation, Security bypass
Attack Vector. From local system
Solution Status. Currently no solution
CVE reference. CVE – Not yet assigned

Details

The Inteset Secure Lockdown desktop application allows the use of the deprecated SHA-1 hash function to store the Inteset administrator’s password in the Windows registry. The hash can be found at the following registry location:

HKEY_CURRENT_USER\Software\Inteset\SecureLockdown_v2\Password

By design, the above key can be read and written by the logged-in user. An attacker can therefore view or edit the registry while the application is running and replace the stored hash with a self-generated hash of a plain-text value they know. More recent versions of the application use a stronger PKCS1 RSA function to store the password, though the stored value is still susceptible to being replaced with an attacker-known value to escalate permissions.

Once the hash has been replaced, the user can open Inteset using the ‘alt + shift + s’ key combination and enter the newly configured password to take control of the locked-down system.

Please refer to the PDF version of this advisory for proof-of-concept code examples.
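With no vendor fix available, the registry location above can at least be audited. The following PowerShell is an added example, not the advisory's proof of concept or vendor code: it lists which identities may modify the key and fingerprints the stored credential so a replacement shows up as a baseline mismatch. It assumes `Password` is a value under the `SecureLockdown_v2` key and that the script runs in the locked-down user's session; the function names and the `$ExpectedFingerprint` parameter are hypothetical.

```powershell
# Added example, not the advisory's code. Run in the locked-down user's session.
# Assumption: "Password" is a value under the SecureLockdown_v2 key.
param(
    [string]$KeyPath   = 'HKCU:\Software\Inteset\SecureLockdown_v2',
    [string]$ValueName = 'Password',
    # Hypothetical parameter: fingerprint recorded at provisioning, kept off-box.
    [string]$ExpectedFingerprint
)

function Get-WritableIdentity {
    param([string]$Path)
    # Rights that allow replacing the stored value or re-permissioning the key.
    $write = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $write) } |
        ForEach-Object { "$($_.IdentityReference) [$($_.RegistryRights)]" }
}

function Get-ValueFingerprint {
    param([string]$Path, [string]$Name)
    $raw = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    # Fingerprint the stored verifier so logs never carry the value itself.
    [byte[]]$bytes = if ($raw -is [byte[]]) { $raw } else { [Text.Encoding]::UTF8.GetBytes([string]$raw) }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { -join ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) }
    finally { $sha.Dispose() }
}

$fingerprint = Get-ValueFingerprint -Path $KeyPath -Name $ValueName
$report = [pscustomobject]@{
    Time        = (Get-Date).ToString('o')
    KeyPath     = $KeyPath
    WritableBy  = @(Get-WritableIdentity -Path $KeyPath) -join '; '
    Fingerprint = $fingerprint
    # $null when no baseline was supplied, otherwise True/False.
    MatchesBaseline = if ($ExpectedFingerprint) { $fingerprint -eq $ExpectedFingerprint } else { $null }
}
$report
if ($report.MatchesBaseline -eq $false) {
    Write-Warning "Stored administrator credential under $KeyPath differs from the provisioning baseline."
}
```

Since the advisory states the key is user-writable by design, expect the current user to appear in `WritableBy`; the baseline comparison is what surfaces a replaced value, and it will also fire after a legitimate administrator password change.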

Solution

No vendor supplied solution has been offered.

Discovered By

Nathaniel Carew from Sense of Security Labs.