25 Oct Security Advisory – SOS-18-003 – Inteset Secure Lockdown
Inteset Secure Lockdown Standard Edition – Privilege Escalation and Insecure Cryptographic Storage.
Release Date: 25-Oct-2018
Last Update: –
Vendor Notification Date: 23-Feb-2018
Product: Inteset Secure Lockdown Standard Edition
Platform: Tested on Microsoft Windows 7, 8.1 and 10
Affected versions: Tested versions v2.00.160 -> v2.00.196
Severity Rating: High
Impact: Privilege escalation , Security bypass
Attack Vector: From local system
Solution Status: Currently no solution
CVE reference: CVE – Not yet assigned
The Inteset Secure Lockdown desktop application allows the use of the deprecated SHA-1 hash function to store the Inteset administrator’s password in the Windows registry.
The hash can be found at the following registry location: HKEY_CURRENT_USER\Software\Inteset\SecureLockdown_v2\Password
The above key is configured to be read and can be written to by the logged in user by design. This allows an attacker to view or edit the registry while the application is running and replace the stored hash with a self-generated known plain-text hash value. More recent versions of the application use a stronger PKCS1 RSA function to store the password, though the stored value is still susceptible to being replaced with an attacker-known value to escalate permissions.
Once the hash has been replaced the user can open Inteset using the ‘alt + shift + s’ key combination and enter the newly configured password to take control of the locked down system.
Please refer to the PDF version of this advisory for proof of concept code examples.
No vendor supplied solution has been offered.
Nathaniel Carew from Sense of Security Labs.