Inteset Secure Lockdown Standard Edition – Privilege Escalation and Insecure Cryptographic Storage.

Release Date: 25-Oct-2018

Last Update: –

Vendor Notification Date: 23-Feb-2018

Product: Inteset Secure Lockdown Standard Edition

Platform: Tested on Microsoft Windows 7, 8.1 and 10

Affected versions: Tested versions v2.00.160 -> v2.00.196

Severity Rating: High

Impact: Privilege escalation , Security bypass

Attack Vector: From local system

Solution Status: Currently no solution

CVE reference: CVE – Not yet assigned

Details

The Inteset Secure Lockdown desktop application allows the use of the deprecated SHA-1 hash function to store the Inteset administrator’s password in the Windows registry.

The hash can be found at the following registry location: HKEY_CURRENT_USER\Software\Inteset\SecureLockdown_v2\Password

The above key is configured to be read and can be written to by the logged in user by design. This allows an attacker to view or edit the registry while the application is running and replace the stored hash with a self-generated known plain-text hash value. More recent versions of the application use a stronger PKCS1 RSA function to store the password, though the stored value is still susceptible to being replaced with an attacker-known value to escalate permissions.

Once the hash has been replaced the user can open Inteset using the ‘alt + shift + s’ key combination and enter the newly configured password to take control of the locked down system.

Please refer to the PDF version of this advisory  for proof of concept code examples.

Solution

No vendor supplied solution has been offered.

Discovered By

Nathaniel Carew from Sense of Security Labs.