One Identity Password Manager Kiosk Escape Privilege Escalation – Torchsec
=======================================================================
title: Kiosk Escape Privilege Escalation
product: One Identity Password Manager Secure Password Extension
vulnerable version: <5.13.1
fixed version: 5.13.1
CVE number: CVE-2023-48654
impact: critical
homepage: https://www.oneidentity.com/products/password-manager/
found: 2023-10-09
by: Stefan Schweighofer (Office Vienna)
Constantin Schieber-Knöbl (Office Vienna)
Armin Weihbold (Office Linz)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"One Identity delivers solutions that help customers strengthen operational
efficiency, reduce risk surface, control costs and enhance their
cybersecurity. Our Unified Identity Platform brings together best-in-class
software to enable organizations to shift from a fragmented identity strategy
to a holistic approach."
Source: https://www.oneidentity.com/company/
Business recommendation:
------------------------
The vendor provides a patch version 5.13.1 which should be installed immediately.
SEC Consult highly recommends to perform a thorough security review of the
product conducted by security professionals to identify and resolve potential
further security issues.
Vulnerability overview/description:
-----------------------------------
The Password Manager Application by One Identity enables users to reset
their Active Directory passwords on the login screen of a Windows client, with
the Secure Password Extension. The Secure Password Manager Extension launches a
Chromium based browser in Kiosk mode to provide the reset functionality.
Due to application-specific functionalities the Password Manager Extension
suffers from two exploitable Kiosk Escape vulnerabilities which allow a local,
pre-authenticated attacker to escalate the privileges to SYSTEM.
1) Password Manager Kiosk Escape with Google ReCAPTCHA (CVE-2023-48654)
The Password Manager Extension uses Google ReCAPTCHA, which enables an
attacker to escape the Kiosk Mode of the browser and gain
"nt authority\system" permissions on the login screen of the targeted machine.
This is possible due to the fact that Google ReCAPTCHA links to external
websites, which open in a new browser window and enable an attacker to
navigate to other external websites.
2) Password Manager Kiosk Escape after Session Timeout
The Password Manager application provides a link to a help page of
One Identity. This link references an external site and is therefore hidden
in the Kiosk Mode browser of the Password Manager Extension. If the Password
Manager Extension website is loaded after an active session expires the
link to the external One Identity websites gets shown. This enables an
attacker to escape the Kiosk Mode of the browser and gain
"nt authority\system" permissions on the login screen of the targeted machine.
Proof of concept:
-----------------
1) Password Manager Kiosk Escape with Google ReCAPTCHA (CVE-2023-48654)
An attacker requires access to a locked machine, where the Password Manger
Extension is installed, either via physical (pre-auth) or remote (RDP) access.
From the login screen the Password Manger Extension Kiosk mode browser can
be launched.
Since Google ReCAPTCHA is used on the Password Manger website the Google
ReCAPTCHA icon is also shown on the website and provides a link to an
external website via the "Privacy" button of the Google ReCAPTCHA field.
2) Password Manager Kiosk Escape after Session Timeout
An attacker requires access to a username to login to either the Password Manager
website or a logged in user, which leaves the session open until the session
expires. Since the Password Manager uses Active Directory credentials, the
username from the Windows login screen can be used to log into the website.
For this attack the session of a logged-in user has to expire.
After the session expiration the Password Manager website gets reloaded and displays
a help icon that is usually hidden. The help icon links to the external
One Identity website., from witch it is possible to navigate to the Google Search
website using the Sign In option of the One Identity website. The Sign In page
has the option to login with a Facebook account and information about cookies
is displayed on this page, which links to a Google Chrome website.
For both vulnerability 1 and 2, an attacker can use the Google Search website and
trigger the "search by image" feature. This "search by image" feature can be used
to trigger an upload, which then opens a file explorer window for file selection.
The file explorer window makes it possible to input "cmd" in the path field
of the file explorer to open a command prompt. The created command prompt
is executed with highest "nt authority\system" permissions.
Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the latest version available
at the time of the test:
* 5.13
It is assumed that all previous versions are affected as well.
Vendor contact timeline:
------------------------
2023-11-06: Contacting vendor through vendor security contact form
https://support.oneidentity.com/de-de/essentials/reporting-security-vulnerability
2023-11-07: Vendor is able to reproduce both escapes, internal discussion with
product team needed.
2023-11-14: Vendor notifies us that the product team fixed the vulnerabilities
and will release an update soon. Asking for CVE numbers.
2023-11-15: Vendor will not assign CVE numbers, we are going to request them.
Patch release scheduled for 17th or the week after.
2023-11-17: Receiving one CVE number from MITRE, asking about the second one;
No response.
2023-11-20: Asking for status update as no patch was released on 17th.
2023-11-21: Patch was postponed to 1st December, setting our release date to
6th December.
2023-12-01: Vendor releases fixed version v5.13.1.
2023-12-06: Coordinated release of security advisory.
Solution:
---------
The vendor provides a patch which can be downloaded from
https://support.oneidentity.com/password-manager/5.13.1
The release notes of the vendor can be found here:
https://support.oneidentity.com/technical-documents/password-manager/5.13.1/release-notes/
Workaround:
-----------
None
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF S. Schweighofer, C. Schieber-Knöbl, A. Weihbold / @2023
Gloss