# Exploit Title: HP System Event Utility - Local Privilege Escalation
# Author: hyp3rlinx
# Vendor: www.hp.com
# Link: https://hp-system-event-utility.en.lo4d.com/download
# CVE: CVE-2019-18915
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/HP-SYSTEM-EVENT-UTILITY-LOCAL-PRIVILEGE-ESCALATION.txt
[+] ISR: ApparitionSec
HP System Event Utility
The genuine HPMSGSVC.exe file is a software component of HP System Event Utility by HP Inc.
HP System Event Utility enables the functioning of special function keys on select HP devices.
Local Privilege Escalation
The HP System Event service "HPMSGSVC.exe" will load an arbitrary EXE and execute it with SYSTEM integrity.
HPMSGSVC.exe runs a background process that delivers push notifications.
The problem is that HP Message Service will load and execute any arbitrary executable named "Program.exe"
if found in the users c:\ drive.
Path: C:\Program Files (x86)\HP\HP System Event\SmrtAdptr.exe
Two Handles are inherit, properties are Write/Read
This results in arbitrary code execution persistence mechanism if an attacker can place an EXE in this location
and can be used to escalate privileges from Admin to SYSTEM.
HP has/is released/releasing a mitigation: https://support.hp.com/us-en/document/c06559359
# 0day.today [2020-02-21] #