HP ThinPro - Information disclosure  
* CVE-2019-16285  
CVSSv3 score  
6.1 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)  
HP  
Deliver secure desktop virtualization that’s as comfortable for IT as it is  
for end users with the stunningly redesigned HP ThinPro. It has a bold new  
user interface and workflow refinements that make it a breeze to configure,  
manage, and use right out of the box.  
Affected versions  
- HP ThinPro Linux 7.1  
- HP ThinPro Linux 7.0  
- HP ThinPro Linux 6.2.1  
- HP ThinPro Linux 6.2  
Eldar Marcussen - xen1thLabs - Software Labs  
Vulnerability summary  
If the thin client is configured with `local user must login` then an  
unauthenticated attacker with physical access to the thin client can  
extract sensitive information onto a USB drive. This information could then  
lead to the attacker gaining administrative access to this device and  
others on the network.  
Technical details  
An attacker can use the `generate diagnostic` feature under the `system  
logs` tab of the `system information` window to generate a tarball  
containing sensitive files, such as the `/root` directory including  
`.bash_history`, the `registry.xml` file from `/writeable/tmp` and  
`shadow-` from `/etc`. These files can be found under their relative paths  
under the `files/` directory in the generated `Diagnostic.tgz`.  
Proof of concept  
The following evidence is provided to illustrate the existence and  
1. Insert USB drive  
2. At the login screen press the wrench icon on the login window  
3. Press the `i` icon  
4. Select the `System Logs` tab  
5. Select `Trace` in the dropdown for the Debug level  
6. Click the `Diagnostic` button to generate the `Diagnostic.tgz` file  
7. Save file to drive  
8. On a different computer extract the file  
9. Observe the presence and content of the following files:  
* `files/etc/shadow-`  
* `files/writeable/tmp/registry.xml`  
* `files/root/.bash_history`  
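As an added example (not part of the advisory or of HP's software), the following Python script audits a `Diagnostic.tgz` for the three paths listed above, so an administrator can confirm that a bundle produced after patching no longer carries them. The tarball it inspects is constructed in memory with placeholder contents; the function and sample data are assumptions for illustration.

```python
import io
import tarfile

# Paths the advisory reports inside Diagnostic.tgz (relative to the archive root).
SENSITIVE_PATHS = {
    "files/etc/shadow-",
    "files/writeable/tmp/registry.xml",
    "files/root/.bash_history",
}


def find_sensitive_members(tgz_bytes: bytes) -> list:
    """Return the advisory-listed sensitive paths present in a Diagnostic.tgz.

    Member names are normalised (a leading './' is stripped) so that both
    'files/etc/shadow-' and './files/etc/shadow-' are recognised.
    """
    found = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            name = member.name[2:] if member.name.startswith("./") else member.name
            if member.isfile() and name in SENSITIVE_PATHS:
                found.append(name)
    return sorted(found)


def build_sample_bundle(include_sensitive: bool) -> bytes:
    """Construct a small in-memory tarball (constructed sample data, not a real dump)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        entries = {"files/var/log/messages": b"constructed log line\n"}
        if include_sensitive:
            entries["./files/etc/shadow-"] = b"root:$6$placeholder:18000:0:99999:7:::\n"
            entries["files/root/.bash_history"] = b"ls\n"
        for path, data in entries.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Run against a real bundle by replacing the sample with open(path, "rb").read().
    leaked = find_sensitive_members(build_sample_bundle(include_sensitive=True))
    print("sensitive entries:", leaked or "none")
```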
Contact vendor for a solution  
Date | Status  
--- | ---  
19-AUG-2019 | Reported to vendor  
22-NOV-2019 | Patch available  
24-MAR-2020 | Public disclosure