https://sploitus.com/exploit?id=PACKETSTORM:176203
SEC Consult Vulnerability Lab Security Advisory < 20231206-0 >  
=======================================================================  
title: Kiosk Escape Privilege Escalation  
product: One Identity Password Manager Secure Password Extension  
vulnerable version: <5.13.1  
fixed version: 5.13.1  
CVE number: CVE-2023-48654  
impact: critical  
homepage: https://www.oneidentity.com/products/password-manager/  
found: 2023-10-09  
by: Stefan Schweighofer (Office Vienna)  
Constantin Schieber-Knöbl (Office Vienna)  
Armin Weihbold (Office Linz)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"One Identity delivers solutions that help customers strengthen operational  
efficiency, reduce risk surface, control costs and enhance their  
cybersecurity. Our Unified Identity Platform brings together best-in-class  
software to enable organizations to shift from a fragmented identity strategy  
to a holistic approach."  
  
Source: https://www.oneidentity.com/company/  
  
  
Business recommendation:  
------------------------  
The vendor provides a patch version 5.13.1 which should be installed immediately.  
  
SEC Consult highly recommends performing a thorough security review of the
product, conducted by security professionals, to identify and resolve potential
further security issues.
  
  
Vulnerability overview/description:  
-----------------------------------  
The Password Manager Application by One Identity enables users to reset  
their Active Directory passwords on the login screen of a Windows client, with  
the Secure Password Extension. The Secure Password Manager Extension launches a  
Chromium based browser in Kiosk mode to provide the reset functionality.  
  
Due to application-specific functionality, the Password Manager Extension
suffers from two exploitable Kiosk Escape vulnerabilities which allow a local,
pre-authenticated attacker to escalate privileges to SYSTEM.
  
  
1) Password Manager Kiosk Escape with Google ReCAPTCHA (CVE-2023-48654)  
The Password Manager Extension uses Google ReCAPTCHA, which enables an  
attacker to escape the Kiosk Mode of the browser and gain  
"nt authority\system" permissions on the login screen of the targeted machine.  
This is possible due to the fact that Google ReCAPTCHA links to external  
websites, which open in a new browser window and enable an attacker to  
navigate to other external websites.  
  
2) Password Manager Kiosk Escape after Session Timeout
The Password Manager application provides a link to a help page of
One Identity. This link references an external site and is therefore hidden
in the Kiosk Mode browser of the Password Manager Extension. If the Password
Manager Extension website is loaded after an active session expires, the
link to the external One Identity website is shown. This enables an
attacker to escape the Kiosk Mode of the browser and gain
"nt authority\system" permissions on the login screen of the targeted machine.
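Both issues above come down to the same control failure: the kiosk page contains navigable links to origins other than the password manager itself, and in the second case the link is merely hidden by the page rather than absent. The following Python audit is an added example, not part of the SEC Consult advisory and not One Identity's code; it parses a page's HTML and reports every link, frame or form target that leaves an assumed kiosk origin, and it flags links that are present but hidden by CSS, since hiding is not a security boundary. The HTML and the origin `pwm.example.internal` are constructed for the example.

```python
"""Audit a kiosk page for navigable targets outside the kiosk origin.

Added example (not from the advisory or the vendor). It illustrates the
defensive check a kiosk deployment needs: every <a href>, <iframe src> and
<form action> pointing at another origin is a potential kiosk escape, whether
the element is visible or only hidden by CSS.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed kiosk origin (placeholder, not a real deployment value).
KIOSK_ORIGIN = "https://pwm.example.internal"

# Constructed sample page modelled on the two situations described in the
# advisory: a reCAPTCHA "Privacy" link and a help icon hidden by CSS.
SAMPLE_HTML = """
<a href="/reset">Reset password</a>
<a href="https://www.google.com/intl/en/policies/privacy/">Privacy</a>
<a href="https://www.oneidentity.com/support" style="display: none">Help</a>
<a href="javascript:void(0)">Toggle</a>
<a href="mailto:help@example.internal">Mail</a>
"""


class LinkCollector(HTMLParser):
    """Collect (tag, url, hidden) for every element that can navigate."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = None
        if tag == "a":
            url = a.get("href")
        elif tag == "iframe":
            url = a.get("src")
        elif tag == "form":
            url = a.get("action")
        if not url:
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        # A CSS-hidden or 'hidden'-attributed element still navigates once it
        # is shown, exactly the failure mode of the session-timeout issue.
        hidden = "display:none" in style or "hidden" in a
        self.links.append((tag, url, hidden))


def external_links(html, kiosk_origin=KIOSK_ORIGIN):
    """Return findings for every http(s) target outside kiosk_origin."""
    base = urlparse(kiosk_origin)
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for tag, url, hidden in parser.links:
        absolute = urljoin(kiosk_origin, url)  # resolve relative paths
        target = urlparse(absolute)
        if target.scheme not in ("http", "https"):
            continue  # javascript:, mailto: etc. do not navigate to a site
        if target.netloc.lower() != base.netloc.lower():
            findings.append({"tag": tag, "url": absolute, "hidden_by_css": hidden})
    return findings


if __name__ == "__main__":
    for f in external_links(SAMPLE_HTML):
        state = "HIDDEN" if f["hidden_by_css"] else "visible"
        print(f"{state:8} <{f['tag']}> {f['url']}")
```

Run against the sample page the audit reports two external targets: the visible reCAPTCHA privacy link and the CSS-hidden help link. A kiosk page that passes this check has no off-origin navigation at all, which is the property the advisory shows both vulnerable paths lacked.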
  
  
Proof of concept:  
-----------------  
1) Password Manager Kiosk Escape with Google ReCAPTCHA (CVE-2023-48654)  
An attacker requires access to a locked machine, where the Password Manager
Extension is installed, either via physical (pre-auth) or remote (RDP) access.
From the login screen the Password Manager Extension Kiosk mode browser can
be launched.

Since Google ReCAPTCHA is used on the Password Manager website, the Google
ReCAPTCHA icon is also shown on the website and provides a link to an
external website via the "Privacy" button of the Google ReCAPTCHA field.
  
  
2) Password Manager Kiosk Escape after Session Timeout  
An attacker requires either a username to log in to the Password Manager
website, or an already logged-in user who leaves the session open until it
expires. Since the Password Manager uses Active Directory credentials, the
username from the Windows login screen can be used to log in to the website.
For this attack the session of a logged-in user has to expire.

After the session expiration the Password Manager website is reloaded and displays
a help icon that is usually hidden. The help icon links to the external
One Identity website, from which it is possible to navigate to the Google Search
website using the Sign In option of the One Identity website. The Sign In page
offers login with a Facebook account and displays information about cookies,
which links to a Google Chrome website.
  
  
For both vulnerability 1 and 2, an attacker can use the Google Search website and  
trigger the "search by image" feature. This "search by image" feature can be used  
to trigger an upload, which then opens a file explorer window for file selection.  
  
The file explorer window makes it possible to input "cmd" in the path field
of the file explorer to open a command prompt. The created command prompt
runs with "nt authority\system" permissions, the highest available.
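The end state of both chains is the same observable: a shell started under NT AUTHORITY\SYSTEM whose parent process is the kiosk browser. That parent/child relationship is what a detection should key on, rather than the individual websites used along the way. The following Python detection is an added example, not part of the advisory; it runs over constructed process-creation records modelled loosely on Sysmon Event ID 1 fields (Image, ParentImage, User) and flags shells or Explorer instances spawned by a browser process as SYSTEM. The browser executable names are an assumption about a deployment, since the advisory names only "a Chromium based browser".

```python
"""Flag SYSTEM-level shells whose parent is a browser process.

Added example (not from the advisory). The log lines are constructed and only
imitate the key=value layout of Sysmon process-creation events; field names
Image, ParentImage and User are the real Sysmon field names, the values are
made up. The browser executable set is an assumption for the example.
"""
import re

# Processes that give an interactive foothold when started from a kiosk.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
# Assumed names of the Chromium-based kiosk browser (deployment-specific).
BROWSERS = {"chrome.exe", "msedge.exe", "chromium.exe", "msedgewebview2.exe"}
SYSTEM_USER = r"nt authority\system"

# Constructed sample events: two benign, two matching the escape pattern.
SAMPLE_EVENTS = [
    r"UtcTime=2023-10-09 08:01:12 Image=C:\Windows\System32\svchost.exe "
    r"ParentImage=C:\Windows\System32\services.exe User=NT AUTHORITY\SYSTEM",
    r"UtcTime=2023-10-09 08:02:40 Image=C:\Program Files\Google\Chrome\Application\chrome.exe "
    r"ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe User=NT AUTHORITY\SYSTEM",
    r"UtcTime=2023-10-09 08:03:05 Image=C:\Windows\System32\cmd.exe "
    r"ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe User=NT AUTHORITY\SYSTEM",
    r"UtcTime=2023-10-09 08:05:19 Image=C:\Windows\System32\cmd.exe "
    r"ParentImage=C:\Windows\explorer.exe User=CORP\alice",
    r"UtcTime=2023-10-09 08:06:44 Image=C:\Windows\explorer.exe "
    r"ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe User=NT AUTHORITY\SYSTEM",
]

# key=value pairs where a value runs until the next " key=" or end of line,
# so values containing spaces (timestamps, "Program Files") parse correctly.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Parse one constructed key=value event line into a dict."""
    return dict(_FIELD.findall(line))


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_kiosk_escape(event):
    """True when a shell/Explorer runs as SYSTEM with a browser as parent."""
    return (
        basename(event.get("Image", "")) in SHELLS
        and basename(event.get("ParentImage", "")) in BROWSERS
        and event.get("User", "").lower() == SYSTEM_USER
    )


def find_escapes(lines):
    """Return the parsed events that match the kiosk-escape pattern."""
    return [ev for ev in map(parse_event, lines) if is_kiosk_escape(ev)]


if __name__ == "__main__":
    for ev in find_escapes(SAMPLE_EVENTS):
        print(f"{ev['UtcTime']} {ev['Image']} <- {ev['ParentImage']} ({ev['User']})")
```

On the sample data the two browser-spawned SYSTEM processes (cmd.exe and explorer.exe) are reported, while the svchost.exe, the browser's own child process and the user-level cmd.exe are not. In a real deployment the browser set and the SYSTEM-only filter should be tuned to the kiosk configuration, since a kiosk browser that runs under a dedicated service account would need that account name instead of SYSTEM.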
  
  
Vulnerable / tested versions:  
-----------------------------  
The following version has been tested, which was the latest version available
at the time of the test:
* 5.13  
  
It is assumed that all previous versions are affected as well.  
  
  
Vendor contact timeline:  
------------------------  
2023-11-06: Contacting vendor through vendor security contact form  
https://support.oneidentity.com/de-de/essentials/reporting-security-vulnerability  
2023-11-07: Vendor is able to reproduce both escapes, internal discussion with  
product team needed.  
2023-11-14: Vendor notifies us that the product team fixed the vulnerabilities  
and will release an update soon. Asking for CVE numbers.  
2023-11-15: Vendor will not assign CVE numbers; we are going to request them.
Patch release scheduled for 17th or the week after.
2023-11-17: Receiving one CVE number from MITRE, asking about the second one;
no response.
2023-11-20: Asking for status update as no patch was released on 17th.  
2023-11-21: Patch was postponed to 1st December, setting our release date to  
6th December.  
2023-12-01: Vendor releases fixed version v5.13.1.  
2023-12-06: Coordinated release of security advisory.  
  
  
Solution:  
---------  
The vendor provides a patch which can be downloaded from  
https://support.oneidentity.com/password-manager/5.13.1  
  
The release notes of the vendor can be found here:  
https://support.oneidentity.com/technical-documents/password-manager/5.13.1/release-notes/  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF S. Schweighofer, C. Schieber-Knöbl, A. Weihbold / @2023