HP ThinPro 6.x / 7.x Information Disclosure

HP ThinPro versions 7.1, 7.0, 6.2.1, and 6.2 suffer from a local physical access information disclosure vulnerability.

MD5 | 255ed9d1368d7aa40e9fa99b81e489f7

HP ThinPro - Information disclosure

* CVE-2019-16285

CVSSv3 score
6.1 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

HP - [https://www.hp.com](https://www.hp.com)

Deliver secure desktop virtualization that’s as comfortable for IT as it is
for end users with the stunningly redesigned HP ThinPro. It has a bold new
user interface and workflow refinements that make it a breeze to configure,
manage, and use right out of the box.

Affected versions
- HP ThinPro Linux 7.1
- HP ThinPro Linux 7.0
- HP ThinPro Linux 6.2.1
- HP ThinPro Linux 6.2

Eldar Marcussen - xen1thLabs - Software Labs

Vulnerability summary
If the thin client is configured with `local user must login` then an
unauthenticated attacker with physical access to the thin client can
extract sensitive information onto a USB drive. This information could then
lead to the attacker gaining administrative access to this device and
others on the network.

Technical details
An attacker can use the `generate diagnostic` feature under the `system
logs` tab of the `system information` window to generate a tar ball of
sensitive files, such as the `/root` directory including `.bash_history`,
the `registry.xml` file from `/writeable/tmp` and `shadow-` from `/etc`.
These files can be found under their relative paths under the `files/`
directory in the generated `Diagnostic.tgz`.

Proof of concept
The following evidence is provided to illustrate the existence and

1. Insert USB drive
2. At the login screen press the wrench icon on the login window
3. Press the `i` icon
4. Select the `System Logs` tab
5. Select `Trace` in the dropdown for the Debug level
6. Click the `Diagnostic` button to generate the `Diagnostic.tgz` file
7. Save file to drive
8. On a different computer extract the file
9. Observe the presence and content of the following files:
   * `files/etc/shadow-`
   * `files/writeable/tmp/registry.xml`
   * `files/root/.bash_history`
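As an added example that is not part of the original advisory, the following Python check inspects a `Diagnostic.tgz` for the three paths listed above, so an operator can confirm whether an archive produced by a thin client still carries credential or configuration material before it is stored or handed to support. The sample archive is constructed inline and is not a real HP diagnostic bundle.

```python
import io
import tarfile

# Paths the advisory reports inside Diagnostic.tgz (relative to the archive root).
SENSITIVE_PATHS = (
    "files/etc/shadow-",
    "files/writeable/tmp/registry.xml",
    "files/root/.bash_history",
)


def _normalise(name: str) -> str:
    # tar members are often stored as "./files/..."; compare without the "./" prefix.
    return name[2:] if name.startswith("./") else name


def find_sensitive_entries(tgz_bytes: bytes) -> list:
    """Return the sensitive paths present in a gzip'd tar, in archive order."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile() and _normalise(member.name) in SENSITIVE_PATHS:
                found.append(_normalise(member.name))
    return found


def build_sample_archive(include_sensitive: bool = True) -> bytes:
    """Constructed stand-in for a Diagnostic.tgz (not a real HP archive)."""
    entries = [("./files/etc/hostname", b"thinclient\n")]
    if include_sensitive:
        entries += [
            ("./files/etc/shadow-", b"root:$6$placeholder$hash:18000:0:99999:7:::\n"),
            ("./files/writeable/tmp/registry.xml", b"<registry/>\n"),
            ("./files/root/.bash_history", b"ls\n"),
        ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in entries:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    print("sensitive entries:", find_sensitive_entries(build_sample_archive()))
```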

Contact vendor for a solution

Date | Status
--- | ---
19-AUG-2019 | Reported to vendor
22-NOV-2019 | Patch available
24-MAR-2020 | Public disclosure
