This blog post describes an unquoted search path vulnerability in the Plantronics Hub software and how it can be exploited. Plantronics Hub is the client software used to configure Plantronics audio devices such as headsets, and it is therefore frequently installed as a dependency of VoIP or SIP software to ensure compatibility between the headset and the telephony application.
The post looks specifically at the vulnerability in combination with the 'OpenScape Fusion for MS Office' software, which installs Plantronics Hub as a dependency. OpenScape Fusion for MS Office is a solution that integrates unified communications features directly into Microsoft Outlook, letting users access voice over IP, video calling, instant messaging and presence status from within Microsoft Office applications.
It shows how the unquoted search path in the Plantronics Hub registration allows OpenScape Fusion to be abused to execute an arbitrary file planted in C:\, provided non-privileged users have been granted write permission on that directory. Because OpenScape Fusion is configured to start at logon, the attack also escalates privileges to local administrator as soon as an administrator logs on and the application starts.
The vulnerability was found in Plantronics Hub version 3.24.5 and is still present in the latest version, 3.25.2. Although this software is no longer officially supported and should not be used, we have found it installed on client laptops in combination with the equally obsolete OpenScape Fusion for MS Office software. HP (which owns Plantronics, now Poly) updated its End of Commercial Sale Notice to inform customers.
The following prerequisites were necessary to successfully exploit the vulnerability on Windows 10.
A security scan of a customer's laptop revealed that OpenScape Fusion for MS Office was installed together with the Plantronics Hub software. An autostart registry entry was found which ensures that OpenScape Fusion is launched automatically whenever a user logs in.
When analyzing the OpenScape Fusion startup process with Process Monitor, an unquoted path was detected. The application launches a second program, PLTHub.exe, via the path C:\Program Files (x86)\Plantronics\Spokes3G SDK\PLTHub.exe, which it obtains from the registry. The value is stored in a key named LocalServer32 and is written without quotation marks by the Plantronics Hub installer. LocalServer32 is the COM registration key that holds the full command line of a local (out-of-process) server executable; when OpenScape Fusion activates the Plantronics Hub COM server, this value is what gets executed.
If a path containing spaces is not quoted, Windows cannot tell where the executable name ends and its arguments begin. CreateProcess therefore tries each whitespace-delimited prefix in turn, appending .exe. For C:\Program Files (x86)\Plantronics\Spokes3G SDK\PLTHub.exe, the first space follows C:\Program, so the system first looks for C:\Program.exe and, if it exists, runs it with everything after C:\Program as its arguments. Only if that file does not exist does it move on to C:\Program Files.exe, then C:\Program Files (x86)\Plantronics\Spokes3G.exe, and finally the intended full path C:\Program Files (x86)\Plantronics\Spokes3G SDK\PLTHub.exe.
As the system had been configured so that all users can write to C:\, a local authenticated attacker can have an arbitrary file run in the context of any other user who logs on. This includes commands in the context of an administrative user if an administrator logs on to the system locally: because OpenScape Fusion is configured as a startup application, it automatically attempts to start the Plantronics Hub software at the administrator's logon, so C:\Program.exe runs with the administrator's account and we escalate our privileges.
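The following PowerShell script is an added example and not code from the original post or from either vendor. It turns the two observations above into an audit: Get-UnquotedPathCandidates lists the executables CreateProcess would probe before the intended one, and Find-UnquotedLocalServer32 walks every CLSID registration (native and WOW6432Node) looking for unquoted LocalServer32 values whose candidate directories the current user can actually create a file in. It goes beyond the single Plantronics key in the post and checks every COM local server on the machine; the write probe creates and deletes a zero-byte file, which is an assumption about what "writable" should mean here.

```powershell
# Added example, not part of the original post: audit COM LocalServer32 values
# for unquoted paths and report the hijack candidates a local user could plant.

function Get-UnquotedPathCandidates {
    # Returns the "shadow" executables CreateProcess tries before the real one.
    # For "C:\Program Files (x86)\Plantronics\Spokes3G SDK\PLTHub.exe" this is
    #   C:\Program.exe
    #   C:\Program Files.exe
    #   C:\Program Files (x86)\Plantronics\Spokes3G.exe
    param([Parameter(Mandatory)][string]$CommandLine)
    $tokens = $CommandLine.Trim() -split '\s+'
    # Stop at the token that ends the real executable; anything after it is
    # arguments (COM itself appends "-Embedding") and not a hijack opportunity.
    $exeIndex = $tokens.Count - 1
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        if ($tokens[$i] -match '\.exe$') { $exeIndex = $i; break }
    }
    for ($i = 1; $i -le $exeIndex; $i++) {
        ($tokens[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Test-DirectoryWritable {
    # Creates and removes a zero-byte probe file. Testing file creation is the
    # right check: by default standard users may create folders directly in C:\
    # but not files, so a default C:\ reports $false here.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path -Path $Path -ChildPath ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedLocalServer32 {
    # HKCR has no PS drive by default, hence the Registry:: provider prefix.
    $roots = @('Registry::HKEY_CLASSES_ROOT\CLSID',
               'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID')
    foreach ($root in $roots) {
        foreach ($clsid in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $keyPath = "$($clsid.PSPath)\LocalServer32"
            if (-not (Test-Path -LiteralPath $keyPath)) { continue }
            $raw = (Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            # A value that starts with a quote is parsed up to the closing quote and is safe.
            if ($raw.StartsWith('"')) { continue }
            foreach ($candidate in @(Get-UnquotedPathCandidates -CommandLine $raw)) {
                [pscustomobject]@{
                    Key       = $keyPath -replace '^.*Registry::', ''
                    Value     = $raw
                    Candidate = $candidate
                    Exists    = Test-Path -LiteralPath $candidate
                    Writable  = Test-DirectoryWritable -Path (Split-Path -Path $candidate -Parent)
                }
            }
        }
    }
}

# The post's vulnerable value yields three candidates, the first of them in C:\.
Get-UnquotedPathCandidates -CommandLine 'C:\Program Files (x86)\Plantronics\Spokes3G SDK\PLTHub.exe'

# Report only candidates that do not exist yet and whose directory the current
# user can write to, i.e. the ones an attacker could actually plant.
Find-UnquotedLocalServer32 | Where-Object { $_.Writable -and -not $_.Exists } |
    Format-Table Key, Candidate -AutoSize
```

Run it as the low-privileged user whose access you want to assess, because the write probe reflects that user's effective permissions. A hit on C:\Program.exe with Writable = True is exactly the precondition described above; hits deeper in Program Files normally require an installer to have loosened the folder ACL.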
In Process Monitor, the event with the executed path looks like this:
Even when an administrator is logged on, processes started in their session run by default with a filtered, medium-integrity token; to obtain full administrative rights a process has to be elevated through User Account Control (UAC). UAC is the Windows feature that prevents a process from elevating its privileges without consent: it displays a prompt that the user must confirm before the process is allowed to run elevated. Our payload is launched in the administrator's logon session by OpenScape Fusion, so it starts with that filtered token and has to get past the prompt on its own.
To bypass this feature, we use the UAC bypass akagi from hfiref0x's GitHub repository UACme.
A total of three files in the C:\ root directory were required to exploit the vulnerability: Program.exe, aka.exe and ape.exe.lnk. We go through them one by one to show how they achieve successful execution.
Program.exe is a small self-written compiled C++ program whose only job is to call the UAC bypass aka.exe (akagi64). Astute readers may wonder why aka.exe is not simply renamed to Program.exe. The reason is that the UAC bypass needs additional parameters, but the arguments Program.exe receives are fixed: they are whatever follows the first space in the unquoted path, i.e. Files (x86)\Plantronics\Spokes3G SDK\PLTHub.exe, and we have no control over them. Program.exe therefore acts as a launcher that supplies the right parameters. In this case it executes the following command:
C:\aka.exe 41 C:\ape.exe.lnk
aka.exe implements the UAC bypass and is executed via Program.exe, as described above, as soon as another user logs in: OpenScape Fusion starts automatically and attempts to launch the Plantronics Hub software. The number 41 in the command selects the method used for the UAC bypass on Windows (Type: Elevated COM interface, Method: ICMLuaUtil). It is followed by the program to run with administrative rights.
In this case that is ape.exe.lnk, a shortcut to powershell.exe. Other payloads can be configured simply by changing the shortcut's "Target" field. For demonstration purposes the following command was used, which writes the current user's identity and group memberships to a file:
powershell.exe -c "whoami /all > C:\poc.txt"
Once the three files have been placed in the C:\ directory, the vulnerability is triggered the next time a user logs on to the system. In this case an administrator logs on. After the automatic start of OpenScape Fusion, Process Monitor confirmed that the file C:\Program.exe was searched for and found.
A new process was then started to run the executable. Process Monitor also shows that the path is not quoted, so the target path ends after the first space, resulting in the path "C:\Program.exe".
Since Program.exe simply runs "C:\aka.exe 41 C:\ape.exe.lnk", the execution of the UAC bypass aka.exe is visible in the next step.
The command line passed by Program.exe can also be seen in the Command Line column of the now-running aka.exe process, which initiates the UAC bypass to run the PowerShell shortcut with the configured payload.
If the UAC bypass is successful, a PowerShell window with administrative privileges appears briefly: the UAC bypass runs the PowerShell shortcut ape.exe.lnk with the configured parameters as payload.
Process Monitor also confirms that the payload was executed successfully. The integrity level of the process is High, and the WriteFile operations that write the output of the whoami command to C:\poc.txt are visible.
The poc.txt has been created in the C:\ directory after execution.
The contents of the file show that we were able to get a logged-on administrator to run our payload with their privileges: the user is a member of the Administrators group. We thus executed code in the context of an administrator by combining the unquoted search path vulnerability in the Plantronics Hub with the OpenScape application configured for startup.
Note that applications often install other applications as dependencies, and the paths to these dependencies may be stored in registry values without quotation marks. As this post shows, in real-world environments this can lead to privilege escalation. Even if the software that wrote the value never triggers the vulnerability itself, another piece of software might, in this case by reading the LocalServer32 key to obtain the path to the local server application.
This is a well-known class of weakness, and there is a dedicated CWE entry for it:
Microsoft documentation also states that these paths should be enclosed in quotation marks to avoid security vulnerabilities.
Unfortunately, no update addressing the Plantronics Hub vulnerability is available, as the software is no longer supported. The following steps are recommended to mitigate the vulnerability and to reduce exposure to this class of vulnerability in general:
To fully fix the vulnerability on the OpenScape Fusion and Plantronics Hub side, the registry value holding the path to PLTHub.exe must be enclosed in quotation marks.
To do this, wrap the string value named "(Default)" under "HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{750B4A16-1338-4DB0-85BB-C6C89E4CB9AC}\LocalServer32" in quotation marks.
The entry should look like this:
"C:\Program Files (x86)\Plantronics\Spokes3G SDK\PLTHub.exe"
In newer versions the software is installed to C:\Program Files (x86)\Plantronics\Spokes3GSDK\PLTHub.exe instead of C:\Program Files (x86)\Plantronics\Spokes3G SDK\PLTHub.exe (no space in the Spokes3GSDK folder name). Note that this does not remove the problem: "Program Files" still contains a space, so C:\Program.exe remains a candidate.
In that case the path to be enclosed in quotation marks is:
"C:\Program Files (x86)\Plantronics\Spokes3GSDK\PLTHub.exe"
Ensure that only administrators and system accounts can write files to the C:\ root directory, as is the default. Any write permission on the C:\ directory granted to non-privileged accounts should be removed.
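As an added example (not a script from the post or from HP or Unify), the following PowerShell performs both recommended steps from an elevated prompt: it quotes the PLTHub.exe path in the LocalServer32 value for the CLSID named above, for whichever of the two install paths is present, and then lists any ACE on C:\ that lets a principal other than SYSTEM, Administrators, TrustedInstaller or CREATOR OWNER create files directly in the root. The CLSID and paths are taken from the post; that the same CLSID might also be registered outside WOW6432Node is an assumption, and that key is only touched if it exists.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell;
# writing to HKCR keys backed by HKLM requires administrative rights.

function Repair-UnquotedLocalServer32 {
    # Quotes only the executable part of an unquoted LocalServer32 value and
    # leaves any trailing arguments untouched. Refuses to guess when the value
    # has no .exe or the executable is missing on disk.
    param([Parameter(Mandatory)][string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return "skip:  $KeyPath not present" }
    $raw = (Get-ItemProperty -LiteralPath $KeyPath).'(default)'
    if ([string]::IsNullOrWhiteSpace($raw)) { return "skip:  $KeyPath has no (Default) value" }
    if ($raw.StartsWith('"')) { return "ok:    $KeyPath already quoted" }
    $end = $raw.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($end -lt 0) { return "skip:  no .exe in '$raw', not guessing" }
    $exePath  = $raw.Substring(0, $end + 4)
    $trailing = $raw.Substring($end + 4)
    if (-not (Test-Path -LiteralPath $exePath -PathType Leaf)) {
        return "skip:  $exePath not found on disk, leaving $KeyPath unchanged"
    }
    $fixed = '"' + $exePath + '"' + $trailing
    Set-ItemProperty -LiteralPath $KeyPath -Name '(default)' -Value $fixed
    return "fixed: $raw -> $fixed"
}

function Get-NonAdminWriteAccess {
    # Lists Allow ACEs on $Path that let a non-trusted principal create files
    # *directly in* $Path. On a default C:\ this returns nothing: Authenticated
    # Users only hold Modify on "Subfolders and files" (InheritOnly) and
    # "Create folders" on the root itself, neither of which plants Program.exe.
    param([string]$Path = 'C:\')
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                 'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
    $createFiles  = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles  # 0x1, same bit as WriteData
    $genericWrite = 0x40000000   # GENERIC_WRITE, shown by Get-Acl as a raw number
    $genericAll   = 0x10000000   # GENERIC_ALL
    $inheritOnly  = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trusted -notcontains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band ($createFiles -bor $genericWrite -bor $genericAll)) -ne 0 -and
        (([int]$_.PropagationFlags) -band $inheritOnly) -eq 0
    }
}

$clsid = '{750B4A16-1338-4DB0-85BB-C6C89E4CB9AC}'
foreach ($hive in 'HKEY_CLASSES_ROOT\WOW6432Node\CLSID', 'HKEY_CLASSES_ROOT\CLSID') {
    Repair-UnquotedLocalServer32 -KeyPath "Registry::$hive\$clsid\LocalServer32"
}

# Anything printed here is an ACE to review and remove from the C:\ root.
Get-NonAdminWriteAccess -Path 'C:\' |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Any ACE the second function reports should be removed from the root directory (via the folder's Security tab or icacls) rather than from subfolders, since it is file creation in C:\ itself that enables the C:\Program.exe hijack. Re-run the script after any reinstall of Plantronics Hub, because its installer writes the value unquoted again.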
Cheers
Marcel
13.01.2025 - Contacted HP PSRT and received immediate response, sharing of PoC
13.01.2025 - HP responded with End of Life of Plantronics Hub
14.01.2025 - Asked for notice to customers due to usage
04.02.2025 - HP PSRT responded and updated End of Commercial Sale Notice
05.02.2025 - 8com adjusted disclosure timeline due to no fix
03.03.2025 - 8com provided a draft for this blog post
12.03.2025 - HP approves this blog post
14.03.2025 - Date of disclosure
Header image (c): AI generated with Midjourney