https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2021-34546_NetSetManPro_4.7.2_%E6%AC%8A%E9%99%90%E6%8F%90%E5%8D%87%E6%BC%8F%E6%B4%9E 2026-04-15T07:59:09Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2021-34546_NetSetManPro_4.7.2_%E6%AC%8A%E9%99%90%E6%8F%90%E5%8D%87%E6%BC%8F%E6%B4%9E&diff=4982&oldid=prev 2021-06-13T01:42:22Z

<p>Created page with &quot;&lt;pre&gt; -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Affected Products NetSetManPro 4.7.2 (other/older releases have not been tested) References https://www.secuver...&quot;</p> <p><b>New page</b></p><div>&lt;pre&gt;<br /> -----BEGIN PGP SIGNED MESSAGE-----<br /> Hash: SHA256<br /> <br /> Affected Products<br /> NetSetManPro 4.7.2 (other/older releases have not been tested)<br /> <br /> References<br /> https://www.secuvera.de/advisories/secuvera-SA-2021-01.txt (used for <br /> updates)<br /> CVE-2021-34546 <br /> (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34546)<br /> <br /> Summary:<br /> &quot;NetSetMan is a network settings manager software for easily <br /> switching between<br /> your preconfigured profiles.&quot;<br /> <br /> The save file dialogue within the action log window after switching a <br /> profile<br /> using the pre-logon profile switching (if intentionaly enabled) leads <br /> to<br /> arbitrary command execution as system authority user enabling an <br /> unauthenticated<br /> attacker to log on.<br /> <br /> Effect:<br /> An unauthenticated attacker with physical access to a computer with <br /> NetSetMan Pro<br /> 4.7.2 installed, that has the pre-logon profile switch activated (not <br /> enabled by<br /> default) as button withinthe windows logon screen, is able to drop to <br /> an admin-<br /> istrative shell and execute arbitrary commands as system user by the <br /> use of the<br /> &quot;save log to file&quot; feature within NetSetMan Pro.<br /> <br /> Example:<br /> On a client computer running Microsoft Windows 10 and NetSetMan Pro <br /> an Icon can<br /> appear on the Windows lock-screen if configured. The following steps <br /> must be per-<br /> formed in order to gain an administrative shell:<br /> 1. Boot the client system<br /> 2. Click on the NetSetMan Pro Icon.<br /> 3. Choose an user defined (empty) setting.<br /> 4. Click on the &quot;save&quot; button in the appearing Window within the <br /> &quot;Log&quot; section<br /> (save icon)<br /> 5. Click on &quot;File-Type&quot; and Choose &quot;*.*&quot;<br /> 6. Navigate to path &quot;C:\Windows\System32\&quot;<br /> 7. Right-Click on on &quot;cmd.exe&quot; and choose &quot;Run as administrator...&quot;.<br /> 8. The appearing command prompt has administrative rights.<br /> <br /> To be able to bypass authentication a local user with administrative <br /> rights can<br /> be added using the following commands:<br /> a. net user Pentest Password123! /add<br /> b. net localgroup Administrators Pentest /add<br /> <br /> Solution:<br /> Update to Version 5.0 or newer (5.0.6 was tested by the researcher).<br /> <br /> Disclosure Timeline:<br /> 2021/05/17 vendor initially contacted, submitted all details.<br /> 2021/05/17 vendor replied suggesting vulnerability already fixed<br /> in newer versions prior researcher contact<br /> 2021/06/02 verified vendor suggested fix using version 5.0.6;<br /> updated advisory and contacted vendor again; vendor<br /> suggested edits<br /> 2021/06/09 updated advisory and requested CVE identifier<br /> 2021/06/10 public disclosure<br /> <br /> Credits:<br /> Simon Bieber<br /> sbieber@secuvera.de<br /> secuvera GmbH<br /> https://www.secuvera.de<br /> <br /> Disclaimer:<br /> All information is provided without warranty. The intent is to<br /> provide information to secure infrastructure and/or systems, not<br /> to be able to attack or damage. Therefore secuvera shall<br /> not be liable for any direct or indirect damages that might be<br /> caused by using this information.<br /> <br /> This message is signed with my PGP key (Short Key ID 661263A5)<br /> You can download it here:<br /> https://www.secuvera.de/download/simon-bieber-short-key-id-661263a5/<br /> -----BEGIN PGP SIGNATURE-----<br /> <br /> iQIzBAEBCAAdFiEE6mgEBCu3JYBqmGrgDIJc8mYSY6UFAmDDFocACgkQDIJc8mYS<br /> Y6V1YBAAivvBI79oAYKrkkELU1drnEtIloRggLF6FQ4BlBgZ1DMfLQLcbACVT2LY<br /> ro9SBpU/s6AOaZ98jETA/nS57MD+70ncEevP6hm3DzxV1mHtS4rjTU6hkcFfC8tq<br /> rqeXRz4t1oWhPQd+AB2TOvpUIRtVn4zomNs9e3YkYRhRBixqZgrLz/c0mQjKIW/u<br /> +hf0v5RYYSwA8q9LyhN6QUmm0UCVg06o55l8+eyc6V1JeMekdX7ais99Ki/FNmYw<br /> z66aP4FrPx+RpCVsl0sCpMiZWIhNtUVq37uNJCaE55K6li241RVDLmzZtNFThx8F<br /> maqdUa1wdEJ3AY8Ays/s2HWg4EkTyA1Key25NvSUVNUvYwqDgE/TzXK/rqVpIvIs<br /> +dTiEJ1Q8aBlRL61UF6ddz2fliVj85q/4tQCJ/Nk062pkpI2bfhsgeEnwwkXQrTp<br /> Yqln1z0R4THpWsiUQ0q3VeFFDU33T8Lch1wpURNtR1V1O+Zz4T4W+UX5Q3uIfprF<br /> 04TwIQIGssXFlE2RNAHrO08dct0cFpe4luF5Y8WWh4DiNitpydJfOk9G/Itfm/53<br /> g9Ci5UKFB4+YvGrqMz+StypOWO3syrEzYJf2Sv/Xh1wInPDUboQ8gFev9Gzc3LG5<br /> 8pcflcVN2lGGYuxH3f4KdR5LmgFdYWcPDvY76B9tNWw0bPHUzU8=<br /> =7Aiz<br /> -----END PGP SIGNATURE-----<br /> &lt;/pre&gt;</div>

Pwnwiki