secuvera-SA-2021-01: Privilege Escalation in NetSetMan Pro 4.7.2

Affected Products
   NetSetMan Pro 4.7.2 (other/older releases have not been tested)

References
   https://www.secuvera.de/advisories/secuvera-SA-2021-01.txt (used for updates)
   CVE-2021-34546

Summary:
   "NetSetMan is a network settings manager software for easily switching
   between your preconfigured profiles."
   The save file dialogue within the action log window, shown after switching
   a profile using the pre-logon profile switching (if intentionally enabled),
   leads to arbitrary command execution as the SYSTEM user, enabling an
   unauthenticated attacker to log on.

Effect:
   An unauthenticated attacker with physical access to a computer with
   NetSetMan Pro 4.7.2 installed, which has the pre-logon profile switch
   activated (not enabled by default) as a button within the Windows logon
   screen, is able to drop to an administrative shell and execute arbitrary
   commands as the SYSTEM user by using the "save log to file" feature
   within NetSetMan Pro.

Example:
   On a client computer running Microsoft Windows 10 and NetSetMan Pro, an
   icon can appear on the Windows lock screen if configured. The following
   steps must be performed in order to gain an administrative shell:
   1. Boot the client system.
   2. Click on the NetSetMan Pro icon.
   3. Choose a user-defined (empty) setting.
   4. Click on the "save" button in the appearing window within the "Log"
      section (save icon).
   5. Click on "File-Type" and choose "*.*".
   6. Navigate to the path "C:\Windows\System32\".
   7. Right-click on "cmd.exe" and choose "Run as administrator...".
   8. The appearing command prompt has administrative rights.

   To be able to bypass authentication, a local user with administrative
   rights can be added using the following commands:
   a. net user Pentest Password123! /add
   b. net localgroup Administrators Pentest /add

Solution:
   Update to version 5.0 or newer (5.0.6 was tested by the researcher).

Disclosure Timeline:
   2021/05/17 vendor initially contacted, all details submitted
   2021/05/17 vendor replied, suggesting the vulnerability was already fixed
              in newer versions prior to researcher contact
   2021/06/02 verified the vendor-suggested fix using version 5.0.6; updated
              advisory and contacted vendor again; vendor suggested edits
   2021/06/09 updated advisory and requested CVE identifier
   2021/06/10 public disclosure
   2021/06/11 signed information with own PGP key (short key ID 661263A5)
              that can be downloaded via
              https://www.secuvera.de/unternehmen/pgp-keys/

Credits:
   Simon Bieber
   sbieber@secuvera.de
   secuvera GmbH
   https://www.secuvera.de

Disclaimer:
   All information is provided without warranty. The intent is to provide
   information to secure infrastructure and/or systems, not to be able to
   attack or damage. Therefore secuvera shall not be liable for any direct
   or indirect damages that might be caused by using this information.
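Detection sketch (an added example, not part of the secuvera advisory or of NetSetMan): for hosts that cannot be updated immediately, the sequence in the Example section leaves a recognisable trail in the Windows Security log: a shell started by SYSTEM from the NetSetMan process (event 4688), followed by a local account creation (4720) and an addition to BUILTIN\Administrators (4732). The process name "netsetman", the install path, the 10-minute window and all sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

SYSTEM_SID = "S-1-5-18"             # LocalSystem
ADMINS_SID = "S-1-5-32-544"         # BUILTIN\Administrators
SHELLS = {"cmd.exe", "powershell.exe"}
PARENT_HINT = "netsetman"           # assumption: substring of the NetSetMan binary name
WINDOW = timedelta(minutes=10)      # assumption: correlation window

def ev(time, host, eid, **fields):
    return {"time": time, "host": host, "id": eid, "SubjectUserSid": SYSTEM_SID, **fields}

# Constructed sample events; field names follow Security events 4688, 4720 and 4732.
NSM = r"C:\Program Files (x86)\NetSetMan Pro\netsetman.exe"   # constructed path
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    ev("2021-06-10T08:00:05", "WS01", 4688, NewProcessName=CMD, ParentProcessName=NSM),
    ev("2021-06-10T08:01:10", "WS01", 4720, TargetUserName="newacct"),
    ev("2021-06-10T08:01:11", "WS01", 4732, TargetSid="S-1-5-32-545"),  # Users group
    ev("2021-06-10T08:01:30", "WS01", 4732, TargetSid=ADMINS_SID),
    ev("2021-06-10T09:00:00", "WS02", 4688, NewProcessName=CMD,
       ParentProcessName=r"C:\Windows\System32\services.exe"),
    ev("2021-06-10T09:00:30", "WS02", 4720, TargetUserName="svc-backup"),
]

def leaf(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (host, finding, time) tuples in chronological order."""
    findings, shell_seen = [], {}
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if e["SubjectUserSid"] != SYSTEM_SID:
            continue
        t, host = datetime.fromisoformat(e["time"]), e["host"]
        if e["id"] == 4688:
            # SYSTEM shell whose parent is the pre-logon NetSetMan process
            if leaf(e["NewProcessName"]) in SHELLS and PARENT_HINT in leaf(e["ParentProcessName"]):
                shell_seen[host] = t
                findings.append((host, "system-shell-from-netsetman", e["time"]))
        elif e["id"] in (4720, 4732):
            if e["id"] == 4732 and e["TargetSid"] != ADMINS_SID:
                continue  # ignore group changes other than Administrators
            start = shell_seen.get(host)
            if start is not None and t - start <= WINDOW:
                kind = "local-user-created" if e["id"] == 4720 else "admin-group-member-added"
                findings.append((host, kind, e["time"]))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

Event 4688 is only recorded when process creation auditing is enabled, and the parent process name field is present on Windows 10 and later.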