Vendor description
"One Identity delivers solutions that help customers strengthen operational efficiency, reduce risk surface, control costs and enhance their cybersecurity. Our Unified Identity Platform brings together best-in-class software to enable organizations to shift from a fragmented identity strategy to a holistic approach."
Source: https://www.oneidentity.com/company/
Business recommendation
The vendor provides patch version 5.13.1, which should be installed immediately.
SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.
Vulnerability overview/description
The Password Manager application by One Identity enables users to reset their Active Directory passwords on the login screen of a Windows client with the Secure Password Extension. The Secure Password Manager Extension launches a Chromium-based browser in kiosk mode to provide the reset functionality.
Due to application-specific functionality, the Password Manager Extension suffers from two exploitable kiosk escape vulnerabilities that allow a local, pre-authenticated attacker to escalate privileges to SYSTEM.
1) Password Manager Kiosk Escape with Google ReCAPTCHA (CVE-2023-48654)
The Password Manager Extension uses Google ReCAPTCHA, which enables an attacker to escape the kiosk mode of the browser and gain "nt authority\system" permissions on the login screen of the targeted machine. This is possible because Google ReCAPTCHA links to external websites, which open in a new browser window and enable an attacker to navigate to other external websites.
2) Password Manager Kiosk Escape after Session Timeout
The Password Manager application provides a link to a help page of One Identity. This link references an external site and is therefore hidden in the kiosk mode browser of the Password Manager Extension. If the Password Manager Extension website is reloaded after an active session has expired, the link to the external One Identity website is shown. This enables an attacker to escape the kiosk mode of the browser and gain "nt authority\system" permissions on the login screen of the targeted machine.
Proof of concept
1) Password Manager Kiosk Escape with Google ReCAPTCHA (CVE-2023-48654)
An attacker requires access to a locked machine where the Password Manager Extension is installed, either via physical (pre-auth) or remote (RDP) access. From the login screen, the Password Manager Extension kiosk mode browser can be launched.
Since Google ReCAPTCHA is used on the Password Manager website, the Google ReCAPTCHA icon is also shown on the website and provides a link to an external website via the "Privacy" button of the Google ReCAPTCHA field.
2) Password Manager Kiosk Escape after Session Timeout
An attacker requires either a username to log in to the Password Manager website or a logged-in user who leaves the session open until it expires. Since the Password Manager uses Active Directory credentials, the username from the Windows login screen can be used to log in to the website. For this attack, the session of a logged-in user has to expire.
After the session expiration, the Password Manager website is reloaded and displays a help icon that is usually hidden. The help icon links to the external One Identity website, from which it is possible to navigate to the Google Search website using the Sign In option of the One Identity website. The Sign In page has the option to log in with a Facebook account, and information about cookies is displayed on this page, which links to a Google Chrome website.
For both vulnerabilities 1 and 2, an attacker can use the Google Search website and trigger the "search by image" feature. This "search by image" feature can be used to trigger an upload, which then opens a file explorer window for file selection.
The file explorer window makes it possible to enter "cmd" in the path field of the file explorer to open a command prompt. The created command prompt is executed with the highest "nt authority\system" permissions.
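Both escapes end the same way: a command prompt started as SYSTEM from within the kiosk browser. A legitimate password reset never needs a shell, so a process-creation rule keyed on that parent/child/user combination is a high-signal detection. The following is an added example (not part of the SEC Consult advisory or One Identity's product); the browser executable names and the Sysmon-like event shape are assumptions, and the sample events are constructed.

```python
import ntpath

# Constructed sample process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    # Kiosk escape symptom: cmd.exe started as SYSTEM with the kiosk browser as parent.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Kiosk\chrome.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    # Benign: an interactive user starting a shell from Explorer.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice"},
    # Benign: the kiosk browser spawning its own child process as SYSTEM is expected.
    {"Image": r"C:\Program Files\Kiosk\chrome.exe",
     "ParentImage": r"C:\Program Files\Kiosk\chrome.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
]

# Assumed executable names; adjust to the Chromium build the extension actually ships.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "chromium.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_USER = r"NT AUTHORITY\SYSTEM"


def _basename(path: str) -> str:
    # ntpath handles Windows paths regardless of the host the rule runs on.
    return ntpath.basename(path).lower()


def is_kiosk_escape_symptom(event: dict) -> bool:
    """True when a shell is launched as SYSTEM directly by a browser process.

    The file-open dialog runs inside the browser process, so typing "cmd" into
    its path field yields exactly this parent/child pair under the SYSTEM account.
    """
    return (_basename(event["Image"]) in SHELL_IMAGES
            and _basename(event["ParentImage"]) in BROWSER_IMAGES
            and event["User"].upper() == SYSTEM_USER)


def find_kiosk_escapes(events: list[dict]) -> list[dict]:
    """Return every event that matches the kiosk escape pattern."""
    return [e for e in events if is_kiosk_escape_symptom(e)]


if __name__ == "__main__":
    for hit in find_kiosk_escapes(SAMPLE_EVENTS):
        print("ALERT kiosk escape:", hit["ParentImage"], "->", hit["Image"], "as", hit["User"])
```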
Vulnerable / tested versions
The following version has been tested, which was the latest version available at the time of the test:
- 5.13
It is assumed that all previous versions are affected as well.