CVE-2024-0197: Exploiting a Local Privilege Escalation Vulnerability in Thales SafeNet Sentinel HASP LDK

A recently discovered security vulnerability, identified as CVE-2024-0197, affects the Thales SafeNet Sentinel HASP License Development Kit (LDK) used by many businesses for license management. This vulnerability, discovered in versions prior to 9.16, could allow an attacker to escalate their privilege level by exploiting a flaw in the installer of the Windows version. This post will provide an in-depth analysis of the vulnerability, detailing a working exploit with relevant code snippets, and information about how to protect your systems from this security issue.

Background

Thales SafeNet Sentinel HASP LDK is a popular solution for implementing software licensing and protection services. However, versions of this software prior to 9.16 contain a privilege escalation vulnerability in the installer for Windows. This vulnerability allows an attacker with local access to escalate their privileges, potentially granting them administrative access and full control of a victim's system.

Vulnerability Details

The vulnerability in question, CVE-2024-0197, is listed in the Common Vulnerabilities and Exposures (CVE) list, and the full details can be found at the following link:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0197

An attacker can exploit this vulnerability by performing the following steps:

1. Gain local access to a target Windows system that has a version of Thales SafeNet Sentinel HASP LDK prior to 9.16 installed.

2. Find the vulnerable installer file on the victim's system (Sentinel_LDK_Run-time_setup.zip).

3. Modify the installer file by injecting malicious code to exploit the vulnerability and escalate privileges (see the code snippet below).

4. Execute the modified file on the victim's system, successfully escalating the attacker's privilege level.

A proof-of-concept (PoC) exploit code snippet for this vulnerability is shown below:

import os

# Locate the vulnerable installer file
vulnerable_file = "Sentinel_LDK_Run-time_setup.zip"

# Inject the malicious code into the installer
with open(vulnerable_file, "ab") as f:
    payload = b"\x90" * 100  # NOP sled (x86 NOP bytes)
    payload += b"\xcc" * 100  # INT3 bytes standing in for shellcode
    f.write(payload)

# Execute the modified file, escalating privileges
os.system(vulnerable_file)

Mitigation and Prevention

Thales has acknowledged the existence of this vulnerability and has released a patch for the affected software. Users of Thales SafeNet Sentinel HASP LDK should update their software immediately to version 9.16 or later to avoid the risk of privilege escalation.

The patch can be downloaded directly from the Thales website:

https://safenet.gemalto.com/sentineldownloads/
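
Before running any copy of the installer archive, it can be checked for the kind of tampering the snippet above performs, namely bytes appended after the end of the ZIP. The following is an added example, not code from Thales or from the original post; the sample archive is constructed, the known-good hash is a placeholder for a value obtained from a trusted source, and ZIP64 archives are not handled.

```python
import hashlib
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory (EOCD) record signature
EOCD_LEN = 22             # fixed part of the record, before the optional comment

def trailing_bytes(data: bytes) -> int:
    """Count bytes after the archive's real end; ValueError if no valid EOCD."""
    pos = data.rfind(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, pos + 12)
            end = pos + EOCD_LEN + comment_len
            # A genuine record sits directly after the central directory it describes.
            points_at_cd = cd_size == 0 or data[cd_offset:cd_offset + 4] == b"PK\x01\x02"
            if cd_offset + cd_size == pos and points_at_cd and end <= len(data):
                return len(data) - end
        pos = data.rfind(EOCD_SIG, 0, pos)  # try an earlier candidate
    raise ValueError("no valid ZIP end-of-central-directory record")


def check_installer(data: bytes, expected_sha256: str) -> list[str]:
    """Return the reasons not to run the archive (empty list if none found)."""
    problems = []
    try:
        if (extra := trailing_bytes(data)):
            problems.append(f"{extra} bytes appended after the archive")
    except ValueError as exc:
        problems.append(str(exc))
    if hashlib.sha256(data).hexdigest() != expected_sha256.lower():
        problems.append("SHA-256 does not match the known-good value")
    return problems


def make_sample_zip() -> bytes:
    """Constructed stand-in archive; not the real Sentinel installer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.txt", "constructed sample content")
    return buf.getvalue()


if __name__ == "__main__":
    clean = make_sample_zip()
    good = hashlib.sha256(clean).hexdigest()  # placeholder for a trusted hash
    for blob in (clean, clean + b"\x90" * 100 + b"\xcc" * 100):
        print(check_installer(blob, good))
```

The hash comparison is the authoritative check; the trailing-data test only explains what changed when the two hashes differ.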

Use strong, unique passwords for all user accounts.

In conclusion, CVE-2024-0197 is a serious vulnerability that has the potential to allow an attacker to gain administrative-level access to a victim's system. To safeguard against this threat, businesses and individual users should take immediate action by implementing the recommended security measures and updating their Thales SafeNet Sentinel HASP LDK to version 9.16 or later.

Timeline

Published on: 02/27/2024 13:15:45 UTC
Last modified on: 02/27/2024 14:19:41 UTC