NetSetManPro version 4.7.2 suffers from a privilege escalation vulnerability.
advisories | CVE-2021-34546
NetSetManPro 4.7.2 (other/older releases have not been tested)
https://www.secuvera.de/advisories/secuvera-SA-2021-01.txt (used for
"NetSetMan is a network settings manager software for easily
your preconfigured profiles."
The save file dialogue within the action log window after switching a
profile using the pre-logon profile switching (if intentionally enabled)
leads to arbitrary command execution as system authority user enabling an
attacker to log on.
An unauthenticated attacker with physical access to a computer with
NetSetMan Pro 4.7.2 installed, that has the pre-logon profile switch
activated (not default) as a button within the Windows logon screen, is
able to drop to an administrative shell and execute arbitrary commands as
system user by the use of the "save log to file" feature within
NetSetMan Pro.
On a client computer running Microsoft Windows 10 and NetSetMan Pro
an icon can appear on the Windows lock-screen if configured. The
following steps must be performed in order to gain an administrative
shell:
1. Boot the client system
2. Click on the NetSetMan Pro Icon.
3. Choose a user defined (empty) setting.
4. Click on the "save" button in the appearing Window within the
5. Click on "File-Type" and Choose "*.*"
6. Navigate to path "C:\Windows\System32"
7. Right-click on "cmd.exe" and choose "Run as administrator...".
8. The appearing command prompt has administrative rights.
To be able to bypass authentication a local user with administrative
be added using the following commands:
a. net user Pentest Password123! /add
b. net localgroup Administrators Pentest /add
Update to Version 5.0 or newer (5.0.6 was tested by the researcher).
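The following is an added detection example, not part of the secuvera advisory or of NetSetMan: it triages process-creation events for the activity described above (a SYSTEM command prompt started from software that shows UI on the logon screen, followed by the two `net` commands). It assumes Sysmon Event ID 1 records parsed into dicts, and that the prompt's ParentImage is the process that owned the save dialog; `logon_helper.exe` and the `logon_helpers` parameter are hypothetical stand-ins.

```python
import re
from ntpath import basename  # parses Windows paths on any analysis host

# Assumption: records are Sysmon Event ID 1 (process creation) events already
# parsed into dicts with the Image, CommandLine, User and ParentImage fields.
SYSTEM = r"nt authority\system"
NET = r"\bnet1?(?:\.exe)?\"?\s+"  # net.exe hands the work to net1.exe
ADD_USER = re.compile(NET + r"user\s+\S+.*\s/add\b", re.I)
ADD_ADMIN = re.compile(
    NET + r"localgroup\s+\"?administrators\"?\s+\S+.*\s/add\b", re.I)

def triage(events, logon_helpers):
    """Return (rule, event) pairs for SYSTEM activity matching the advisory.

    logon_helpers (hypothetical parameter): image names of installed software
    that can draw UI on the logon screen, taken from your own inventory.
    """
    helpers = {h.lower() for h in logon_helpers}
    findings = []
    for ev in events:
        if ev["User"].lower() != SYSTEM:
            continue  # the advisory's shell and commands all run as SYSTEM
        image = basename(ev["Image"]).lower()
        parent = basename(ev["ParentImage"]).lower()
        if image == "cmd.exe" and parent in helpers:
            findings.append(("system-shell-from-logon-helper", ev))
        elif ADD_ADMIN.search(ev["CommandLine"]):
            findings.append(("admin-group-add-as-system", ev))
        elif ADD_USER.search(ev["CommandLine"]):
            findings.append(("user-add-as-system", ev))
    return findings

def _ev(image, cmdline, user, parent):
    return {"Image": image, "CommandLine": cmdline, "User": user,
            "ParentImage": parent}

# Constructed sample events; logon_helper.exe is a stand-in, not a real binary.
SYS32, SYS = "C:\\Windows\\System32\\", r"NT AUTHORITY\SYSTEM"
SAMPLE = [
    _ev(SYS32 + "cmd.exe", "cmd.exe", SYS, r"C:\Tools\logon_helper.exe"),
    _ev(SYS32 + "net.exe", "net user Pentest Password123! /add", SYS, SYS32 + "cmd.exe"),
    _ev(SYS32 + "net.exe", "net localgroup Administrators Pentest /add", SYS, SYS32 + "cmd.exe"),
    _ev(SYS32 + "cmd.exe", "cmd.exe /c backup.bat", SYS, SYS32 + "services.exe"),
    _ev(SYS32 + "net.exe", "net user helpdesk /add", r"CORP\alice", SYS32 + "cmd.exe"),
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE, {"logon_helper.exe"}):
        print(rule, "|", ev["CommandLine"], "| parent:", ev["ParentImage"])
```

The last two sample events (a service-started batch job and an account created by a logged-on administrator) are deliberately not reported.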
2021/05/17 vendor initially contacted, submitted all details.
2021/05/17 vendor replied suggesting vulnerability already fixed
in newer versions prior researcher contact
2021/06/02 verified vendor suggested fix using version 5.0.6;
updated advisory and contacted vendor again; vendor
2021/06/09 updated advisory and requested CVE identifier
2021/06/10 public disclosure
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore secuvera shall
not be liable for any direct or indirect damages that might be
caused by using this information.
This message is signed with my PGP key (Short Key ID 661263A5)
You can download it here: