One Identity Password Manager Kiosk Escape Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in the One Identity Password Manager Secure Password Extension, affecting versions prior to 5.13.1. This vulnerability allows a local, pre-authenticated attacker to escape from Kiosk mode and execute commands with SYSTEM privileges from the login screen of a Windows client. The issue arises because the Password Manager Extension, which facilitates Active Directory password resets, launches a Chromium-based browser in Kiosk mode with SYSTEM privileges. Exploitation involves following Google reCAPTCHA links out of the kiosk browser to external websites and, from there, reaching a file dialog through which command-line applications can be launched with the browser's elevated permissions.
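A defender-side check for this class of kiosk escape, added here as an example and not part of the advisory or the vendor's product: it walks constructed, Sysmon-style process-creation events and flags a command shell running as SYSTEM whose parent chain includes a browser started with a kiosk flag. The field names, the `--kiosk` flag and the `KioskBrowser.exe` image name are assumptions; the advisory does not name the binary.

```python
import json
import ntpath
from typing import Dict, List, Optional

# Constructed sample telemetry (assumed field names, placeholder image paths).
SAMPLE_EVENTS = r'''
{"pid": 410, "ppid": 1,   "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Program Files\\PLACEHOLDER\\KioskBrowser.exe", "cmdline": "KioskBrowser.exe --kiosk https://pm.example.internal/reset"}
{"pid": 522, "ppid": 410, "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Program Files\\PLACEHOLDER\\KioskBrowser.exe", "cmdline": "KioskBrowser.exe --type=renderer"}
{"pid": 640, "ppid": 410, "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"}
{"pid": 700, "ppid": 300, "user": "CORP\\alice",          "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"}
'''

KIOSK_FLAG = "--kiosk"                      # assumed marker for kiosk-mode browsers
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"


def parse_events(raw: str) -> List[Dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def kiosk_ancestor(event: Dict, by_pid: Dict[int, Dict]) -> Optional[Dict]:
    """Walk the parent chain; return the first kiosk-mode browser found, if any."""
    seen = set()
    parent = by_pid.get(event["ppid"])
    while parent is not None and parent["pid"] not in seen:
        seen.add(parent["pid"])               # guard against pid-reuse cycles
        if KIOSK_FLAG in parent["cmdline"]:
            return parent
        parent = by_pid.get(parent["ppid"])
    return None


def find_kiosk_escapes(events: List[Dict]) -> List[Dict]:
    """Flag SYSTEM-owned shells descended from a kiosk browser.

    A kiosk browser on the logon screen has no legitimate reason to spawn a
    shell; the renderer child (same image, no shell) is deliberately not flagged.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["user"] != SYSTEM_USER:
            continue
        if ntpath.basename(e["image"]).lower() not in SHELL_IMAGES:
            continue
        kiosk = kiosk_ancestor(e, by_pid)
        if kiosk is not None:
            findings.append({"pid": e["pid"], "image": e["image"], "kiosk_pid": kiosk["pid"]})
    return findings


if __name__ == "__main__":
    for f in find_kiosk_escapes(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: pid {f['pid']} ({f['image']}) descends from kiosk browser pid {f['kiosk_pid']}")
```

On real telemetry the same walk applies to any SYSTEM process spawned by the kiosk browser, not only to the shells listed here, so widening `SHELL_IMAGES` to an allow-list of expected children is the stricter variant.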

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation to the SYSTEM account on the affected machine.

Reproduction

To reproduce this vulnerability, access a locked machine with the One Identity Password Manager Extension installed, either physically or via remote desktop. Launch the Password Manager Kiosk mode browser from the login screen. Once in Kiosk mode, navigate to the Google reCAPTCHA section and click the Privacy link, which opens a new browser window. From there, go to a website that allows file uploads, and use the resulting file-open dialog to navigate to cmd.exe. Launch cmd.exe, and it will execute with NT AUTHORITY\SYSTEM privileges.

Remediation

Users are advised to update to One Identity Password Manager version 5.13.1, which addresses this vulnerability. The update can be downloaded from the One Identity Support Portal.

Added: May 15, 2026, 9:47 AM
Updated: May 15, 2026, 9:47 AM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 2.5
exploitability: 4.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.