CVE-2019-3999
Published 2020-02-25
Priority: P258 | Severity: high | CVSS 3.1: 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 8.57% (94.4th percentile)
Improper neutralization of special elements used in an OS command in Druva inSync Windows Client 6.5.0 allows a local, unauthenticated attacker to execute arbitrary operating system commands with SYSTEM privileges.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| druva | insync_client | — | — |
Detection & IOCs (extracted from sources)
bytes
69 6e 53 79 6e 63 20 50 48 43 20 52 50 43 57 5b 76 30 30 30 32 5d 05 00 00 00
- Monitor TCP port 6064 on localhost for connections sending RPC type 5 messages (byte sequence 0x05 0x00 0x00 0x00) prefixed with the magic header 'inSync PHC RPCW[v0002]'. Any such traffic from non-Druva processes is suspicious.
- Alert on inSyncCPHwnet64.exe spawning unexpected child processes (e.g. cmd.exe, net.exe, powershell.exe) as SYSTEM, which would indicate successful exploitation via CreateProcessW.
- Search inSyncCPH.log for entries containing 'Got a request to create a process for sysstate' with unexpected command strings to identify exploitation attempts.
- Flag inSync versions 6.6.3 and prior (specifically confirmed on 6.5.2r99097 and 6.6.3r102156) as vulnerable targets for prioritized patching and detection coverage.
- The exploit connects to 127.0.0.1:6064, meaning the attack surface is local only; network-based detection must focus on the loopback interface.
- The RPC protocol requires sending the hello, func_num, command_length, and command_line as separate sequential TCP sends, so a single-packet signature will not capture the full exploit handshake.
- The command payload is encoded as wide (UTF-16LE) characters before transmission; detection signatures must account for null-byte padding between each character.
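The following is an added example, not code from the original sources, Druva or Tenable. It shows the stream-level check these notes call for: reassemble the client's sends before matching the magic header and type 5 bytes, then pull UTF-16LE strings out of what follows. The function names and the sample capture, including its 4-byte length field, are constructed assumptions; the matcher does not depend on the length field's layout, and attributing the connection to a process is outside its scope.

```python
import re

# Both values are quoted on this page.
MAGIC = b"inSync PHC RPCW[v0002]"
RPC_TYPE_5 = b"\x05\x00\x00\x00"
# Run of >= 4 printable ASCII characters encoded as UTF-16LE (char, 0x00).
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def single_packet_match(segments):
    """Naive per-packet signature: misses fields sent in separate TCP sends."""
    return any(MAGIC + RPC_TYPE_5 in seg for seg in segments)


def inspect_stream(segments):
    """Check one reassembled client-to-server stream captured on 127.0.0.1:6064.

    segments: TCP payloads (bytes) in capture order.
    Returns None when no type 5 request is present, otherwise a dict holding
    the stream offset of the header and the wide strings that follow it.
    """
    stream = b"".join(segments)
    start = stream.find(MAGIC + RPC_TYPE_5)
    if start < 0:
        return None
    tail = stream[start + len(MAGIC) + len(RPC_TYPE_5):]
    commands = [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(tail)]
    return {"offset": start, "commands": commands}


# Constructed sample capture, not real traffic. The 4-byte little-endian
# length field is an assumption; inspect_stream() does not parse it.
_CMD = "C:\\example\\constructed-sample.exe".encode("utf-16-le")
SAMPLE_TYPE5 = [MAGIC, RPC_TYPE_5, len(_CMD).to_bytes(4, "little"), _CMD]
SAMPLE_OTHER = [MAGIC, b"\x01\x00\x00\x00"]  # constructed: a different RPC type

if __name__ == "__main__":
    for name, capture in (("type5", SAMPLE_TYPE5), ("other", SAMPLE_OTHER)):
        print(name, single_packet_match(capture), inspect_stream(capture))
```

The decoded strings can then be compared against whatever command lines are expected in the environment, alongside the inSyncCPH.log and child-process checks listed above.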
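CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |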
No detection rules found.
Exploit-DB
Druva inSync Windows Client 6.5.2 - Local Privilege Escalation
exploitdb·2020-04-29·CVSS 7.8
---
```python
# Exploit Title: Druva inSync Windows Client 6.5.2 - Local Privilege Escalation
# Date: 2020-04-28
# Exploit Author: Chris Lyne
# Vendor Homepage: druva.com
# Software Link: https://downloads.druva.com/downloads/inSync/Windows/6.5.2/inSync6.5.2r99097.msi
# Version: 6.5.2
# Tested on: Windows 10
# CVE : CVE-2019-3999
# See also: https://www.tenable.com/security/research/tra-2020-12
import socket
import struct
import sys

# Command injection in inSyncCPHwnet64 RPC service
# Runs as nt authority\system. so we have a local privilege escalation
if len(sys.argv) < 2:
    print("E.g. " + __file__ + " \"net user /add tenable\"")
    sys.exit(0)

ip = '127.0.0.1'
port = 6064
command_line = sys.argv[1]
# command gets passed to CreateProcess
```
Metasploit
Druva inSync inSyncCPHwnet64.exe RPC Type 5 Privilege Escalation
metasploit
Druva inSync client for Windows exposes a network service on TCP port 6064 on the local network interface. inSync versions 6.6.3 and prior do not properly validate user-supplied program paths in RPC type 5 messages, allowing execution of arbitrary commands as SYSTEM. This module has been tested successfully on inSync versions 6.5.2r99097 and 6.6.3r102156 on Windows 7 SP1 (x64).
Tenable
Druva inSync Windows Client Local Privilege Escalation (CVE-2019-3999 Patch Bypass)
blogs_tenable·2020-05-21·CVSS 7.8
Tenable
Druva inSync Client Multiple Vulnerabilities
blogs_tenable·2020-02-25
- http://packetstormsecurity.com/files/157493/Druva-inSync-Windows-Client-6.5.2-Privilege-Escalation.html
- http://packetstormsecurity.com/files/157680/Druva-inSync-inSyncCPHwnet64.exe-RPC-Type-5-Privilege-Escalation.html
- https://www.tenable.com/security/research/tra-2020-12