Either the Custom installation or No system integration option is chosen in the installer GUI: Method 1 - requires administrator interaction MsiExec.exe is executed with the repair flag /fa as the low privileged user. Insecure Access Control in MSI installer package of PeaZip version 5.4.0 through 8.8.0 allows attackers to perform local privilege escalation by controlling the program directory during a "Repair". ProcMon shows the race condition was won:Ī second later, the attacker-placed binary is executed by System:ĬVE-2022-(CVE pending) - Windows Installer Local Privilege Escalation by controlling program directory Description The executable file (cmd.exe) opened by MsiExec as nt authority\system.Executing the PeaZip Windows Installer repair.The race-condition code from the NinjaRMM blog post is modified with new paths, and the exploit is run (each step corresponding to the steps in the below screenshot): ProcMon shows the executable peazip-8.8.0.WIN64.exe is written to the low privileged user's AppData\Local\Temp\ and later executed by System: MsiExec.exe is executed with the repair flag /fa as the low privileged user: More details on identifying and exploiting the EXEMSI MSI Installer vulnerability can be read in the original NinjaRMM blog post. Properties of the latest MSI from PeaZip's GitHub (left), and the MSI in C:\Windows\Installer post installation (right) confirms the SourceForge finding: Most results are from online malware analysis tools, for example PowerUp's Write-UserAddMSI was found to be using MSI Wrapper:Īt the time I did not identify PeaZip, but by searching again I found PeaZip may be wrapped by MSI Wrapper: Identification of MSI Wrapper use was possible as MSI Wrapper adds the comment "Installer wrapped by MSI Wrapper": Prior to my disclosure EXEMSI contacted their customers, and I identified and contacted other software vendors using the vulnerable MSI Wrapper to create awareness of the vulnerability. In 2021, I disclosed a local privilege escalation vulnerability in NinjaRMM Agent which was introduced as the NinjaOne developers used EXEMSI MSI Wrapper to “wrap” the EXE in an MSI allowing for easier deployment. Insecure Access Control in MSI installer package of PeaZip version 7.7.1 to 8.8.0 allows attackers to perform local privilege escalation by winning a race condition during a "Repair". Affects PeaZip at least since version 5.4.0 through 8.8.0 if installed with the MSI installer.ĬVE-2022-40779 - Windows Installer Local Privilege Escalation due to 'EXEMSI MSI Installer' vulnerability Description.CVE-2022-47082, Windows Installer Local Privilege Escalation by controlling program directory.MITRE ATT&CK technique: Hijack Execution Flow: Executable Installer File Permissions Weakness.Affects PeaZip from version 7.7.1 through 8.8.0 if installed with the MSI installer.CVE-2022-40779, Windows Installer Local Privilege Escalation due to 'EXEMSI MSI Installer' vulnerability.October 9, 2022: PeaZip releases version 8.9.0 with no MSI installerĭeveloper acknowledgement CVEs registered & affected versions.September 13, 2022: PeaZip confirmed vulnerability.September 13, 2022: Informed PeaZip about the vulnerabilities.Update third-party tools and libraries frequently.Subscribe to security advisories from all third-party tools, libraries, and other vendors.Delete the MSI installer associated with PeaZip in C:\Windows\Installer.Only installations made with the MSI installer on PeaZip's GitHub are vulnerable: Surprisingly a second simple LPE was also found. Indeed there was one application, PeaZip. As I last year found that MSI installers created with "EXEMSI MSI Installer" can be vulnerable to LPE I thought more applications that use vulnerable EXEMSI versions must exist. The vulnerabilities were found during a challenge. The vulnerabilities allow a low privileged user to become NT AUTHORTY\SYSTEM. This blog describes two local privilege escalation (LPE) vulnerabilities in PeaZip, affecting versions up to 8.8.0.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |