
Article: Local Privilege Escalation via MSI installer (CVE-2023-7270)

admin


Proof of concept

1) Local Privilege Escalation via MSI installer (CVE-2023-7270)

For the exploit to work, SoftMaker Office or FreeOffice has to be installed via the MSI file. Afterwards, any low-privileged user can start a repair of the software by double-clicking the installer and trigger the vulnerable actions without a UAC prompt. If the installer has been deleted from its original location, a copy can be found in C:\Windows\Installer under a randomized name.

During the repair process, a console application is launched with SYSTEM privileges and reads certain files.

SoftMaker Office: Executes 7z.exe, which reads

Code:
C:\Program Files\SoftMaker Office 2024\tb\7z.exe

FreeOffice: Executes syspin.exe, which reads

Code:
C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll

An attacker can abuse this simply by setting an oplock on the files mentioned above.

As soon as the file is read, the SYSTEM process is blocked until the lock is released.

To do that, one can use the 'SetOpLock.exe' tool from [link hidden by the forum: log in or register to view] with the following parameters (PowerShell):

Code:
while ($true) { SetOpLock.exe "C:\Program Files\SoftMaker Office 2024\tb\7z.exe" x }
while ($true) { SetOpLock.exe "C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll" x }
Figure 1: Executing msiexec.exe to repair the SoftMaker Office MSI file, running "SetOpLock.exe" to set a lock

During the repair process, the locked file is accessed multiple times. The lock has to be released by pressing ENTER several times before the console window opens.

Once the window appears, the lock should not be released, so that the window stays open. The window opened by the console program does not close while the lock is held and can then be interacted with.

Note 1: The syspin.exe window is minimized. When the lock is triggered, check the taskbar for a window with a blue arrow (see figure 7).

The attacker can then perform the following actions to spawn a SYSTEM shell:

  • Right-click on the title bar of the window.
  • Click on "Properties" (see figure 3 and figure 4).
  • Under "Options", click on the "new console features" link.
  • Open the link with a browser, e.g. Firefox.
  • In the opened browser window, press the key combination CTRL+O.
  • Type cmd.exe in the address bar and press Enter (see figure 5 and figure 6).
Figure 3: Console window properties; clicking on "new console features" opens the browser. This works with Firefox (or Chrome), but not with other browsers.

Figure 4: Same for FreeOffice 2021, just a different console window

Figure 5: Gaining SYSTEM access rights via the SoftMaker Office MSI installer

Figure 6: Gaining SYSTEM access rights via the FreeOffice MSI installer

Figure 7: Taskbar icon to look out for, because the syspin.exe window is minimized


Note 2: This does not work with a recent version of the Edge browser.

Note 3: The program syspin.exe is invoked several times, sometimes without elevated privileges. If the resulting cmd.exe is not elevated, release the lock and wait for the next syspin.exe invocation. During our test, the fifth window ran with elevated privileges.
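For detection, the chain described above (an MSI repair running as SYSTEM, its console helper, a browser and finally cmd.exe, all under the SYSTEM account) is visible in process-creation telemetry. The following is an added example, not part of the advisory or of SEC Consult's tooling: it walks a constructed set of process-creation records and flags interactive processes (browser, shell) running as SYSTEM whose ancestry contains msiexec.exe. All PIDs, users and image paths are constructed sample data, and the assumption that the browser appears as a direct descendant of the console helper is a simplification of real telemetry.

```python
from dataclasses import dataclass

SYSTEM = "NT AUTHORITY\\SYSTEM"

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    user: str

# Constructed sample telemetry (not a real capture): a SYSTEM msiexec.exe repair launches 7z.exe,
# from whose console window a browser and then cmd.exe appear; plus a normal user's own Firefox.
SAMPLE_EVENTS = [
    ProcEvent(100, 4, r"C:\Windows\System32\msiexec.exe", SYSTEM),
    ProcEvent(200, 100, r"C:\Program Files\SoftMaker Office 2024\tb\7z.exe", SYSTEM),
    ProcEvent(300, 200, r"C:\Program Files\Mozilla Firefox\firefox.exe", SYSTEM),
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe", SYSTEM),
    ProcEvent(500, 4, r"C:\Windows\explorer.exe", "DESKTOP\\alice"),
    ProcEvent(600, 500, r"C:\Program Files\Mozilla Firefox\firefox.exe", "DESKTOP\\alice"),
]

# Interactive images that should never run as SYSTEM underneath an installer repair.
INTERACTIVE_IMAGES = {"firefox.exe", "chrome.exe", "cmd.exe", "powershell.exe"}
INSTALLER_IMAGES = {"msiexec.exe"}
MAX_DEPTH = 16  # bound the ancestry walk in case PIDs are reused or the tree is cyclic


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious(events):
    """Return (pid, chain) for SYSTEM interactive processes descending from msiexec.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if basename(ev.image) not in INTERACTIVE_IMAGES or ev.user.upper() != SYSTEM:
            continue
        chain = [basename(ev.image)]
        parent = by_pid.get(ev.ppid)
        for _ in range(MAX_DEPTH):
            if parent is None:
                break
            chain.append(basename(parent.image))
            if basename(parent.image) in INSTALLER_IMAGES:
                hits.append((ev.pid, " <- ".join(chain)))
                break
            parent = by_pid.get(parent.ppid)
    return hits
```

Calling find_suspicious(SAMPLE_EVENTS) flags the SYSTEM firefox.exe and cmd.exe (PIDs 300 and 400) with their ancestry chains, while alice's own Firefox is ignored.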

Vulnerable / tested versions

The following versions were tested by SEC Consult; they were the most recent versions available at the time of the test:

  • SoftMaker Office 2024 - 24.0.6034
  • FreeOffice 2021 Revision 1068

According to the vendor, all versions of SoftMaker Office NX/2024 before revision 1214 and FreeOffice 2024 before revision 1215 installed via the MSI installer are affected.

FreeOffice 2021 is unsupported and will not be fixed according to the vendor.
