lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <89345087-afdb-4d3a-8984-9232c8ce7f71@sec-consult.com>
Date: Thu, 27 Jun 2024 10:18:16 +0000
From: SEC Consult Vulnerability Lab via Fulldisclosure
 <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] SEC Consult SA-20240627-0 :: Local Privilege Escalation via
 MSI installer in SoftMaker Office / FreeOffice

SEC Consult Vulnerability Lab Security Advisory < 20240627-0 >
=======================================================================
               title: Local Privilege Escalation via MSI installer
             product: SoftMaker Office / FreeOffice
  vulnerable version: SoftMaker Office 2024 / NX before revision 1214
                      FreeOffice 2021 Revision 1068
                      FreeOffice 2024 before revision 1215
       fixed version: SoftMaker Office 2024 / NX - revision 1214
                      FreeOffice 2024 - revision 1215
          CVE number: CVE-2023-7270
              impact: high
            homepage: https://www.softmaker.com/en/
               found: 2023-11-27
                  by: Michael Baer (Office Fürth)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"SoftMaker Office makes working with documents, spreadsheets and presentations
a breeze – whether you're on Windows, Linux, Mac, iOS or Android."

Source: https://www.softmaker.com/en/products/softmaker-office


Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the
product conducted by security professionals to identify and resolve potential
further security issues.


Vulnerability overview/description:
-----------------------------------
1) Local Privilege Escalation via MSI installer (CVE-2023-7270)
The SoftMaker Office and FreeOffice MSI installer files were found to produce
a visible conhost.exe window running as the SYSTEM user when using the repair
function of msiexec.exe.

This allows a local, low-privileged attacker to use a chain of actions,
to open a fully functional cmd.exe with the privileges of the SYSTEM user.

Note:
This attack does not work using a recent version of the Edge Browser or
Internet Explorer. A different browser, such as Chrome or Firefox, needs to be
used. Also make sure, that Edge or IE have not been set as default browser
and that Firefox or Chrome are not running before attempting to exploit it.
Otherwise, the spawned process would be running with your own permissions and
the installer will just add a new tab to the browser, instead of spawning a
new process with SYSTEM.


Proof of concept:
-----------------
1) Local Privilege Escalation via MSI installer (CVE-2023-7270)
For the exploit to work, SoftMaker Office or FreeOffice have to be installed
via the MSI file. Afterwards, any low-privileged user can start the
repair of the software by double-clicking the installer and trigger
the vulnerable actions without a UAC popup. The installer, if deleted from it's
original location, can be found in C:\Windows\Installer with a randomized name.

During the repair process, a console application gets called with SYSTEM
privileges and performs a read action on some files.

SoftMaker Office: Executes 7z.exe, which reads
C:\Program Files\SoftMaker Office 2024\tb\7z.exe

FreeOffice: Executes syspin.exe, which reads
C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll

This can be used by an attacker by simply setting an oplock on the files
mentioned before.

As soon as it gets read, the process is blocked until the lock is released.

To do that, one can use the 'SetOpLock.exe' tool from
"https://github.com/googleprojectzero/symboliclink-testing-tools"
with the following parameters:

while ($true) { SetOpLock.exe "C:\Program Files\SoftMaker Office 2024\tb\7z.exe" x }
while ($true) { SetOpLock.exe "C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll" x }

See figure 1 [soft_lock.png] and figure 2 [lock.png]

During the repair process, the locked file is accessed multiple times. The lock
has to be released by pressing ENTER several times before the window opens.

If the window appears, the lock should not be released to keep the
window open. The window that gets opened when the console program is
executed doesn't close and can then be interacted with.

Note 1: The syspin.exe window is minimized. When the lock is triggered, it
is advised to check the taskbar whether a window with a blue arrow,
see figure 7 [taskbar.png], exists.

The attacker can then perform the following actions to spawn a SYSTEM shell:
- Right click on the top bar of the window
- Click on properties, see figure 3 [soft_openbrowser.png] and figure 4 [openbrowser.png]
- Under options, click on the "new console features" link
- Open the link with e.g. firefox
- In the opened browser window press the key combination CTRL+o
- Type cmd.exe in the top bar and press Enter, see figure 5 [soft_cmd.png] and figure 6 [cmd.png]

Note 2: This does not work using a recent version of the Edge Browser.

Note 3: The program syspin.exe is invoked several times, sometimes without
elevated privileges. If the final cmd.exe is not elevated, release the lock
and wait for the next syspin.exe invocation. During our test, the fifth
window was run with elevated privileges.


Vulnerable / tested versions:
-----------------------------
The following versions have been tested by SEC Consult which were the most recent
versions available at the time of the test:
* SoftMaker Office 2024 - 24.0.6034
* FreeOffice 2021 Revision 1068

According to the vendor, all versions of SoftMaker Office NX/2024 before revision 1214
and FreeOffice 2024 before revision 1215 with the MSI installer are affected.

FreeOffice 2021 is unsupported and will not be fixed according to the vendor.


Vendor contact timeline:
------------------------
2023-12-02: Contacting vendor through sales@...tmaker.de,
             asking for security contact.
2023-12-07: Contacting vendor through https://www.softmaker.com/en/support/customer-support
             asking for security contact.
2024-01-11: Contacting vendor through https://www.softmaker.com/en/support/customer-support
             asking for security contact.
2024-01-11: Vendor provides security contact and asks for advisory
             unencrypted
2024-01-12: Sending advisory draft unencrypted to security contact
2024-02-17: Asking for status of vulnerability, no response
2024-03-06: Asking for status of vulnerability, no response
2024-04-08: Asking for a status update, setting release date to
             17th April.
2024-04-08: Vendor response, seems not to have received our previous mails.
             Asking for deadline extension as a release it already planned.
2024-04-09: Sending advisory draft again, extending deadline.
2024-04-11: Asking whether email was received, confirmed. Sent proposed
             solution.
2024-04-22: Asking when new release is planned and whether fixes could be
             incorporated.
2024-04-23: Vendor response, current service pack update not including fixes,
             planned in about 6 weeks.
2024-05-27: Vendor response, service pack / revision 1214 was published which fixes
             the issue for Office 2024 and Office NX. FreeOffice 2024 will
             be fixed in the next release mid June. FreeOffice 2021 is unsupported.
2024-06-11: Vendor: FreeOffice 2024 will be patched on 18th June, asks for advisory
             release to be postponed a bit.
2024-06-17: Setting advisory release date for 27th June, reserving CVE.
2024-06-18: Vendor releases FreeOffice 2024 revision 1215.
2024-06-27: Release of security advisory.


Solution:
---------
The vendor provides a service pack version 1214 for SoftMaker Office 2024 and
SofMaker Office NX, which can be downloaded from:
https://softmaker.de/download/servicepacks

FreeOffice 2024 revision 1215:
https://www.freeoffice.com/de/download/servicepacks

FreeOffice 2021 is unsupported and will not be fixed according to the vendor.


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Michael Baer / 2024
Download attachment "lock.png" of type "image/png" (51889 bytes)

Download attachment "soft_openbrowser.png" of type "image/png" (67742 bytes)

Download attachment "soft_cmd.png" of type "image/png" (29624 bytes)

Download attachment "openbrowser.png" of type "image/png" (69145 bytes)

Download attachment "taskbar.png" of type "image/png" (3450 bytes)

Download attachment "soft_lock.png" of type "image/png" (47378 bytes)

Download attachment "cmd.png" of type "image/png" (20890 bytes)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ