CVE-2023-37907: MSI installer allows LPE
Cryptomator is data encryption software for users who store their files in the cloud. Prior to version 1.9.2, the MSI installer provided on the homepage allows local privilege escalation (LPE) for low-privileged users if the software is already installed. The problem occurs because the repair function of the MSI spawns two administrative CMDs. A simple LPE is possible via a breakout. Version 1.9.2 fixes this issue.
Summary
The MSI installer provided on the homepage allows LPE for low-privileged users if the software is already installed.
Details
The problem occurs because the repair function of the MSI spawns two administrative cmds. If caught, a simple LPE is possible via a very simple breakout.
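The behaviour described above, an installer repair that runs cmd.exe under the elevated Windows Installer service, is also what a defender would hunt for in process-creation telemetry. The following check is an added example, not code from the advisory or from Cryptomator: it runs over constructed Sysmon Event ID 1 records (reduced to a few fields, all values made up) and flags console shells whose parent is msiexec.exe and whose token is SYSTEM, leaving alone shells the installer service spawns with a user token (a per-user install). The field names match Sysmon's; the shell set and the SYSTEM test are assumptions you may widen.

```python
from typing import Iterable

SHELLS = {"cmd.exe", "powershell.exe"}   # assumed set of child images to flag
INSTALLER_SERVICE = "msiexec.exe"

# Constructed sample telemetry (not real logs). One record, at 10:01:04,
# reproduces the advisory's condition: cmd.exe spawned by msiexec.exe as SYSTEM.
SAMPLE_EVENTS = [
    {"UtcTime": "10:01:02", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\lowpriv"},
    {"UtcTime": "10:01:03", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"UtcTime": "10:01:04", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},
    {"UtcTime": "10:02:00", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\lowpriv",
     "IntegrityLevel": "Medium"},
    {"UtcTime": "10:03:00", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe", "User": r"CORP\lowpriv",
     "IntegrityLevel": "Medium"},
]


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def runs_as_system(event: dict) -> bool:
    """True if the process token is SYSTEM, by account name or integrity level."""
    user = event.get("User", "").upper()
    return user in {r"NT AUTHORITY\SYSTEM", "SYSTEM"} or \
        event.get("IntegrityLevel", "").lower() == "system"


def find_elevated_installer_shells(events: Iterable[dict]) -> list:
    """Return events where msiexec.exe spawned a shell running as SYSTEM."""
    hits = []
    for ev in events:
        if _basename(ev.get("ParentImage", "")) != INSTALLER_SERVICE:
            continue
        if _basename(ev.get("Image", "")) not in SHELLS:
            continue
        if runs_as_system(ev):   # user-token shells (per-user installs) are skipped
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_elevated_installer_shells(SAMPLE_EVENTS):
        print(hit["UtcTime"], hit["Image"], "spawned by msiexec.exe as", hit["User"])
```

Over the sample data exactly one record is flagged, the 10:01:04 cmd.exe; the same logic translates directly into a SIEM rule on ParentImage, Image and User.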
PoC
As a low-privileged user, do the following steps to reproduce.
Locate the MSI installer under c:\windows\installer\ . The installer stays cached there more or less permanently. To easily locate the installer, use either the timestamp or the script from Mandiant: https://raw.githubusercontent.com/mandiant/msi-search/main/msi_search.ps1
Run the located installer with:
msiexec.exe /fa C:\Windows\Installer\2847d63.msi
When the installer runs, note that two cmd windows flicker briefly.
Catch the cmd by quickly selecting some text.
Spawn a new SYSTEM cmd via: cmd -> properties -> "legacy console mode" link -> Internet Explorer -> Ctrl+O -> cmd.exe
Impact
Local elevation of privileges on every machine where the MSI installer can still be found. Rolling out the software via SCCM typically also leaves the MSI file on the machine.
Notes
Please let me know if you have any questions, and keep me updated about the progress and whether you can replicate this.
I would like to get a CVE assigned for this, if you agree.
Best Regards,
Matthias Zoellner
CYVISORY GROUP