OffensiveOceloot / advisories


All five "security issues" are completely silly #1

Closed OleksandrShkurat closed 3 years ago

OleksandrShkurat commented 3 years ago

Do you really think that all 100% of software should live exclusively in 'Program Files'? Do you really think that the software should not even allow us to choose any other installation path during the installation process? Do you really think that the "non-secure" installation path is the issue of the software itself but not the issue of its installer? Do you really think that only the one latest version of each application is affected by this "issue"?

You know what? It looks like you've found the simple idea that has allowed you to feel appraised and to have some "power" over others, and that's the only reason why you have posted them.

OffensiveOceloot commented 3 years ago

Hi, thank you for your feedback. I think you mentioned some valid points, even though the criticism can be expressed more objectively. I stumbled across these vulnerable programs by accident during some security research. After I confirmed the problem, I contacted both involved developers and explained the issue. One vendor answered quite fast but unfortunately decided not to consider this as a problem. The second one never replied.

All of the five vulnerabilities you mentioned are quite similar and the underlying security problem is the same. In each case, the executable that will be started is writable by any low privileged user on Windows (everyone in the group “Authenticated Users”). Binaries or directories that are not properly protected are vulnerable to possible manipulation, which can lead to privilege escalation or lateral movement on the local system – or worse – in a corporate network. This problem is specified and described in general by the MITRE Corporation as CWE-276 (https://cwe.mitre.org/data/definitions/276.html). At this point, three out of the five vulnerabilities have already been evaluated by the NIST with either a CVSS score of 7.3 or 7.8. This illustrates the severity of the issue.

By setting the default installation path, for example, to “C:\ProgramX\”, the created folder inherits the folder and file permissions from “C:\”, which are by default modifiable. “C:\ProgramX\” and the files it contains can now be modified without special permissions by everyone in the group “Authenticated Users”. This applies as long as they aren’t changed by the program itself or the user. I take it that the majority of the users aren’t aware of these circumstances and won't manually secure the default permissions of the program. Further, it is assumed that a large number of users also won't change the default settings during the installation process.

It’s up to the user to change the folder for the installation, but I think that the default installation settings shouldn’t be a potential security risk for the users. Even when the program is not installed in the “Program Files” folder, it is possible for the program to change the default permissions so only privileged users can modify the installation directory and the associated files. These issues were tested with the specified versions, even though I might reasonably suspect that previous versions are also affected.
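As an added illustration of the condition described in the reply above (this is not code from the thread or from either vendor), the PowerShell below audits an installation directory and its files for write-type rights inherited by Everyone, Authenticated Users or Users, and shows the hardening an installer could apply instead of relying on "Program Files". It assumes Windows PowerShell 5.1 or later, the built-in `Get-Acl` and `icacls.exe`, and the hypothetical path `C:\ProgramX` from the discussion; the hardening step needs an elevated prompt.

```powershell
# Well-known SIDs for the broad groups that inherit Modify from C:\ by default.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')  # Everyone, Authenticated Users, BUILTIN\Users

# Rights that allow a low-privileged user to replace or alter a file or folder (CWE-276).
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-WeakAce {
    # Returns one record per Allow ACE that grants a broad group any write-type right on $Path.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable identity: skip rather than misreport
        if ($BroadSids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited    # True when it came from C:\ as the reply describes
            }
        }
    }
}

function Find-WeakInstallFiles {
    # Audits the install root plus every file and subfolder beneath it.
    param([Parameter(Mandatory)][string]$InstallRoot)
    Get-WeakAce -Path $InstallRoot
    Get-ChildItem -LiteralPath $InstallRoot -Recurse -Force | ForEach-Object { Get-WeakAce -Path $_.FullName }
}

function Protect-InstallDir {
    # What an installer can do outside "Program Files": stop inheriting from C:\ and
    # keep only SYSTEM/Administrators full control, with Users read+execute.
    # SIDs are used so the call is locale-independent. Requires elevation.
    param([Parameter(Mandatory)][string]$InstallRoot)
    & icacls.exe $InstallRoot /inheritance:r `
        /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX' /T /C | Out-Null
    Find-WeakInstallFiles -InstallRoot $InstallRoot   # expected to return nothing afterwards
}

# Hypothetical install location from the thread; a fresh folder under C:\ normally
# reports "NT AUTHORITY\Authenticated Users" with Modify, Inherited = True.
Find-WeakInstallFiles -InstallRoot 'C:\ProgramX' | Format-Table -AutoSize
```

Run the audit as a standard user to see what a low-privileged account is actually granted; run `Protect-InstallDir` only from an elevated session and only on a directory you own.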