Product: Beamgun
Vendor: Josh Lospinoso
Affected Versions: <= 0.2.4
Tested Versions: 0.2.4
Subject: Improper Privilege Management - CWE-269
Risk Level: Medium
Solution Status: unfixed
Manufacturer Notification: Jul 21 2023
Solution Date:
Public Disclosure: Oct 13 2023
CVE Reference:
Author: Matthias Zöllner, Cyvisory Group GmbH

Summary

The MSI installer provided on the homepage https://lospi.net/beamgun/ allows local privilege escalation (LPE) for low-privileged users via its repair function.

Details

The problem occurs because the repair function of the MSI spawns SCHTASKS.EXE from a custom action with Impersonate="no", i.e. as SYSTEM, in a visible console window. If that window can be caught, LPE is possible via a very simple breakout.

The affected custom actions are defined here: https://github.com/JLospinoso/beamgun/blob/master/BeamgunInstaller/Library.wxs#L104-L107

<CustomAction Id='CreateBeamgunTask' Return="check" Execute="commit" Directory="TARGETDIR" Impersonate="no"
    ExeCommand="&quot;[SystemFolder]SCHTASKS.EXE&quot; /Create /SC ONLOGON /TN &quot;Beamgun&quot; /TR &quot;&apos;[BEAMGUNDIR]BeamgunApp.exe&apos;&quot; /RU [LogonUser] /F /RL HIGHEST"/>
<CustomAction Id='RemoveBeamgunTask' Return="ignore" Execute="commit" Directory="TARGETDIR" Impersonate="no"
    ExeCommand="&quot;[SystemFolder]SCHTASKS.EXE&quot; /Delete /TN &quot;Beamgun&quot; /F"/>

Proof of Concept (PoC)

As a low-privileged user, do the following steps to reproduce:

  • Locate the MSI installer under C:\Windows\Installer\. The installer stays cached there indefinitely. To easily locate it, use either the timestamp or the script from Mandiant: https://raw.githubusercontent.com/mandiant/msi-search/main/msi_search.ps1

  • Run the located installer in repair mode with: msiexec.exe /fa C:\Windows\Installer\2847d63.msi

  • When the installer runs, note that two windows flicker briefly.

  • Catch the conhost window by quickly selecting some text in it.

  • Spawn a new SYSTEM cmd via: cmd -> Properties -> "legacy console mode" link -> Internet Explorer -> CTRL+O -> cmd.exe


Impact

Local elevation of privileges on every machine where the MSI installer is still cached or can be brought to.

Workaround / Fix

The custom actions should be changed to use WixQuietExec, so that SCHTASKS.EXE runs without a visible console window that a local user could interact with:

https://wixtoolset.org/docs/v3/customactions/qtexec/
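As an added example (not the author's or the project's own code), the two custom actions from the Details section rewritten to use WiX v3's WixQuietExec, which starts the command line without creating a console window and writes its output to the MSI log. The command lines are the ones from the affected Library.wxs snippet; the property-setting action names, the InstallExecuteSequence placement and the conditions are assumptions, since the project's real sequencing is not shown on this page. Building this requires linking with WixUtilExtension (light.exe -ext WixUtilExtension), which provides the WixCA binary.

```xml
<!-- Added example: hardened replacement for the CreateBeamgunTask / RemoveBeamgunTask
     custom actions. The original actions used ExeCommand, which launches SCHTASKS.EXE
     as SYSTEM in its own visible console window during the repair/commit phase. -->

<!-- Step 1: an immediate action stores the command line in a property whose name equals
     the Id of the commit action below. WixQuietExec reads that value from CustomActionData
     when the script runs. Quoting is kept exactly as in the original ExeCommand. -->
<CustomAction Id="SetCreateBeamgunTaskCmd" Property="CreateBeamgunTask" Execute="immediate"
    Value="&quot;[SystemFolder]SCHTASKS.EXE&quot; /Create /SC ONLOGON /TN &quot;Beamgun&quot; /TR &quot;&apos;[BEAMGUNDIR]BeamgunApp.exe&apos;&quot; /RU [LogonUser] /F /RL HIGHEST"/>

<!-- Step 2: execute it through WixQuietExec. It still runs as SYSTEM (Impersonate="no"),
     but no console window is created, so there is nothing on the desktop to break out of.
     stdout/stderr of SCHTASKS.EXE end up in the MSI log instead. -->
<CustomAction Id="CreateBeamgunTask" BinaryKey="WixCA" DllEntry="WixQuietExec"
    Execute="commit" Return="check" Impersonate="no"/>

<!-- Same pattern for the removal action (Return="ignore" as in the original). -->
<CustomAction Id="SetRemoveBeamgunTaskCmd" Property="RemoveBeamgunTask" Execute="immediate"
    Value="&quot;[SystemFolder]SCHTASKS.EXE&quot; /Delete /TN &quot;Beamgun&quot; /F"/>
<CustomAction Id="RemoveBeamgunTask" BinaryKey="WixCA" DllEntry="WixQuietExec"
    Execute="commit" Return="ignore" Impersonate="no"/>

<!-- Step 3: sequencing (assumed placement). The property-setting actions must run in the
     immediate phase before the script is generated; the commit actions must be scheduled
     between InstallInitialize and InstallFinalize. -->
<InstallExecuteSequence>
    <Custom Action="SetCreateBeamgunTaskCmd" After="CostFinalize"/>
    <Custom Action="SetRemoveBeamgunTaskCmd" After="CostFinalize"/>
    <Custom Action="RemoveBeamgunTask" Before="RemoveFiles">REMOVE="ALL"</Custom>
    <Custom Action="CreateBeamgunTask" After="InstallFiles">NOT REMOVE</Custom>
</InstallExecuteSequence>
```

The same pattern applies to any other EXE custom action in an installer that runs with Impersonate="no": keep the elevated step, but never give it a window on the interactive desktop. Because the MSI stays cached under C:\Windows\Installer and the repair function is reachable by standard users, a fix has to ship as a new package version; the cached copy of 0.2.4 remains exploitable until it is replaced or removed.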

Disclosure Timeline

2023-07-20: Vulnerability discovered
2023-07-21: Vulnerability reported to manufacturer via github
2023-10-13: Public disclosure, as the project appears to be no longer maintained

Credits

Found and reported by Matthias Zoellner from Cyvisory Group GmbH

E-Mail: [email protected]
Website: https://Cyvisory.group

Disclaimer

The information provided in this security advisory is provided “as is” and without warranty of any kind.