| Product | Cryptomato |
| Vendor | Skymatic GmbH |
| Affected Versions | <=1.9.2 |
| Tested Versions | 1.9.2 |
| Subject | Improper Privilege Management - CWE-269 |
| Risk Level | Medium |
| Solution Status | Fixed |
| Manufacturer Notification | Aug 3 2023 |
| Solution Date | Aug 7 2023 |
| Public Disclosure | Aug 7 2023 |
| CVE Reference | CVE-2023-39520 |
| Author | Matthias Zöllner, Cyvisory Group GmbH |
The MSI installer provided on the homepage https://github.com/cryptomator/cryptomator/releases/download/1.9.2/Cryptomator-1.9.2-x64.msi allows LPE for low privileged users, via the repair function.
The problem occurs, as the repair function of the MSI is spawning an SYSTEM Powershell without the -NoProfile parameter. Therefore the profile of the user starting the repair will be loaded.
As a low privileged user do the following steps to reproduce:
Locate the msi installer under c:\windows\installer\ . You can also bring in a fresh one, as long as the version fits.
Generate a default profile for the user under %HOME%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1.
Add execution to the profile, e.g. Start-Process -FilePath cmd.exe -Wait;
Run the located installer with
msiexec.exe /fa '.\Cryptomator-1.9.2-x64(1).msi'
A SYSTEM cmd will spawn
Local Elevation of Privileges. On every machine, where the msi installer still can be found or can be brought to.
Adding the -NoProfile parameter to the powershell should help.
2023-08-03: Vulnerability discovered
2023-08-03: Vulnerability reported to manufacturer
2023-08-07: Fixed by Vendor
Found and reported by Matthias Zoellner from Cyvisory Group GmbH
E-Mail: [email protected]
Website: https://Cyvisory.group
The information provided in this security advisory is provided “as is” and without warranty of any kind.
