| Product | Cryptomato |
| Vendor | Skymatic GmbH |
| Affected Versions | <=1.9.1 |
| Tested Versions | 1.9.1 |
| Subject | Improper Privilege Management - CWE-269 |
| Risk Level | Medium |
| Solution Status | Fixed |
| Manufacturer Notification | Jul 20 2023 |
| Solution Date | Jul 24 2023 |
| Public Disclosure | Jul 24 2023 |
| CVE Reference | CVE-2023-37907 |
| Author | Matthias Zöllner, Cyvisory Group GmbH |
The MSI installer provided on the homepage https://github.com/cryptomator/cryptomator/releases/download/1.9.1/Cryptomator-1.9.1-x64.msi allows LPE for low privileged users, via the repair function.
The problem occurs, as the repair function of the MSI is spawning two administrative cmds. If caught, a simple LPE is possible via a very simple breakout.
As a low privileged user do the following steps to reproduce:
Locate the msi installer under c:\windows\installer\ . The installer gets cached here for almost forever. To easily locate the installer, use either the timestamp or the script from Mandiant: https://raw.githubusercontent.com/mandiant/msi-search/main/msi_search.ps1
Run the located installer with
msiexec.exe /fa C:\Windows\Installer\2847d63.msi
When the installer runs, note that there are two cmd windows flickering.
Catch the cmd, by quickly selecting some text
Spawn a new SYSTEM cmd via: cmd -> properties -> “legacy console mode” Link -> Internet Explorer -> CTRL+O -> cmd.exe
Local Elevation of Privileges. On every machine, where the msi installer still can be found or can be brought to.
It should be able to add a WixQuietExec to the custom action.
https://wixtoolset.org/docs/v3/customactions/qtexec/
2023-07-20: Vulnerability discovered
2023-07-20: Vulnerability reported to manufacturer
2023-07-24: Fixed by vendor
2023-08-01: Public disclosure of vulnerability
Found and reported by Matthias Zoellner from Cyvisory Group GmbH
E-Mail: [email protected]
Website: https://Cyvisory.group
The information provided in this security advisory is provided “as is” and without warranty of any kind.
