Afterwards, any low-privileged user can run the following command to start the repair of PDF24 Creator and trigger the vulnerable actions without a UAC popup: msiexec.exe /fa \pdf24-creator-11.14.0-圆4.msiĪt the very end of the repair process, the sub-process pdf24-PrinterInstall.exe gets called with SYSTEM privileges and performs a write action on the file "C:\Program Files\PDF24\faxPrnInst.log". Proof of concept 1) Local Privilege Escalation via MSI installer (CVE-2023-49147)įor the exploit to work, the PDF24 Creator has to be installed via the MSI file. Also make sure, that Edge or IE have not been set to the default browser. A different browser, such as Chrome or Firefox, needs to be used. Note: This attack does not work using a recent version of the Edge Browser or Internet Explorer. This allows a local attacker to use a chain of actions, to open a fully functional cmd.exe with the privileges of the SYSTEM user. The configuration of the PDF24 Creator MSI installer file was found to produce a visible cmd.exe window running as the SYSTEM user when using the repair function of msiexec.exe. Vulnerability overview/description 1) Local Privilege Escalation via MSI installer (CVE-2023-49147) SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. The vendor provides a patch which should be installed immediately. Solutions include the well-known PDF24 Creator and PDF24 Online Tools." PDF24 offers free and easy to use PDF solutions for many PDF problems, online and as software for download. " is a project of geek software GmbH, a German company based in Berlin, that was founded in 2006.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |