Local Privilege Escalation via MSI installer in SoftMaker Office / FreeOffice

Title

Local Privilege Escalation via MSI installer

Product

SoftMaker Office / FreeOffice

Vulnerable Version

SoftMaker Office 2024 / NX before revision 1214, FreeOffice 2021 Revision 1068, FreeOffice 2024 before revision 1215

Fixed Version

SoftMaker Office 2024 / NX - revision 1214, FreeOffice 2024 - revision 1215

CVE Number

CVE-2023-7270

Impact

high

Homepage

https://www.softmaker.com/en/

Found

27.11.2023

By

Michael Baer (Office Fürth) | SEC Consult Vulnerability Lab

The MSI installers of SoftMaker Office and FreeOffice (SoftMaker) contained a privilege escalation vulnerability. This enabled a local, low-privileged attacker with GUI access to a system, where SoftMaker Office or FreeOffice are installed via MSI, to escalate the privileges to SYSTEM level.

Vendor description

"SoftMaker Office makes working with documents, spreadsheets and presentations a breeze – whether you're on Windows, Linux, Mac, iOS or Android."

Source: https://www.softmaker.com/en/products/softmaker-office


Business recommendation

The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues.


Vulnerability overview/description

1) Local Privilege Escalation via MSI installer (CVE-2023-7270)

The SoftMaker Office and FreeOffice MSI installer files were found to produce a visible conhost.exe window running as the SYSTEM user when using the repair function of msiexec.exe.

This allows a local, low-privileged attacker to use a chain of actions, to open a fully functional cmd.exe with the privileges of the SYSTEM user.

Note:
This attack does not work using a recent version of the Edge Browser or Internet Explorer. A different browser, such as Chrome or Firefox, needs to be used. Also make sure, that Edge or IE have not been set as default browser and that Firefox or Chrome are not running before attempting to exploit it. Otherwise, the spawned process would be running with your own permissions and the installer will just add a new tab to the browser, instead of spawning a new process with SYSTEM.


Proof of concept

1) Local Privilege Escalation via MSI installer (CVE-2023-7270)

For the exploit to work, SoftMaker Office or FreeOffice have to be installed via the MSI file. Afterwards, any low-privileged user can start the repair of the software by double-clicking the installer and trigger the vulnerable actions without a UAC popup. The installer, if deleted from it's original location, can be found in C:\Windows\Installer with a randomized name.

During the repair process, a console application gets called with SYSTEM privileges and performs a read action on some files.

SoftMaker Office: Executes 7z.exe, which reads

C:\Program Files\SoftMaker Office 2024\tb\7z.exe

FreeOffice: Executes syspin.exe, which reads

C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll

This can be used by an attacker by simply setting an oplock on the files mentioned before.

As soon as it gets read, the process is blocked until the lock is released.

To do that, one can use the 'SetOpLock.exe' tool from "https://github.com/googleprojectzero/symboliclink-testing-tools" with the following parameters:

while ($true) { SetOpLock.exe "C:\Program Files\SoftMaker Office 2024\tb\7z.exe" x }
while ($true) { SetOpLock.exe "C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll" x }

 

Figure 1: Executing msiexec.exe to repair the SoftMaker Office MSI file, running "SetOpLock.exe" to set a lock
Figure 2: Executing msiexec.exe to repair the FreeOffice MSI file, running "SetOpLock.exe" to set a lock
Figure 3: Console window properties, clicking on "new console features", opening the browser "Firefox" (or Chrome), but others won't work
Figure 4: Same for FreeOffice 2021, just a different console window
Figure 5: Gaining SYSTEM access rights via SoftMaker Office MSI installer
Figure 6: Gaining SYSTEM access rights via FreeOffice MSI installer
Figure 7: Taskbar icon to look out for because the syspin.exe window is minimized

During the repair process, the locked file is accessed multiple times. The lock has to be released by pressing ENTER several times before the window opens.

If the window appears, the lock should not be released to keep the window open. The window that gets opened when the console program is executed doesn't close and can then be interacted with.

Note 1: The syspin.exe window is minimized. When the lock is triggered, it is advised to check the taskbar whether a window with a blue arrow [see figure 7] exists.

The attacker can then perform the following actions to spawn a SYSTEM shell:

  • Right click on the top bar of the window
  • Click on properties (see figure 3 and figure 4).
  • Under options, click on the "new console features" link
  • Open the link with e.g. firefox
  • In the opened browser window press the key combination CTRL+o
  • Type cmd.exe in the top bar and press Enter, see figure 5 and figure 6.

 

Note 2: This does not work using a recent version of the Edge Browser.

Note 3: The program syspin.exe is invoked several times, sometimes without elevated privileges. If the final cmd.exe is not elevated, release the lock and wait for the next syspin.exe invocation. During our test, the fifth window was run with elevated privileges.

Vulnerable / tested versions

The following versions have been tested by SEC Consult which were the most recent versions available at the time of the test:

  • SoftMaker Office 2024 - 24.0.6034
  • FreeOffice 2021 Revision 1068

According to the vendor, all versions of SoftMaker Office NX/2024 before revision 1214 and FreeOffice 2024 before revision 1215 with the MSI installer are affected.

FreeOffice 2021 is unsupported and will not be fixed according to the vendor.


Vendor contact timeline

2023-12-02 Contacting vendor through sales@softmaker.de, asking for security contact.
2023-12-07 Contacting vendor through https://www.softmaker.com/en/support/customer-support asking for security contact.
2024-01-11 Contacting vendor through https://www.softmaker.com/en/support/customer-support asking for security contact.
2024-01-11 Vendor provides security contact and asks for advisory unencrypted
2024-01-12 Sending advisory draft unencrypted to security contact
2024-02-17 Asking for status of vulnerability, no response
2024-03-06 Asking for status of vulnerability, no response
2024-04-08 Asking for a status update, setting release date to 17th April.
2024-04-08 Vendor response, seems not to have received our previous mails. Asking for deadline extension as a release it already planned.
2024-04-09 Sending advisory draft again, extending deadline.
2024-04-11 Asking whether email was received, confirmed. Sent proposed solution.
2024-04-22 Asking when new release is planned and whether fixes could be incorporated.
2024-04-23 Vendor response, current service pack update not including fixes, planned in about 6 weeks.
2024-05-27 Vendor response, service pack / revision 1214 was published which fixes the issue for Office 2024 and Office NX. FreeOffice 2024 will be fixed in the next release mid June. FreeOffice 2021 is unsupported.
2024-06-11 Vendor: FreeOffice 2024 will be patched on 18th June, asks for advisory release to be postponed a bit.
2024-06-17 Setting advisory release date for 27th June, reserving CVE.
2024-06-18 Vendor releases FreeOffice 2024 revision 1215.
2024-06-27 Release of security advisory.

Solution

The vendor provides a service pack version 1214 for SoftMaker Office 2024 and SofMaker Office NX, which can be downloaded from:
https://softmaker.de/download/servicepacks

FreeOffice 2024 revision 1215:
https://www.freeoffice.com/de/download/servicepacks

FreeOffice 2021 is unsupported and will not be fixed according to the vendor.


Workaround

None

 

Advisory URL

https://sec-consult.com/vulnerability-lab/

EOF Michael Baer  @2024

 

Interested to work with the experts of SEC Consult? Send us your application

Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices

Back