Local Privilege Escalation via MSI installer in PDF24 Creator (geek Software GmbH)

Title

Local Privilege Escalation via MSI installer

Product

PDF24 Creator (geek Software GmbH)

Vulnerable Version

<=11.15.1

Fixed Version

11.15.2

CVE Number

CVE-2023-49147

Impact

high

Found

16.10.2023

By

Lukas Donaubauer, Mario Keck (Office Munich) | SEC Consult Vulnerability Lab

The MSI installer of PDF24 Creator contains a privilege escalation vulnerability. This enables an attacker with GUI access to a system, where PDF24 Creator is installed via MSI, to escalate the privileges to SYSTEM level.

Vendor description

"pdf24.org is a project of geek software GmbH, a German company based in Berlin, that was founded in 2006. PDF24 offers free and easy to use PDF solutions for many PDF problems, online and as software for download. Solutions include the well-known PDF24 Creator and PDF24 Online Tools."

Source: https://www.pdf24.org/en/about-us


Business recommendation

The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.


Vulnerability overview/description

1) Local Privilege Escalation via MSI installer (CVE-2023-49147)

The configuration of the PDF24 Creator MSI installer file was found to produce a visible cmd.exe window running as the SYSTEM user when the repair function of msiexec.exe is used. This allows a local attacker to use a chain of actions to open a fully functional cmd.exe with the privileges of the SYSTEM user.

Note: This attack does not work using a recent version of the Edge browser or Internet Explorer. A different browser, such as Chrome or Firefox, needs to be used. Also make sure that Edge or IE has not been set as the default browser.


Proof of concept

1) Local Privilege Escalation via MSI installer (CVE-2023-49147)

For the exploit to work, the PDF24 Creator has to be installed via the MSI file. Afterwards, any low-privileged user can run the following command to start the repair of PDF24 Creator and trigger the vulnerable actions without a UAC popup:

msiexec.exe /fa <PATH TO INSTALLERFILE>\pdf24-creator-11.14.0-x64.msi

At the very end of the repair process, the sub-process pdf24-PrinterInstall.exe gets called with SYSTEM privileges and performs a write action on the file "C:\Program Files\PDF24\faxPrnInst.log". This can be used by an attacker by simply setting an oplock on the file as soon as it gets read. To do that, one can use the 'SetOpLock.exe' tool from "https://github.com/googleprojectzero/symboliclink-testing-tools" with the following parameters:

SetOpLock.exe "C:\Program Files\PDF24\faxPrnInst.log" r

If the oplock is set, the cmd window that gets opened when pdf24-PrinterInstall.exe is executed doesn't close. The attacker can then perform the following actions to spawn a SYSTEM shell:

  • right click on the top bar of the cmd window
  • click on properties
  • under options click on the "Legacyconsolemode" link
  • open the link with a browser other than internet explorer or edge (both don't open as SYSTEM when on Win11)
  • in the opened browser window press the key combination CTRL+o
  • type cmd.exe in the top bar and press Enter


Vulnerable / tested versions

The following versions have been tested; 11.14.0 was the latest version available at the time of the initial test:

  • 11.14.0 (pdf24-creator-11.14.0-x64.msi)
  • 11.15.1 (pdf24-creator-11.15.1-x64.msi)

A new version was released during our contact attempts (v11.15.1) which is also affected by the vulnerability.

The tests were conducted on an up-to-date Windows 10 system.


Vendor contact timeline

2023-10-20: Contacting vendor through team@pdf24.org; no response.
2023-11-14: Contacting vendor again through team@pdf24.org and stefan@pdf24.org - No response.
2023-11-17: Requesting CVE number
2023-11-23: Received CVE number
2023-11-27: Sending vendor CVE number and setting preliminary deadline for advisory release (11th December)
2023-11-27: Identified that latest version 11.15.1 is also vulnerable.
2023-11-28: Vendor response; it seems our emails ended up in spam. Sending advisory unencrypted upon vendor request.
2023-12-04: Asking for a status update. Further questions from vendor. Providing more details, clarification regarding Windows 11, browser usage and recommendation for fix.
2023-12-08: Vendor releases fixed version 11.15.2.
2023-12-11: Coordinated release of advisory.

Solution

The vendor provides a patched version 11.15.2 which can be downloaded from the vendor's website:

https://tools.pdf24.org/en/creator

Also check out the changelog from the vendor for further information: https://creator.pdf24.org/changelog/en.html


Workaround

Use the available EXE installer.
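To check whether a system is exposed, the following PowerShell script (an added example, not part of the SEC Consult advisory or any vendor tooling) enumerates the standard Uninstall registry hives, picks out PDF24 Creator entries, and flags those that were registered through the Windows Installer service (WindowsInstaller = 1, which an EXE-based install does not set) and whose version is below the fixed 11.15.2. The DisplayName match 'PDF24 Creator*' is an assumption about how the product registers itself.

```powershell
# Added example: flag MSI-based PDF24 Creator installs affected by CVE-2023-49147.
# Assumption: the product's Uninstall entry DisplayName starts with "PDF24 Creator".
$FixedVersion = [version]'11.15.2'   # first fixed version per the advisory

# Standard locations for per-machine Uninstall entries (64-bit and 32-bit views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-Pdf24Exposure {
    # Returns one object per matching Uninstall entry with an Exposed flag.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'PDF24 Creator*' } |
        ForEach-Object {
            $parsed = $null
            # DisplayVersion may be missing or malformed; treat unparsable as unknown.
            $versionOk = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)
            # WindowsInstaller = 1 marks an entry registered by msiexec (MSI package),
            # i.e. the install type affected by the advisory; the EXE installer
            # recommended as a workaround does not register this way.
            $isMsi = ($_.WindowsInstaller -eq 1)
            [pscustomobject]@{
                DisplayName  = $_.DisplayName
                Version      = $_.DisplayVersion
                MsiInstall   = $isMsi
                VersionKnown = $versionOk
                Exposed      = ($isMsi -and $versionOk -and ($parsed -lt $FixedVersion))
                RegistryPath = $_.PSPath
            }
        }
}

$results = @(Test-Pdf24Exposure)
if ($results.Count -eq 0) {
    Write-Output 'PDF24 Creator not found in the Uninstall registry hives.'
} else {
    $results | Format-Table DisplayName, Version, MsiInstall, VersionKnown, Exposed -AutoSize
    if ($results | Where-Object { $_.Exposed }) {
        Write-Output 'Exposed: update to 11.15.2 or later, or reinstall with the EXE installer.'
    }
}
```

Run it from an elevated or a standard PowerShell session; reading HKLM Uninstall keys requires no special privileges, so it is suitable for fleet-wide inventory scripts.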

Advisory URL

https://sec-consult.com/vulnerability-lab/

EOF Lukas Donaubauer, Mario Keck / @2023
