PDF24 Creator 11.15.1 Local Privilege Escalation
Posted Dec 13, 2023
Authored by Mario Keck, Lukas Donaubauer | Site sec-consult.com

PDF24 Creator versions 11.15.1 and below suffer from a local privilege escalation vulnerability via the MSI installer.

tags | exploit, local
advisories | CVE-2023-49147
SHA-256 | 968fc9fb4051bc72306845d86156cb25074805a3bb032972995cac553c60f125

SEC Consult Vulnerability Lab Security Advisory < 20231211-0 >
=======================================================================
title: Local Privilege Escalation via MSI installer
product: PDF24 Creator (geek Software GmbH)
vulnerable version: <=11.15.1
fixed version: 11.15.2
CVE number: CVE-2023-49147
impact: High
homepage: https://tools.pdf24.org/en/creator/
found: 2023-10-16
by: Lukas Donaubauer (Office Munich)
Mario Keck (Office Munich)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult, an Eviden business
Europe | Asia

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"pdf24.org is a project of geek software GmbH, a German company based in Berlin,
that was founded in 2006. PDF24 offers free and easy to use PDF solutions for
many PDF problems, online and as software for download. Solutions include the
well-known PDF24 Creator and PDF24 Online Tools."

Source: https://www.pdf24.org/en/about-us


Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends performing a thorough security review of the product,
conducted by security professionals, to identify and resolve potential further
security issues.


Vulnerability overview/description:
-----------------------------------
1) Local Privilege Escalation via MSI installer (CVE-2023-49147)
The configuration of the PDF24 Creator MSI installer file was found to
produce a visible cmd.exe window running as the SYSTEM user when using
the repair function of msiexec.exe. This allows a local attacker to use
a chain of actions to open a fully functional cmd.exe with the privileges
of the SYSTEM user.

Note: This attack does not work using a recent version of the Edge browser or
Internet Explorer. A different browser, such as Chrome or Firefox, needs to be
used. Also make sure that Edge or IE has not been set as the default browser.


Proof of concept:
-----------------
1) Local Privilege Escalation via MSI installer (CVE-2023-49147)
For the exploit to work, the PDF24 Creator has to be installed via the MSI file.
Afterwards, any low-privileged user can run the following command to start the
repair of PDF24 Creator and trigger the vulnerable actions without a UAC popup:

msiexec.exe /fa <PATH TO INSTALLERFILE>\pdf24-creator-11.14.0-x64.msi

At the very end of the repair process, the sub-process pdf24-PrinterInstall.exe gets
called with SYSTEM privileges and performs a write action on the file
"C:\Program Files\PDF24\faxPrnInst.log". This can be used by an attacker by simply
setting an oplock on the file as soon as it gets read. To do that, one can use the
'SetOpLock.exe' tool from "https://github.com/googleprojectzero/symboliclink-testing-tools"
with the following parameters:

SetOpLock.exe "C:\Program Files\PDF24\faxPrnInst.log" r

If the oplock is set, the cmd window that gets opened when pdf24-PrinterInstall.exe
is executed doesn't close. The attacker can then perform the following actions to
spawn a SYSTEM shell:
- right click on the top bar of the cmd window
- click on properties
- under options click on the "Legacyconsolemode" link
- open the link with a browser other than internet explorer or edge (both don't open as SYSTEM when on Win11)
- in the opened browser window press the key combination CTRL+o
- type cmd.exe in the top bar and press Enter
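From a defender's standpoint, the chain above leaves a distinctive process lineage: interactive shells and browsers running as SYSTEM underneath the Windows Installer service and pdf24-PrinterInstall.exe. The following detection logic is an added example, not part of the advisory; it runs over constructed process-creation records in a simple pipe-separated format (pid|ppid|image path|user) that stands in for real EDR or Sysmon telemetry.

```python
"""Flag SYSTEM-level shells/browsers descending from msiexec.exe.
Added detection example; the log format and sample records are constructed."""
from dataclasses import dataclass
from typing import Dict, List

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Images an MSI repair running as SYSTEM has no legitimate reason to launch.
SUSPECT_IMAGES = {"cmd.exe", "powershell.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample mirroring the advisory's chain: Installer service (SYSTEM)
# -> pdf24-PrinterInstall.exe -> cmd.exe -> browser -> cmd.exe.
SAMPLE_LOG = """
# pid|ppid|image|user
900|1|C:\\Windows\\System32\\services.exe|NT AUTHORITY\\SYSTEM
1200|900|C:\\Windows\\System32\\msiexec.exe|NT AUTHORITY\\SYSTEM
1300|800|C:\\Windows\\System32\\msiexec.exe|DESKTOP\\lowpriv
1400|1200|C:\\Program Files\\PDF24\\pdf24-PrinterInstall.exe|NT AUTHORITY\\SYSTEM
1500|1400|C:\\Windows\\System32\\cmd.exe|NT AUTHORITY\\SYSTEM
1600|1500|C:\\Program Files\\Mozilla Firefox\\firefox.exe|NT AUTHORITY\\SYSTEM
1700|1600|C:\\Windows\\System32\\cmd.exe|NT AUTHORITY\\SYSTEM
2000|700|C:\\Windows\\System32\\cmd.exe|DESKTOP\\lowpriv
"""

@dataclass
class Proc:
    pid: int
    ppid: int
    image: str  # lower-cased file name only
    user: str

def parse_records(lines: List[str]) -> Dict[int, Proc]:
    """Parse the constructed 'pid|ppid|path|user' records into a pid -> Proc map."""
    procs: Dict[int, Proc] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, ppid, path, user = line.split("|")
        procs[int(pid)] = Proc(int(pid), int(ppid), path.rsplit("\\", 1)[-1].lower(), user)
    return procs

def descends_from(procs: Dict[int, Proc], pid: int, ancestor_image: str) -> bool:
    """Walk the parent chain; guard against cycles and missing (exited) parents."""
    seen = set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        parent = procs.get(cur.ppid)
        if parent is not None and parent.image == ancestor_image:
            return True
        cur = parent
    return False

def find_system_shells(lines: List[str]) -> List[int]:
    """Return pids of suspect images running as SYSTEM under an msiexec.exe ancestor."""
    procs = parse_records(lines)
    return sorted(p.pid for p in procs.values()
                  if p.image in SUSPECT_IMAGES and p.user == SYSTEM_USER
                  and descends_from(procs, p.pid, "msiexec.exe"))

if __name__ == "__main__":
    print("Suspicious SYSTEM processes:", find_system_shells(SAMPLE_LOG.splitlines()))
```

A low-privileged user's own msiexec.exe client (pid 1300) and their own cmd.exe (pid 2000) are not flagged; only the SYSTEM-level cmd.exe/firefox.exe/cmd.exe chain under the Installer service is.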


Vulnerable / tested versions:
-----------------------------
The following versions have been tested; each was the latest version available
at the time of the respective test:
* 11.14.0 (pdf24-creator-11.14.0-x64.msi)
* 11.15.1 (pdf24-creator-11.15.1-x64.msi)

A new version was released during our contact attempts (v11.15.1) which is
also affected by the vulnerability.

The tests were conducted on an up-to-date Windows 10 system.


Vendor contact timeline:
------------------------
2023-10-20: Contacting vendor through team@pdf24.org; no response.
2023-11-14: Contacting vendor again through team@pdf24.org and stefan@pdf24.org
No response.
2023-11-17: Requesting CVE number
2023-11-23: Received CVE number
2023-11-27: Sending vendor CVE number and setting preliminary deadline for
advisory release (11th December)
2023-11-27: Identified that latest version 11.15.1 is also vulnerable.
2023-11-28: Vendor response; it seems our emails ended up in spam.
Sending advisory unencrypted upon vendor request.
2023-12-04: Asking for a status update. Further questions from vendor.
Providing more details, clarification regarding Windows 11, browser
usage and recommendation for fix.
2023-12-08: Vendor releases fixed version 11.15.2.
2023-12-11: Coordinated release of advisory.


Solution:
---------
The vendor provides a patched version 11.15.2 which can be downloaded from the
vendor's website:

https://tools.pdf24.org/en/creator

Also check out the changelog from the vendor for further information:
https://creator.pdf24.org/changelog/en.html


Workaround:
-----------
Use the available EXE installer.


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF L. Donaubauer, M. Keck / @2023