Privilege escalation vulnerability in installer due to executing uninstaller using unquoted path
| Reported by: | Tim Kosse | Owned by: | |
| Component version: | | Operating system type: | Windows |
| Operating system version: | | | |
As received via mail:
It seems that the setup.exe is prone to an unquoted path vulnerability.
More info on the vuln itself: https://cwe.mitre.org/data/definitions/428.html
While it sends the command:
"C:\Program Files\FileZilla FTP Client\uninstall.exe _?=C:\Program Files\FileZilla FTP Client"
It fails to quote the path correctly and launches any program named Program.exe in c: with administrator rights (or Filezilla.exe/Filezilla FTP.exe in Program Files).
I've made a piece of code to help me investigate this (get the command and the parent process) and a video as proof of concept.
This trick can be used by malware to gain admin privileges or persistence on a compromised Windows system (for info, I'm on Win7 SP1 x64, but it should work for all systems as it's a common Windows vulnerability).
I didn't investigate the previous versions, but they are possibly vulnerable too.
A cool way to trigger the vulnerability is to wait for an update, as it launches the same unquoted command (that's where it was first discovered, and that's why it concerns the client too, not only the install.exe).
Cyril Vallicari /Ug_0 Security
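
Added example, not part of the ticket or the reporter's code: a simplified Python model of the documented CreateProcess parsing of an unquoted command line, written as an audit check that lists the paths Windows tries before the intended uninstaller. The function names and the `exists` predicate are hypothetical, and it assumes the outer quotes in the reported command only delimit the string; relative paths and search-path lookup are not modelled.

```python
import ntpath

# From the report. Assumption: the outer quotes there only delimit the string.
INTENDED = r"C:\Program Files\FileZilla FTP Client\uninstall.exe"
ARGS = r"_?=C:\Program Files\FileZilla FTP Client"
REPORTED = INTENDED + " " + ARGS


def with_exe(path):
    """CreateProcess appends .exe when the file name has no extension."""
    return path if ntpath.splitext(path)[1] else path + ".exe"


def candidates(cmdline, exists):
    """Executables tried, in order, when lpApplicationName is NULL.
    `exists` is a predicate standing in for the file system."""
    cmdline = cmdline.lstrip()
    if cmdline.startswith('"'):  # quoted first token: one interpretation only
        end = cmdline.find('"', 1)
        return [with_exe(cmdline[1:end] if end != -1 else cmdline[1:])]
    tried, pos = [], cmdline.find(" ")
    while True:
        cand = with_exe(cmdline if pos == -1 else cmdline[:pos])
        tried.append(cand)
        if pos == -1 or exists(cand):
            return tried
        pos = cmdline.find(" ", pos + 1)


def ambiguous_paths(cmdline, intended, exists):
    """Paths tried before `intended`; an audit should confirm that none of
    them exists or can be created by an unprivileged user."""
    out = []
    for cand in candidates(cmdline, exists):
        if cand.lower() == intended.lower():
            break
        out.append(cand)
    return out


def only_intended_exists(path):
    """Constructed file system: nothing but the real uninstaller is present."""
    return path.lower() == INTENDED.lower()


def quoted(exe, args):
    """Command line with the executable path quoted, as CWE-428 requires."""
    return f'"{exe}" {args}'
```

Run against the reported command, `ambiguous_paths` returns the same three locations the report names; for the output of `quoted` it returns an empty list.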