Opened 6 years ago

Closed 6 years ago

#11622 closed Bug report (fixed)

Privilege escalation vulnerability in installer due to executing uninstaller using unquoted path

Reported by: Raymond Owned by: Tim Kosse
Priority: high Component: FileZilla Client
Keywords: unquoted uninstall Cc:
Component version: 3.33.0.0 Operating system type: Windows
Operating system version: Win7, Server 2008

Description

Ticket #10832 showed this as closed in v3.17.0.1. I just updated a machine with v3.33.0.0 and our AlienValue issued similar message as in Ticket #10832 (below).

I have verified that the UninstallString is unquoted in my registry settings for both Client and Server. ray

-- Alert --

Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FileZilla Client|C:\Program Files\FileZilla FTP Client\uninstall.exe
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FileZilla Server|C:\Program Files (x86)\FileZilla Server\uninstall.exe

Impact:

A local attacker could gain elevated privileges by inserting an executable file in the path of the affected service or uninstall entry.

Solution:

Either put the listed vulnerable paths in quotation by manually using the onboard Registry editor or contact your vendor to get an update
for the specified software that fixes this vulnerability.

Change History (2)

comment:1 by Tim Kosse, 6 years ago

Owner: set to Tim Kosse
Status: newaccepted

Under normal circumstances this is harmless, creating c:\Program.exe requires administrative permissions. Any program able to create that file does not need to escalate privileges to begin with.

It only affects custom installations in non-standard locations.

comment:2 by Tim Kosse, 6 years ago

Resolution: fixed
Status: acceptedclosed
Note: See TracTickets for help on using tickets.