SEC Consult Vulnerability Lab Security Advisory < 20240627-0 >
=======================================================================
title: Local Privilege Escalation via MSI installer
product: SoftMaker Office / FreeOffice
vulnerable version: SoftMaker Office 2024 / NX before revision 1214
FreeOffice 2021 Revision 1068
FreeOffice 2024 before revision 1215
fixed version: SoftMaker Office 2024 / NX - revision 1214
FreeOffice 2024 - revision 1215
CVE number: CVE-2023-7270
impact: high
homepage: https://www.softmaker.com/en/
found: 2023-11-27
by: Michael Baer (Office Fürth)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"SoftMaker Office makes working with documents, spreadsheets and presentations
a breeze – whether you're on Windows, Linux, Mac, iOS or Android."
Source: https://www.softmaker.com/en/products/softmaker-office
Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.
SEC Consult highly recommends to perform a thorough security review of the
product conducted by security professionals to identify and resolve potential
further security issues.
Vulnerability overview/description:
-----------------------------------
1) Local Privilege Escalation via MSI installer (CVE-2023-7270)
The SoftMaker Office and FreeOffice MSI installer files were found to produce
a visible conhost.exe window running as the SYSTEM user when using the repair
function of msiexec.exe.
This allows a local, low-privileged attacker to use a chain of actions,
to open a fully functional cmd.exe with the privileges of the SYSTEM user.
Note:
This attack does not work using a recent version of the Edge Browser or
Internet Explorer. A different browser, such as Chrome or Firefox, needs to be
used. Also make sure, that Edge or IE have not been set as default browser
and that Firefox or Chrome are not running before attempting to exploit it.
Otherwise, the spawned process would be running with your own permissions and
the installer will just add a new tab to the browser, instead of spawning a
new process with SYSTEM.
Proof of concept:
-----------------
1) Local Privilege Escalation via MSI installer (CVE-2023-7270)
For the exploit to work, SoftMaker Office or FreeOffice have to be installed
via the MSI file. Afterwards, any low-privileged user can start the
repair of the software by double-clicking the installer and trigger
the vulnerable actions without a UAC popup. The installer, if deleted from it's
original location, can be found in C:\Windows\Installer with a randomized name.
During the repair process, a console application gets called with SYSTEM
privileges and performs a read action on some files.
SoftMaker Office: Executes 7z.exe, which reads
C:\Program Files\SoftMaker Office 2024\tb\7z.exe
FreeOffice: Executes syspin.exe, which reads
C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll
This can be used by an attacker by simply setting an oplock on the files
mentioned before.
As soon as it gets read, the process is blocked until the lock is released.
To do that, one can use the 'SetOpLock.exe' tool from
"https://github.com/googleprojectzero/symboliclink-testing-tools"
with the following parameters:
while ($true) { SetOpLock.exe "C:\Program Files\SoftMaker Office 2024\tb\7z.exe" x }
while ($true) { SetOpLock.exe "C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll" x }
See figure 1 [soft_lock.png] and figure 2 [lock.png]
During the repair process, the locked file is accessed multiple times. The lock
has to be released by pressing ENTER several times before the window opens.
If the window appears, the lock should not be released to keep the
window open. The window that gets opened when the console program is
executed doesn't close and can then be interacted with.
Note 1: The syspin.exe window is minimized. When the lock is triggered, it
is advised to check the taskbar whether a window with a blue arrow,
see figure 7 [taskbar.png], exists.
The attacker can then perform the following actions to spawn a SYSTEM shell:
- Right click on the top bar of the window
- Click on properties, see figure 3 [soft_openbrowser.png] and figure 4 [openbrowser.png]
- Under options, click on the "new console features" link
- Open the link with e.g. firefox
- In the opened browser window press the key combination CTRL+o
- Type cmd.exe in the top bar and press Enter, see figure 5 [soft_cmd.png] and figure 6 [cmd.png]
Note 2: This does not work using a recent version of the Edge Browser.
Note 3: The program syspin.exe is invoked several times, sometimes without
elevated privileges. If the final cmd.exe is not elevated, release the lock
and wait for the next syspin.exe invocation. During our test, the fifth
window was run with elevated privileges.
Vulnerable / tested versions:
-----------------------------
The following versions have been tested by SEC Consult which were the most recent
versions available at the time of the test:
* SoftMaker Office 2024 - 24.0.6034
* FreeOffice 2021 Revision 1068
According to the vendor, all versions of SoftMaker Office NX/2024 before revision 1214
and FreeOffice 2024 before revision 1215 with the MSI installer are affected.
FreeOffice 2021 is unsupported and will not be fixed according to the vendor.
Vendor contact timeline:
------------------------
2023-12-02: Contacting vendor through sales@softmaker.de,
asking for security contact.
2023-12-07: Contacting vendor through https://www.softmaker.com/en/support/customer-support
asking for security contact.
2024-01-11: Contacting vendor through https://www.softmaker.com/en/support/customer-support
asking for security contact.
2024-01-11: Vendor provides security contact and asks for advisory
unencrypted
2024-01-12: Sending advisory draft unencrypted to security contact
2024-02-17: Asking for status of vulnerability, no response
2024-03-06: Asking for status of vulnerability, no response
2024-04-08: Asking for a status update, setting release date to
17th April.
2024-04-08: Vendor response, seems not to have received our previous mails.
Asking for deadline extension as a release it already planned.
2024-04-09: Sending advisory draft again, extending deadline.
2024-04-11: Asking whether email was received, confirmed. Sent proposed
solution.
2024-04-22: Asking when new release is planned and whether fixes could be
incorporated.
2024-04-23: Vendor response, current service pack update not including fixes,
planned in about 6 weeks.
2024-05-27: Vendor response, service pack / revision 1214 was published which fixes
the issue for Office 2024 and Office NX. FreeOffice 2024 will
be fixed in the next release mid June. FreeOffice 2021 is unsupported.
2024-06-11: Vendor: FreeOffice 2024 will be patched on 18th June, asks for advisory
release to be postponed a bit.
2024-06-17: Setting advisory release date for 27th June, reserving CVE.
2024-06-18: Vendor releases FreeOffice 2024 revision 1215.
2024-06-27: Release of security advisory.
Solution:
---------
The vendor provides a service pack version 1214 for SoftMaker Office 2024 and
SofMaker Office NX, which can be downloaded from:
https://softmaker.de/download/servicepacks
FreeOffice 2024 revision 1215:
https://www.freeoffice.com/de/download/servicepacks
FreeOffice 2021 is unsupported and will not be fixed according to the vendor.
Workaround:
-----------
None
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Michael Baer / 2024