SEC Consult Vulnerability Lab Security Advisory < 20240930-0 > ======================================================================= title: Local Privilege Escalation via MSI Installer product: Nitro PDF Pro vulnerable version: <14.26.1.0 <13.70.8.82 fixed version: 14.26.1.0 or higher 13.70.8.82 or higher CVE number: CVE-2024-35288 impact: high homepage: https://www.gonitro.com/ found: 2023-12-19 by: Sandro Einfeldt Michael Baer (Office Munich) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "We are on a mission to deliver a one-of-a-kind platform that accelerates document productivity for businesses around the world. Nitro was born in a bustling Melbourne laneway back in 2005. It started with a team of three, a single product and a goal to provide the world with better tools for everyday work. Our team now spans the globe and works with over half of the Fortune 500, but we haven't strayed too far from our roots. We put our customers, employees, and communities at the center of everything we do." Source: https://www.gonitro.com/about/our-story Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Local Privilege Escalation via MSI Installer (CVE-2024-35288) The Nitro PDF Pro application uses a .msi installer file (embedded into an executable .exe installer file) for installation. The MSI installer uses custom actions in repair mode in an unsafe way. Attackers with low-privileged system access to a Windows system where Nitro PDF Pro is installed, can exploit the cached MSI installer's custom actions to effectively escalate privileges and get a command prompt running in context of NT AUTHORITY\SYSTEM. Note: This attack does not work using a recent version of the Edge Browser or Internet Explorer. A different browser, such as Chrome or Firefox, needs to be used. Also make sure, that Edge or IE have not been set as default browser and that Firefox or Chrome are not running before attempting to exploit it. Otherwise, the spawned process would be running with your own permissions and the installer will just add a new tab to the browser, instead of spawning a new process with SYSTEM. Proof of concept: ----------------- 1) Local Privilege Escalation via MSI Installer (CVE-2024-35288) After the installation of the software in standard configuration, any low- privileged user can access the cached (randomly named) .msi file in the following directory: C:\Windows\Installer A low privileged attacker can start the installer in repair mode (which is then running with SYSTEM privileges) without UAC popping up, by using the following command: msiexec.exe /fa C:\Installer\<installer name>.msi At the end of the repair process, three sub-processes (certutil.exe), called by MSI custom actions, perform the following operations: [SystemFolder]CertUtil –addstore –f "ca" "[APPLICATIONFOLDER]notarius-root-certificate-authority.cer" [SystemFolder]CertUtil –addstore –f "ca" "[APPLICATIONFOLDER]notarius-certificate-authority.cer" [SystemFolder]CertUtil –addstore –f "ca" "[APPLICATIONFOLDER]notarius-root-certificate-authority_2021-2036.cer" The previously mentioned operations get executed in a conhost.exe window in the context of NT AUTHORITY\SYSTEM. The attacker can use the appearing conhost.exe windows to get an elevated command prompt. Therefore, the attacker has to interrupt the execution flow of one of the certutil operations before the conhost.exe window closes. This can be done by locking the file operations on one of the following files: notarius-root-certificate-authority.cer notarius-certificate-authority.cer notarius-root-certificate-authority_2021-2036.cer For this purpose, the attacker can use SetOpLock.exe from the following source: https://github.com/googleprojectzero/symboliclink-testing-tools To lock all operations on one of the previously mentioned files, the attacker has to use the following syntax: while ($true) { .\SetOpLock.exe <Path> x } For example, to lock the operations on the first of the mentioned files, the following command loop can be used: while ($true) { .\SetOpLock.exe "C:\Program Files\Nitro\PDF Pro\14\notarius-root-certificate-authority.cer" x } The tool will lock any operation on the file until the attacker presses Enter. While executing the previously mentioned msiexec-command, multiple operation locks will get triggered. The attacker has to skip multiple of them (by pressing Enter) until a conhost.exe window opens. The conhost.exe process is running with SYSTEM privileges and can be used to escalate privileges. The following steps have to be conducted: 1. Right click on the top bar of the conhost.exe window. 2. Click on "Properties". 3. Under options, click on the "Legacyconsolemode" link. 4. Open the link with a browser other than Internet Explorer or Edge (both don't open as SYSTEM in Windows 11). 5. In the opened browser window press the key combination "CTRL+o". 6. Type "C:\Windows\System32\cmd.exe" in the top bar and press Enter. A command prompt should open with the user permission context of NT AUTHORITY\SYSTEM. The privileges have been escalated and the system is fully compromised. Vulnerable / tested versions: ----------------------------- The following version has been tested which was the latest version available at the time of the test: * Nitro PDF Pro 14.18.1.41 According to the vendor, version branch 13 is also affected. The vendor confirmed that the following versions are vulnerable: * Nitro PDF Pro <14.26.1.0 * Nitro PDF Pro <13.70.8.82 Vendor contact timeline: ------------------------ 2023-12-22: Contacting vendor through security@gonitro.com; asking for PGP key. No response. 2024-01-11: Asking whether our email was received 2024-01-15: Vendor response: high workload, requesting security advisory, PGP key will be shared in another email. 2024-01-16: No PGP key received, asking again. 2024-01-17: Sending encrypted security advisory. 2024-01-30: Asking for a status update. 2024-02-01: Vendor is currently investigating the issue to ensure it applies to the latest version of the Pro software. 2024-02-12: Vendor asking for tested Windows version. 2024-02-13: Tested with Windows 10, referenced advisory information to only use Firefox or Chrome browser, not Edge/IE. 2024-03-05: Asking for a status update, if the issue could be reproduced, whether we should reserve a CVE number. 2024-03-07: Vendor will provide update in a few days, few issues in the queue. Will ask internally regarding CVE. 2024-04-08: Asking for status update. Setting advisory disclosure date to 17th April. 2024-04-08: Vendor was unable to reproduce issue, asking for a video to verify the issue. 2024-04-09: Providing POC video to the vendor. 2024-04-11: Vendor still unable to reproduce. Suggesting short call to demonstrate the issue; no response. 2024-04-16: Asking how to proceed now. Vendor: was now able to reproduce the issue on Windows 10, patch implementation will be expedited. Telling the vendor that we will wait for the patch, asking if they reserve a CVE. 2024-05-02: Vendor: CVE is being requested, patch is planned as soon as possible. 2024-05-02: Confirming advisory release after patch is available and other necessary details (fixed version number, CVE, etc). 2024-05-21: Vendor is still waiting for CVE. 2024-05-22: Asking whether the issue is otherwise fixed, asking for version number etc; No response. 2024-06-17: Asking for status update again, regarding patch &amp; CVE. Fix is completed for current version 14.x, preparing a patch, but also checking previous versions. 2024-06-21: Vendor informs us that version 13 is also affected which takes more time to backport. 2024-06-24: Giving more time to patch and coordinate release versions. Questions about CVE. 2024-06-24: Vendor responds that CVE-2024-35288 can be used. 2024-07-15: Vendor releases version 14.26.1.0 which includes the fix for v14. 2024-09-17: Vendor informs us that security update for v13 is scheduled for 25th September (seems we did not receive this email). 2024-09-23: Vendor following up regarding patch schedule &amp; acknowledgement. 2024-09-24: Confirming receipt of email and patch day, our advisory will be scheduled for early next week. 2024-09-24: Vendor provides affected version numbers. 2024-09-25: Asking vendor for clarification regarding version numbers. 2024-09-25: Vendor sends version numbers for the fix (13.70.8.82, 14.26.1.0) 2024-09-30: Coordinated release of security advisory. Solution: --------- The vendor provides a patch in version 13.70.8.82 and 14.26.1.0 which can be downloaded from the following URL: https://www.gonitro.com/product-details/downloads/pdf-pro The vendor released a security advisory as well: https://www.gonitro.com/security/updates SEC Consult has also released a blog post on 12th September 2024 regarding MSI installer security issues tracked as CVE-2024-38014 and a general fix by Microsoft. We have contacted Microsoft to have a more general solution for every affected vendor. For further details check out the blog post: https://r.sec-consult.com/msi Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Sandro Einfeldt, Michael Baer, Johannes Greil / @2024