CyberSecurity SEE

Google Mandiant identifies MSI flaw in Lakeside Software

A vulnerability has been discovered in a Windows Installer (MSI) package developed by Lakeside Software that allows attackers with low privileges to gain full system access. The local privilege escalation flaw, identified by Google Mandiant, has been addressed with a patch.

The vulnerability, tracked as CVE-2023-6080, is rated high severity with a CVSS score of 7.8. It affects Lakeside Software's SysTrack LsiAgent Installer for Windows. When exploited, it allows attackers to escalate their privileges to system level.

The root cause of the flaw lies in the repair function of the SysTrack LsiAgent Installer. Repair functions are commonly provided by installers so that users can fix problems with an already installed application. However, while an MSI file is being repaired, the function creates and executes multiple files as NT AUTHORITY\SYSTEM, the Windows account with the highest level of privileges. Attackers can abuse this behaviour to escalate privileges.

To exploit CVE-2023-6080, Mandiant used Process Monitor, a real-time file monitoring tool, to analyze the file operations performed during the repair operation of the SysTrack MSI. By running the repair as a low-privileged user, Mandiant observed MSIExec.exe creating and executing files inside the user's %TEMP% folder.

The researchers then wrote a PowerShell script to test the file names of the executables being created, and observed how the application behaved when the repair function was rerun. This revealed a race condition, a flaw that can be exploited by flooding the system with simultaneous requests that attempt to modify the same data.

With a second PowerShell script that exploited the race condition, the researchers were able to overwrite a file created by MSIExec.exe with a test.exe file, which was then executed as NT AUTHORITY\SYSTEM. This results in privilege escalation and arbitrary code execution.

Beyond privilege escalation, the exploit could also allow attackers to modify files as NT AUTHORITY\SYSTEM, enabling further malicious activity. To mitigate such risks, Mandiant researchers recommended that software developers follow secure coding practices so that attackers cannot take advantage of high-privilege operations.

Furthermore, developers should ensure that all privileged file operations are executed from secure folders to prevent unauthorized access. Lakeside Software addressed the vulnerability in August 2024 after being notified by Google of the issue.
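One way to audit an installer for the pattern described above, added here as an example and not part of the article or of Mandiant's tooling: it reads a Process Monitor CSV export and flags msiexec.exe file operations performed as SYSTEM on user-writable paths, then reports files SYSTEM both wrote and later executed from such a folder. The sample rows are constructed, and the script assumes the optional "User" column was enabled before the export.

```python
import csv
import io

# Constructed sample of a Process Monitor CSV export (not a real capture);
# assumes the optional "User" column was enabled before exporting.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User"
"10:01:02.1","msiexec.exe","4120","CreateFile","C:\Users\alice\AppData\Local\Temp\MSI1a2b.tmp","SUCCESS","Desired Access: Generic Write","NT AUTHORITY\SYSTEM"
"10:01:02.2","msiexec.exe","4120","WriteFile","C:\Users\alice\AppData\Local\Temp\MSI1a2b.tmp","SUCCESS","Offset: 0, Length: 4,096","NT AUTHORITY\SYSTEM"
"10:01:02.3","msiexec.exe","4120","Process Create","C:\Users\alice\AppData\Local\Temp\MSI1a2b.tmp","SUCCESS","PID: 5000","NT AUTHORITY\SYSTEM"
"10:01:03.0","msiexec.exe","4120","CreateFile","C:\Windows\Installer\abc.msi","SUCCESS","Desired Access: Generic Read","NT AUTHORITY\SYSTEM"
"10:01:03.5","msiexec.exe","6210","CreateFile","C:\Users\alice\AppData\Local\Temp\x.log","SUCCESS","Desired Access: Generic Write","DESKTOP\alice"
'''

# Roots a standard user can write into; SYSTEM file operations landing here are the weak pattern the article describes.
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
WRITE_OPERATIONS = {"CreateFile", "WriteFile", "SetRenameInformationFile"}
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_ROOTS)

def find_privileged_ops_in_user_dirs(csv_text: str) -> list:
    """msiexec.exe operations run as SYSTEM on user-writable paths (CreateFile counts only with write access)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != "msiexec.exe":
            continue
        if row["User"].upper() != SYSTEM_ACCOUNT or not is_user_writable(row["Path"]):
            continue
        op = row["Operation"]
        if op == "Process Create":
            kind = "execute"
        elif op in WRITE_OPERATIONS and (op != "CreateFile" or "Write" in row["Detail"]):
            kind = "write"
        else:
            continue
        findings.append({"time": row["Time of Day"], "path": row["Path"], "kind": kind})
    return findings

def written_then_executed(findings: list) -> set:
    """Paths SYSTEM first wrote and later executed from a user-writable folder: the sequence the article's race condition depends on."""
    written, hits = set(), set()
    for f in findings:  # findings keep the capture order
        key = f["path"].lower()
        if f["kind"] == "write":
            written.add(key)
        elif f["kind"] == "execute" and key in written:
            hits.add(f["path"])
    return hits
```

Run it against a real export by reading the CSV file into `find_privileged_ops_in_user_dirs`; any path returned by `written_then_executed` is a file the installer should be creating under a SYSTEM-only location instead.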

This incident follows a similar discovery by Mandiant involving a flaw in the MSI installer for Atera Agent 1.8.3.6. As the cybersecurity landscape continues to evolve, it is crucial for organizations to remain vigilant and proactive in addressing vulnerabilities to safeguard their systems and data.
