Executive Summary
Summary | |
---|---|
Title | Parsec Remote Desktop App is prone to a local elevation of privilege due to a logical flaw in its code integrity verification process |
Informations | |||
---|---|---|---|
Name | VU#287122 | First vendor Publication | 2023-08-16 |
Vendor | VU-CERT | Last vendor Modification | 2023-08-16 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : | |||
---|---|---|---|
Cvss Base Score | N/A | Attack Range | N/A |
Cvss Impact Score | N/A | Attack Complexity | N/A |
Cvss Expoit Score | N/A | Authentication | N/A |
Calculate full CVSS 2.0 Vectors scores |
Detail
OverviewParsec updater for Windows was prone to a local privilege escalation vulnerability, this vulnerability allowed a local user with Parsec access to gain NT_AUTHORITY/SYSTEM privileges. DescriptionThe vulnerability is a time-of-check time?of-use (TOCTOU) vulnerability. There existed a small window between verifying the signature and integrity of the update DLL and the execution of DLL main. By exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user as described in CVE-2023-37250. CVE-2023-37250 The application launches DLLs from a User owned directory. Since the user owns both the DLL file and the directory, it is possible to (successfully) attempt tricking Parsec into loading an unsigned/arbitrary DLL file and execute its DllMain() method with SYSTEM privileges, creating a Local Privilege Escalation vulnerability. ImpactBy exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user. SolutionThe vulnerability applies to a "Per User" installation as opposed to a "Shared User". There is an update that has been made available. To force an update, you can either completely quit, and re-open the application several times until the loader is updated (by confirming in the logs). Or you can download a special installer that only updates the files inside of the program files that can be downloaded from https://builds.parsec.app/package/parsec-update-executables.exe. AcknowledgementsThanks to the reporter, Julian Horoszkiewicz.This document was written by Timur Snoke. |
Original Source
Url : https://kb.cert.org/vuls/id/287122 |
Alert History
Date | Informations |
---|---|
2023-08-16 21:22:07 |
|