Executive Summary

Summary
Title Chocolatey Boxstarter is vulnerable to privilege escalation due to weak ACLs
Informations
Name VU#208577 First vendor Publication 2020-10-22
Vendor VU-CERT Last vendor Modification 2020-11-09
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score 7.8
Base Score 7.8 Environmental Score 7.8
impact SubScore 5.9 Temporal Score 7.8
Exploitabality Sub Score 1.8
 
Attack Vector Local Attack Complexity Low
Privileges Required Low User Interaction None
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 7.2 Attack Range Local
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Overview

Chocolatey Boxstarter fails to properly set ACLs, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges.

Description

CVE-2020-15264

The Chocolatey Boxstarter installer fails to set a secure access-control list (ACL) on the C:\ProgramData\Boxstarter directory, which is added to the system-wide PATH environment variable. A privilege escalation vulnerability is introduced since any location in the system-wide PATH environment variable may be used to load code that runs with privileges.

Impact

By placing a specially-crafted DLL file in the C:\ProgramData\Boxstarter directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Boxstarter software installed. See DLL Search Order Hijacking for more details.

Solution

Apply an update

This vulnerability is addressed in Chocolatey Boxstarter version 2.13.0. Please see the security advisory for more details.

Acknowledgements

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Original Source

Url : https://kb.cert.org/vuls/id/208577

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-668 Exposure of Resource to Wrong Sphere
50 % CWE-73 External Control of File Name or Path

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2020-11-10 00:17:35
  • Multiple Updates
2020-11-01 17:28:53
  • Multiple Updates
2020-10-22 21:17:57
  • First insertion