{"id":22423,"date":"2024-03-26T12:46:40","date_gmt":"2024-03-26T11:46:40","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2023-0029\/"},"modified":"2024-04-03T10:42:56","modified_gmt":"2024-04-03T08:42:56","slug":"usd-2023-0029","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2023-0029\/","title":{"rendered":"usd-2023-0029"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.24.2\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n<h1>usd-2023-0029 | Privilege Escalation via Weak Registry Permissions<\/h1>\n<p><strong>Advisory ID<\/strong>: usd-2023-0029<br \/><strong>Product<\/strong>: Unknown<br \/><strong>Affected Version<\/strong>: Unknown<br \/><strong>Vulnerability Type<\/strong>: CWE-732: Incorrect Permission Assignment for Critical Resource<br \/><strong>Security Risk<\/strong>: HIGH - CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H<br \/><strong>Vendor URL<\/strong>: <a href=\"https:\/\/www.sonix.com.tw\/masterpage-en\" target=\"_blank\" rel=\"noopener\">https:\/\/www.sonix.com.tw\/masterpage-en<\/a><br \/><strong>Vendor acknowledged vulnerability<\/strong>: No<br \/><strong>Vendor Status<\/strong>: Not fixed<br \/><strong>CVE number<\/strong>: CVE-2023-51715<br \/><strong>CVE Link<\/strong>: Pending<\/p>\n<h3>Description<\/h3>\n<p>Systems with a SONIX Technology Webcam using the SonixDeviceMFT.dll driver in its default configuration are vulnerable to a DLL-Hijacking attack.<br \/>The registry key 
<strong>HKLM\\SOFTWARE\\Classes\\CLSID\\{5A50829A-86DD-4D18-8685-891EEE643C24}\\InprocServer32<\/strong> contains a path to the aforementioned .dll file and can be overwritten by low privileged users. This potentially allows attackers to load a malicious DLL and in turn escalate their privileges.<br \/>The DLL referenced by the registry key is loaded with NT-AUTHORITY\\SYSTEM privileges when the webcam of the device is activated.<\/p>\n<h3>Proof of Concept<\/h3>\n<ol>\n<li>The registry key <strong>HKLM\\SOFTWARE\\Classes\\CLSID\\{5A50829A-86DD-4D18-8685-891EEE643C24}\\InprocServer32<\/strong> initially contains <strong>%SystemRoot%\\system32\\SonixDeviceMFT.dll<\/strong>.<\/li>\n<li>The permissions of the key can be listed with accesschk.exe by Sysinternals. This reveals that all members of the <strong>Users<\/strong> group can edit the key.<\/li>\n<\/ol>\n<pre class=\"codehilite\" style=\"line-height: 125%;background: #263238;color: #eff\">.\\SysinternalsSuite\\accesschk.exe -accepteula -s -w $USER -k \"HKLM\\SOFTWARE\\Classes\\CLSID\\{5A50829A-86DD-4D18-8685-891EEE643C24}\\\" -u\n\nAccesschk v6.15 - Reports effective permissions for securable objects\nCopyright (C) 2006-2022 Mark Russinovich\nSysinternals - www.sysinternals.com\n\nHKLM\\SOFTWARE\\Classes\\CLSID\\{5A50829A-86DD-4D18-8685-891EEE643C24}\\InprocServer32\n  RW VORDEFINIERT\\Benutzer\n  RW VORDEFINIERT\\Administratoren\n  RW NT-AUTHORITY\\SYSTEM\n<\/pre>\n<ol start=\"3\">\n<li>Overwrite the registry key with <strong>C:\\ProgramData\\malicious.dll<\/strong> or another location.<\/li>\n<li>When the webcam of the system is activated, e.g. for a video call, a process running with NT-AUTHORITY\\SYSTEM privileges tries to load the DLL. 
This can be verified with Procmon.exe by Sysinternals.<\/li>\n<\/ol>\n<h3>Fix<\/h3>\n<p>For the vendor, it is recommended to adjust the permissions for the registry key and prevent low privileged users from accessing it.<\/p>\n<p>Users of the affected product can perform a workaround fix by adjusting the permissions of the <strong>HKLM\\SOFTWARE\\Classes\\CLSID\\{5A50829A-86DD-4D18-8685-891EEE643C24}\\InprocServer32<\/strong> registry key so that low privileged users do not have write access to it.<\/p>\n<h3>References<\/h3>\n<p><a href=\"https:\/\/book.hacktricks.xyz\/windows-hardening\/windows-local-privilege-escalation\/dll-hijacking\" target=\"_blank\" rel=\"noopener\">https:\/\/book.hacktricks.xyz\/windows-hardening\/windows-local-privilege-escalation\/dll-hijacking<\/a><\/p>\n<h3>Timeline<\/h3>\n<ul>\n<li><strong>2023-07-28<\/strong>: Vulnerability identified by Luca Rupp.<\/li>\n<li><strong>2023-08-01<\/strong>: First contact with vendor via mkt@sonix.com.tw and sales@sonix.com.tw.<\/li>\n<li><strong>2023-09-07<\/strong>: The Responsible Disclosure once more tried to get in contact with the vendor via the above email addresses and via usa@sonix.com.tw.<\/li>\n<li><strong>2023-10-02<\/strong>: Another contact request sent to the above email addresses.<\/li>\n<li><strong>2023-10-23<\/strong>: Another email warning of possible public disclosure should we not receive a reply.<\/li>\n<li><strong>2023-12-14<\/strong>: Our customer reports that they have no objections towards public disclosure.<\/li>\n<li><strong>2024-03-26<\/strong>: Advisory released by usd AG in accordance with our disclosure process.<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p>This security vulnerability was identified by Luca Rupp of usd AG.<\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2023-0029 | Privilege Escalation via Weak Registry Permissions Advisory ID: usd-2023-0029Product: UnknownAffected Version: 
UnknownVulnerability Type: CWE-732: Incorrect Permission Assignment for Critical ResourceSecurity Risk: HIGH - CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:HVendor URL: https:\/\/www.sonix.com.tw\/masterpage-enVendor acknowledged vulnerability: NoVendor Status: Not fixedCVE number: CVE-2023-51715CVE Link: Pending Description Systems with a SONIX Technology Webcam using the SonixDeviceMFT.dll driver in its default configuration are vulnerable [&hellip;]<\/p>\n","protected":false},"author":114,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-22423","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22423","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/114"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=22423"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22423\/revisions"}],"predecessor-version":[{"id":22461,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22423\/revisions\/22461"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=22423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}