Last week NSIS released a new version which addresses a privilege escalation issue I reported (CVE-2023-37378).

It's an interesting one which affects certain setups where you can trigger an uninstaller as SYSTEM. I found various software including endpoint management and security software where this is exploitable :)

https://github.com/advisories/GHSA-5r79-3284-v2f8

CVE-2023-37378 - GitHub Advisory Database

Nullsoft Scriptable Install System (NSIS) before 3.09...


If you want to find vulnerable software, go onto GitHub or public sandboxes etc and look for software that has a service and (un)installs NSIS packages. Triggering an uninstall may be possible through RPC/COM methods or perhaps custom IPC. I’m sure you will find some 👀

Some example code to get started with a poc:

https://gist.github.com/rxwx/1717e95e5ec11bea12d33e93a3832508

Determine redirection path for SxS DotLocal DLL Hijacking - GetSxsPath.cs

If you have access to EDR/SIEM telemetry you can also search for instances of Un_[A-Z]\.exe (usually Un_A.exe) running as SYSTEM
Technical Advisory - Nullsoft Scriptable Installer System (NSIS) - Insecure Temporary Directory Usage

The NSIS uninstaller package did not enforce appropriate permissions on the temporary directory used during the uninstall process. Furthermore, it did not ensure that the temporary directory was removed before running executable content from it. This could potentially result in privilege escalation under certain scenarios.

NCC Group Research Blog
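
The telemetry search suggested above, sketched as an added example (not the author's or the NSIS project's code): it filters process-creation events for the Un_[A-Z].exe name running as SYSTEM and keeps the parent image for triage. The sample records are constructed, and the Sysmon Event ID 1 field names (`Image`, `User`, `ParentImage`, `Computer`) are an assumption about the log source.

```python
import json
import ntpath
import re

# Name pattern from the post (usually Un_A.exe). Windows file names are
# case-insensitive, so the match is too.
UNINSTALLER_RE = re.compile(r"Un_[A-Z]\.exe", re.IGNORECASE)
# Account name as Sysmon logs it; the SID form is an assumption for other sources.
SYSTEM_USERS = {"nt authority\\system", "s-1-5-18"}

# Constructed sample: JSON lines using Sysmon Event ID 1 field names.
# Hosts, paths and parent processes are made up for the example.
SAMPLE_EVENTS = r'''
{"Computer":"WS-0142","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\Temp\\example\\Un_A.exe","ParentImage":"C:\\Program Files\\ExampleAgent\\uninstall.exe"}
{"Computer":"WS-0077","User":"CORP\\alice","Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\example\\Un_A.exe","ParentImage":"C:\\Program Files\\ExampleApp\\uninstall.exe"}
{"Computer":"WS-0201","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\Temp\\Un_Setup.exe","ParentImage":"C:\\Windows\\System32\\services.exe"}
{"Computer":"SRV-0009","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\Temp\\example\\un_b.exe","ParentImage":"C:\\Program Files\\ExampleAgent\\agent.exe"}
not json
'''


def find_system_uninstallers(lines):
    """Return (computer, image, parent_image) for each matching process start."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(event, dict):
            continue
        # ntpath splits on backslashes regardless of the analyst's own OS.
        name = ntpath.basename(event.get("Image", ""))
        user = event.get("User", "").lower()
        if UNINSTALLER_RE.fullmatch(name) and user in SYSTEM_USERS:
            # ParentImage shows which service or agent launched the uninstaller.
            hits.append((event.get("Computer"), event.get("Image"),
                         event.get("ParentImage")))
    return hits


if __name__ == "__main__":
    for hit in find_system_uninstallers(SAMPLE_EVENTS.splitlines()):
        print(*hit, sep=" | ")
```

Matching on the file name alone with `fullmatch` keeps look-alikes such as Un_Setup.exe out of the results, and the same uninstaller run in a user's own context is excluded by the account check.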