Blog | https://rw.md |
https://twitter.com/buffaloverflow | |
GitHub | https://github.com/rxwx |
Here is the advisory:
The NSIS uninstaller package did not enforce appropriate permissions on the temporary directory used during the uninstall process. Furthermore, it did not ensure that the temporary directory was removed before running executable content from it. This could potentially result in privilege escalation under certain scenarios.
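The two failures named in the advisory, shown as a weak staging routine beside a hardened one. This is an added example, not NSIS code or code from the linked gist. It uses POSIX permissions to illustrate the checks, and the directory name `uninst-stage`, the file `helper.bin` and both function names are hypothetical.

```python
import os
import shutil
import stat
import tempfile

STAGE = "uninst-stage"  # hypothetical staging directory name


def stage_weak(parent):
    """Pattern the advisory describes: reuse whatever already sits at the path."""
    path = os.path.join(parent, STAGE)
    os.makedirs(path, exist_ok=True)  # accepts a pre-created directory and its ACL
    return path


def stage_hardened(parent):
    """Remove any pre-existing entry, create owner-only, then verify the result."""
    path = os.path.join(parent, STAGE)
    if os.path.lexists(path):
        if os.path.islink(path) or not os.path.isdir(path):
            os.unlink(path)           # never follow a planted link
        else:
            shutil.rmtree(path)       # drop planted contents with the directory
    os.mkdir(path, 0o700)             # FileExistsError if re-created in a race
    st = os.lstat(path)
    if (not stat.S_ISDIR(st.st_mode) or st.st_uid != os.geteuid()
            or stat.S_IMODE(st.st_mode) & 0o077):
        raise PermissionError(f"unsafe staging directory: {path}")
    return path


def demo():
    """Constructed scenario: the staging directory exists before the run."""
    results = {}
    for label, stage in (("weak", stage_weak), ("hardened", stage_hardened)):
        with tempfile.TemporaryDirectory() as parent:
            planted = os.path.join(parent, STAGE)
            os.mkdir(planted)
            os.chmod(planted, 0o777)  # writable by everyone
            open(os.path.join(planted, "helper.bin"), "w").close()
            path = stage(parent)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            results[label] = (sorted(os.listdir(path)), mode)
    return results


if __name__ == "__main__":
    for label, (files, mode) in demo().items():
        print(f"{label:9} files={files} mode={oct(mode)}")
```

The weak routine hands back the pre-created directory with its planted file and open permissions; the hardened one returns an empty, owner-only directory or fails.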
If you want to find vulnerable software, go onto GitHub or public sandboxes etc. and look for software that has a service and (un)installs NSIS packages. Triggering an uninstall may be possible through RPC/COM methods or perhaps custom IPC. I’m sure you will find some 👀
Some example code to get started with a PoC:
https://gist.github.com/rxwx/1717e95e5ec11bea12d33e93a3832508