CVE-2022-29333 Privilege Escalation Power Director 14 — Exploiting GUI Weakness

Joas Antonio
May 26, 2022

A little while ago I saw a video of a PoC for CVE-2022-0354, where the researcher found a vulnerability in a native application on his Lenovo notebook that allowed privilege escalation by exploiting a very curious factor.

Based on that, I decided to start my own research, which gave good results. But which vulnerability exactly am I talking about?

Imagine an application running in Administrative mode: as a user with ordinary permissions you can't do much, but with a simple interaction with the application's GUI you can open an administrative Command Prompt from a plain Save As dialog.

Still don’t understand? Watch these 2 videos, but don’t worry, I’ll show you in practice!

CVE-2022-0354

CVE-2022-29333 — My CVE

Inspired by the exploitation method of CVE-2022-0354, I repeated the same process in countless other applications. I can say that I got a surprising result, which generated the first CVE of this PoC; several more may follow from the reports I made.

And I even had the honor of it being my second CVE to appear in security bulletins:

https://nvd.nist.gov/vuln/detail/CVE-2022-29333

https://vuldb.com/pt/?id.200676

https://security-tracker.debian.org/tracker/CVE-2022-29333

https://ubuntu.com/security/CVE-2022-29333

In practice

Details: a vulnerability in Power Director 14 allows me, through the Save option on a promotional link, to run a reverse shell as admin if Power Director is running as admin.

Now let's understand better how the exploitation works!

First I ran a normal CMD so you can see the level of privileges I have.

I ran Power Director, which is already set to run as Administrator. The crucial detail is that I noticed the discount advertisement inside the application, which allowed me to right-click and interact with it.

I clicked on Save Destination; after that click it opens explorer.exe, and that moment is the crucial one.

Notice that I typed C:\Windows\system32\cmd.exe in the path field, so when I click "GO TO" it opens cmd.exe for me with administrative privileges.

And this is the result!

Privileges successfully escalated; now you just create a user, add it to the admin group, and have fun.

Is a reverse shell possible?

In my research I also ran tests creating some malicious executables. I'll leave the video below, which uses the same vector to get a privileged shell with Metasploit.

https://youtu.be/YVDwqPI4KcE

MITRE ATT&CK

Yes! This can be a technique that malicious attackers, and even insiders, can use to exploit a corporate environment, as it is both simple and dangerous.

Below is the technique and my contribution as well.

T1068 — Exploitation for Privilege Escalation

How many applications are vulnerable and how to remedy?

So far, I have tested it in 13 applications and obtained positive results in 13, since it is not a flaw that by itself requires developing an exploit to abuse it, in addition to being a local and not a remote technique.

But the biggest question is how developers build their applications and how the user interface interacts with the system, because what I do is abuse native system features. After all, no one would imagine that if I somehow manage to open explorer.exe, I could run an executable inside the application's process and get an administrative shell.
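As an added defender-side example (not code from the original post), the following Python flags the process pattern this technique leaves behind: a High-integrity shell whose parent is an arbitrary GUI application rather than the UAC elevation path (the AppInfo service, which shows up as svchost.exe) or another elevated shell. The Sysmon-style event records and the application name ElevatedApp.exe are constructed placeholders, and EXPECTED_PARENTS is an assumed baseline to tune from your own telemetry.

```python
# Constructed, Sysmon-style (Event ID 1) process-creation records; not real telemetry.
# "ElevatedApp.exe" is a placeholder for any GUI application running as Administrator.
SAMPLE_EVENTS = [
    {"pid": 600,  "ppid": 4,    "image": r"C:\Windows\System32\services.exe", "integrity": "System"},
    {"pid": 700,  "ppid": 600,  "image": r"C:\Windows\System32\svchost.exe",  "integrity": "System"},
    {"pid": 900,  "ppid": 850,  "image": r"C:\Windows\explorer.exe",          "integrity": "Medium"},
    {"pid": 1200, "ppid": 700,  "image": r"C:\Program Files\Example\ElevatedApp.exe", "integrity": "High"},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe", "integrity": "High"},   # via Save As dialog
    {"pid": 1400, "ppid": 700,  "image": r"C:\Windows\System32\cmd.exe", "integrity": "High"},   # "Run as administrator"
    {"pid": 1500, "ppid": 900,  "image": r"C:\Windows\System32\cmd.exe", "integrity": "Medium"}, # ordinary user shell
    {"pid": 1600, "ppid": 1300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "integrity": "High"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumed baseline of parents that legitimately spawn elevated shells: the AppInfo
# service (svchost.exe) after a UAC prompt, or an already-elevated shell.
EXPECTED_PARENTS = {"svchost.exe", "services.exe", "winlogon.exe"} | SHELLS

def basename(path):
    # Split on backslashes by hand so this also works when run on a non-Windows host.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def ancestry(events, pid):
    """Return the chain of image basenames from the given process up to the root."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain

def find_suspicious_shells(events):
    """Flag High-integrity shells whose parent is not on the expected-parent baseline,
    i.e. shells spawned out of an elevated GUI application's file dialog."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) not in SHELLS or e["integrity"] != "High":
            continue
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else "<unknown>"
        if parent_name in EXPECTED_PARENTS:
            continue  # normal UAC elevation or a child of an already-flagged shell
        alerts.append({"pid": e["pid"], "parent": parent_name, "chain": ancestry(events, e["pid"])})
    return alerts

if __name__ == "__main__":
    for a in find_suspicious_shells(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} parent={a['parent']} chain={' <- '.join(a['chain'])}")
```

Elevated terminal emulators or admin tools absent from EXPECTED_PARENTS will also be flagged, so extend the baseline from observed telemetry before deploying the rule.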

Conclusion

I have summarized a lot here; I wish I had done something at an academic level, but I want to deepen my research and go further, involving Defense Evasion and the like. I'm happy to answer any questions!
