Search
Send enquiry

Author: ne@cirosec.de

Vulnerability in neo42 Sumatra PDF Package

Posted on by ne@cirosec.de
Search
Send enquiry
  • Advisories

Vulnerability in neo42 Sumatra PDF Package

Sumatra PDF is an open-source PDF reader. The vulnerability was found in the installer for this product shipped by neo42 for Matrix 42 Unified Endpoint Management.

Bug
Timeline

Local Privilege Escalation Vulnerability in neo42 Sumatra PDF Package

The installer package used a folder that was writeable by unprivileged users to store executables. An attacker with access to the system could have manipulated these executables to gain SYSTEM privileges.

The vulnerability was acknowledged and fixed by neo42 within 4 weeks. We want to thank neo42 for their exemplary reaction to the vulnerability report.

CVSS Score
7.8 (CVSS v3)

CVSS Vector String
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Version
neo42 Sumatra PDF Package Version 3.4.6.0

Mitigation
The vulnerability can be resolved by using the newest version of the installer provided by neo42.

Credits
Kolja Grassmann (cirosec GmbH)

Timeline

2023-10-06

Vulnerability found

2023-10-18

Vendor was contacted and informed about the vulnerability

2023-10-18

Initial response from vendor

2023-11-07

Vendor informs us that the issue was resolved

Do you want to protect your systems? Feel free to get in touch with us.
Send Enquiry
Contact Details

Vulnerability in Bytello Share

Posted on by ne@cirosec.de
Search
Send enquiry
  • Advisories

Vulnerability in Bytello Share

Bytello Share is a software used to share the screen of a device. The vulnerability was found in the installation process of the software.

Bug
Timeline

Local privilege escalation vulnerability in Bytello Share Installer

The installer uses a folder that is writeable by unprivileged users to store executables and DLLs. An attacker with access to the system can manipulate the files during the installation process to gain SYSTEM privileges.

Note that the installer needs administrative rights to run. However, we were able to exploit this in a scenario where all users were able to request the installation of the software using a web interface provided by the software deployment solution. In this case, the user can trigger the execution of the installer with elevated rights and then exploit the installation process to gain SYSTEM privileges.

The vulnerability was not acknowledged by the manufacturer and it is therefore unlikely that it will be fixed. Please refer to the Mitigation section on how to protect your environment.

CVSS Score
6.7 (CVSS v3)

Affected Version
Bytello Share 5.6.0.2497

Mitigation
We recommend refraining from using the Bytello Share Installer in scenarios where an unprivileged user can trigger the installation (e.g. using a Software Kiosk).

Credits
Kolja Grassmann (cirosec GmbH)

Timeline

2023-10-25

Vulnerability found

2023-10-31

Vendor was contacted and informed about the vulnerability

2023-11-06

Vendor informed us that they do not see an issue here, as administrative rights are required during the installation

Do you want to protect your systems? Feel free to get in touch with us.
Send Enquiry
Contact Details

Vulnerability in Kiteworks OwnCloud (CVE-2023-7273)

Posted on by ne@cirosec.de
Search
Send enquiry
  • Advisories

Vulnerability in Kiteworks OwnCloud (CVE-2023-7273)

OwnCloud offers file sharing and collaboration.

Bug
Timeline

CVE-2023-7273: Cross Site Request Forgery

If a request has no Authorization header, it is created with an empty string as value by a rewrite rule. The CSRF check is done by comparing the header value to null, meaning that the existing CSRF check is bypassed in this case. An attacker can, for example, create a new administrator account if the request is executed in the browser of an authenticated victim.

The vulnerability was acknowledged and fixed by OwnCloud within 4 weeks. We like to thank OwnCloud for the good cooperation and the fixing of the vulnerability.

CVSS Score
6.8 (CVSS v3) 

CVSS Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Affected Version
Versions ≤ 10.12

Fixed Version
10.13 with the fix.

References
https://hackerone.com/reports/2041007

Credits
Pascal Geuter

Timeline

2023-06-28

Vulnerability was found and report was submitted via HackerOne.

2023-07-03

Vulnerability triaged by OwnCloud.

2023-07-12

Vulnerability resolved.

2023-08-22

Release of version 10.13.

2023-11-05

Report was disclosed via HackerOne.

Do you want to protect your systems? Feel free to get in touch with us.
Send Enquiry
Contact Details
Search
Search