Local privilege elevation vulnerability in default admin installation

Low
johnstevenson published GHSA-wgrx-r3qv-332c Aug 14, 2020

Package

composer Composer-Setup.exe (Composer)

Affected versions

< 6.0.0

Patched versions

6.0.0

Description

Impact

If the developer's computer is shared with other users, a local attacker may be able to exploit the following scenarios.

  1. A local regular user may modify the existing C:\ProgramData\ComposerSetup\bin\composer.bat in order to get elevated command execution when composer is run by an administrator.
  2. A local regular user may create a specially crafted dll in the C:\ProgramData\ComposerSetup\bin folder in order to get Local System privileges. See: https://itm4n.github.io/windows-server-netman-dll-hijacking.
  3. If the directory of the php.exe selected by the user is not in the system path, it is added without checking that it is admin secured, as per Microsoft guidelines. See: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability.

Workarounds

Change C:\ProgramData\ComposerSetup\bin user permissions to read and execute only.
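
The PowerShell below is an added example, not part of the advisory or of Composer-Setup. It checks the condition behind the workaround and scenario 3 by listing Allow ACEs that give non-admin principals write-type access to the bin folder, its files, and each machine PATH directory. The function name `Get-NonAdminWriteAce` and the list of trusted SIDs are assumptions made for this example.

```powershell
# Added example: find write-type access held by non-admin principals.
# Well-known SIDs treated as trusted here (an assumption of this example).
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Rights that allow creating, replacing or re-permissioning files, plus the
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits some ACEs carry.
$WriteMask = ([int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x50000000

function Get-NonAdminWriteAce {
    param([Parameter(Mandatory)][string[]]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        # Explicit and inherited rules, with identities returned as SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedSids -contains $ace.IdentityReference.Value) { continue }
            # Inherit-only ACEs do not apply to the object itself.
            if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $p
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$binDir = 'C:\ProgramData\ComposerSetup\bin'   # path named in the advisory
$targets = @(
    $binDir
    # Files already in the folder (scenario 1: composer.bat).
    Get-ChildItem -LiteralPath $binDir -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object FullName
    # Scenario 3: every directory on the machine PATH.
    [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';'
) | Where-Object { $_ } | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

# No output means no non-admin write access was found on the checked objects.
Get-NonAdminWriteAce -Path $targets | Format-Table -AutoSize
```

Run it from an elevated prompt so every ACL is readable. It does not inspect ownership, and a non-admin owner can rewrite the DACL of an object it owns.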

Severity

Low

CVE ID

CVE-2020-15145

Weaknesses

No CWEs

Credits