Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/build/release: Windows installation has misconfigured ACL: privilege escalation possible between users #35575

Open
giuliocomi opened this issue Nov 13, 2019 · 2 comments

Comments

@giuliocomi
Copy link

@giuliocomi giuliocomi commented Nov 13, 2019

The Golang msi installer in Windows install by default Go in C:\Go location.
Files and subfolders of folders created under C:\ by default can be edited, created, deleted.

PS C:\Go> icacls .
  BUILTIN\Administrators:(I)(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
  BUILTIN\Users:(I)(OI)(CI)(RX)
  NT AUTHORITY\Authenticated Users:(I)(M)
  NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

This means that in a shared Windows environment, is it possible to exploit this insecure ACL to replace/backdoor go.exe binaries, dll and so on.

Scenario Local Privilege Escalation

A Standard User backdoor go.exe, waits for an Administrator to log in and run "go ..." or another component under C:\Go to successfully execute code under the latter elevated context.

Scenario Horizontal Privilege Escalation

A Standard User can backdoor/replace any component under C:\Go and wait for another Standard User to login and run Golang environment to achieve code execution in the context of the target user.

What version of Go are you using (go version)?

Up to latest Golang version: 1.13

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

$ go env
set GOHOSTARCH=amd64
set GOHOSTOS=windows

What did you expect to see?

I was expecting the msi installer to reconfigure after installation the C:\Go default destination folder to have an ACL hardened to allow only Administrators, Administrator, SYSTEM, TrustedInstaller to have modify, write and special permissions over the Golang components.

What did you see instead?

Authenticated Users have Modify permission over any Golang component, thus local privilege escalation is possible.

@andybons andybons changed the title Windows installation has misconfigured ACL: privilege escalation possible between user x/build/release: Windows installation has misconfigured ACL: privilege escalation possible between user Nov 13, 2019
@gopherbot gopherbot added this to the Unreleased milestone Nov 13, 2019
@gopherbot gopherbot added the Builders label Nov 13, 2019
@andybons andybons added OS-Windows and removed Builders labels Nov 13, 2019
@gopherbot gopherbot added the Builders label Nov 13, 2019
@giuliocomi giuliocomi changed the title x/build/release: Windows installation has misconfigured ACL: privilege escalation possible between user x/build/release: Windows installation has misconfigured ACL: privilege escalation possible between users Nov 13, 2019
@giuliocomi
Copy link
Author

@giuliocomi giuliocomi commented May 2, 2020

Hello, is there any patch available in the MSI package installer codebase?

@networkimprov
Copy link

@networkimprov networkimprov commented May 3, 2020

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
You can’t perform that action at this time.