Exploit for mRemoteNG 1.76.20 Privilege Escalation CVE-2020-24307 #2338

Closed
misterR00t opened this issue Feb 3, 2023 · 2 comments
Labels: 1.77.2 (Version 1.77.2); Cannot Fix (For one or more reasons we are unable to fix this problem.); Cannot Reproduce (Developers cannot reproduce the issue being reported.); Security Vuln

misterR00t commented Feb 3, 2023

An exploit has been published; urgently release a version with correction CVE-2020-24307.

https://sploitus.com/exploit?id=PACKETSTORM:170794&utm_source=rss&utm_medium=rss

@simonai1254
Contributor

Hi @misterR00t

Thanks for reporting this. Unfortunately I was unable to reproduce the permissions with my 1.76.20 installation:

C:\>wmic datafile where name="C:\\Program Files (x86)\\mRemoteNG\\mRemoteNG.exe" get Version /value
Version=1.76.20.24615
C:\>icacls "C:\Program Files (x86)\mRemoteNG\mRemoteNG.exe"
C:\Program Files (x86)\mRemoteNG\mRemoteNG.exe NT AUTHORITY\SYSTEM:(I)(F)
                                               BUILTIN\Administrators:(I)(F)
                                               BUILTIN\Users:(I)(RX)
                                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files

Just to be sure, I did a clean installation of 1.76.20 in a Windows 10 Sandbox and came to the exact same results.
The same goes for a reference installation of 1.77.2-nb in a Windows 10 Sandbox (now 64-bit):

C:\Users\WDAGUtilityAccount>wmic datafile where name="C:\\Program Files\\mRemoteNG\\mRemoteNG.exe" get Version /value
Version=1.77.2.0
C:\Users\WDAGUtilityAccount>icacls "C:\Program Files\mRemoteNG\mRemoteNG.exe"
C:\Program Files\mRemoteNG\mRemoteNG.exe NT AUTHORITY\SYSTEM:(I)(F)
                                         BUILTIN\Administrators:(I)(F)
                                         BUILTIN\Users:(I)(RX)
                                         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                         APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

Note: All installations were done using the MSI installer.

Furthermore, the NVD references the documentation of the "Unquoted Service Path" vulnerability by NyaMeeEain, which is explicitly for Services. With the given information, in case the permissions are actually configured wrong (not reproducible), mRemoteNG is still required to be run by another user with the desired permissions. As mRemoteNG does not run with administrative privileges, having the UAC configured properly, this only allows executing stuff in another user's context but not gaining administrative control over the device.

With this information I get a CVSSv3.1 Overall Score of 3.1 AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N/E:U/RL:W/RC:U/CR:L/IR:L/AR:L/MAV:L/MAC:L/MPR:L/MUI:N/MS:C/MC:L/MI:L/MA:N assuming the vulnerability is actually present (not reproducible on my end).

Do you have any machine that has the wrong permissions set and know how it was installed (e.g. Upgrade Path)?
Otherwise I think this is a false positive.
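
An added example, not part of the thread or of the mRemoteNG project: a Python check that parses icacls output like that quoted in the comment above and lists principals outside an assumed trusted set that hold write-capable allow ACEs on the executable. The TRUSTED set, the function names and the second sample are assumptions constructed for illustration.

```python
import re

# Rights tokens from icacls that allow replacing or re-permissioning a file.
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "WDAC", "WO", "GA", "GW"}
# Inheritance and ACE-type markers, which are not rights.
FLAGS = {"I", "OI", "CI", "IO", "NP", "DENY"}
# Assumption: principals that are expected to hold write access.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
           "NT SERVICE\\TrustedInstaller"}
ACE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^()]*\))+)\s*$")

def parse_aces(path, output):
    """Yield (principal, rights, is_deny) for each ACE line in icacls output."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):      # first ACE shares a line with the path
            line = line[len(path):].strip()
        m = ACE.match(line)
        if not m:
            continue                   # blank line or the "Successfully processed" summary
        tokens = set()
        for group in re.findall(r"\(([^()]*)\)", m["groups"]):
            tokens.update(t.strip() for t in group.split(","))
        yield m["who"], tokens - FLAGS, "DENY" in tokens

def writable_by_untrusted(path, output):
    """Return principals outside TRUSTED that hold an allow ACE with write rights."""
    return sorted(who for who, rights, deny in parse_aces(path, output)
                  if not deny and who not in TRUSTED and rights & WRITE_RIGHTS)

EXE = r"C:\Program Files (x86)\mRemoteNG\mRemoteNG.exe"
# Output quoted in the comment above (1.76.20, MSI install).
FROM_THREAD = EXE + r""" NT AUTHORITY\SYSTEM:(I)(F)
    BUILTIN\Administrators:(I)(F)
    BUILTIN\Users:(I)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files"""
# Constructed sample (not from the thread): ACEs a misconfigured install could show.
CONSTRUCTED_WEAK = EXE + r""" NT AUTHORITY\SYSTEM:(I)(F)
    BUILTIN\Administrators:(I)(F)
    BUILTIN\Users:(I)(M)
    Everyone:(DENY)(W)
    NT AUTHORITY\Authenticated Users:(RX,W)"""

if __name__ == "__main__":
    for name, out in (("thread", FROM_THREAD), ("constructed", CONSTRUCTED_WEAK)):
        print(name, writable_by_untrusted(EXE, out))
```

An empty list for the output quoted in the thread matches the "Cannot Reproduce" finding; the constructed sample is flagged for BUILTIN\Users and NT AUTHORITY\Authenticated Users.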

Kvarkas added the Security Vuln, Need 2 check, 1.77.2, Cannot Reproduce and Cannot Fix labels and removed the Need 2 check label on Feb 3, 2023.
Kvarkas closed this as completed on Feb 16, 2023.
@simonai1254
Contributor

The CVE entry got updated to point to this issue: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24307 as advisory.
