MNDT-2024-0003

Description

The JumpCloud agent installer contains a local privilege escalation vulnerability that affects versions 1.147.0 and prior.

Impact

High - Exploiting the vulnerability gives a local unprivileged attacker SYSTEM-level privileges.

Exploitability

Medium - Any authenticated local user can exploit the vulnerability, and an exploit is trivial to produce.

CVE Reference

CVE-2023-26603

Common Weakness Enumeration

CWE-379: Creation of Temporary File in Directory with Insecure Permissions

Common Vulnerability Scoring System

Base Score: 7.8 - Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Technical Details

The installation of the agent uses the Windows Installer framework and an MSI file is cached in C:\Windows\Installer. An unprivileged user can trigger a repair operation, either by using the Windows Installer API or by running "msiexec.exe /fa c:\Windows\Installer\[XXXXX].msi".

Running a repair operation will trigger a number of file operations as SYSTEM in the low-privileged user’s %TEMP% folder. Execution of files in the user’s %TEMP% folder from a SYSTEM context could lead to an attacker hijacking that execution and running arbitrary commands as SYSTEM.
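
For defenders, the sequence described above can be hunted in process-creation logs: a repair of a cached MSI started by a non-SYSTEM user, followed shortly by a SYSTEM process whose image sits in a user's %TEMP% folder. The following is an added example, not part of the original advisory or JumpCloud's code. The event field names, the five-minute window, the function name and the sample events (including the MSI file name) are assumptions constructed for illustration, and matches are candidates for triage.

```python
import re
from datetime import datetime, timedelta

# Field names (time, user, image, cmd) are assumptions modelled on
# process-creation telemetry; map them to your own log schema.
REPAIR = re.compile(  # msiexec with a /f* (repair) switch on a cached MSI
    r'\bmsiexec(?:\.exe)?"?\s.*?[/-]f[poedcaumsv]*\s+"?[a-z]:\\windows\\installer\\',
    re.I)
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SYSTEM = "NT AUTHORITY\\SYSTEM"
WINDOW = timedelta(minutes=5)  # assumed correlation window


def find_repair_hijack_candidates(events):
    """Pair each repair started by a non-SYSTEM user with any SYSTEM process
    whose image lives in a user's %TEMP% folder shortly afterwards."""
    repairs, hits = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["user"] != SYSTEM and REPAIR.search(ev["cmd"]):
            repairs.append(ev)
        elif ev["user"] == SYSTEM and USER_TEMP.match(ev["image"]):
            hits += [(rep, ev) for rep in repairs
                     if ev["time"] - rep["time"] <= WINDOW]
    return hits


def _ev(ts, user, image, cmd):
    return {"time": datetime.fromisoformat(ts), "user": user,
            "image": image, "cmd": cmd}


MSIEXEC = r"C:\Windows\System32\msiexec.exe"
SAMPLE_EVENTS = [  # constructed sample data, not taken from the advisory
    _ev("2024-01-10T09:00:00", "CORP\\alice", MSIEXEC,
        r"msiexec.exe /fa C:\Windows\Installer\1a2b3c.msi"),
    _ev("2024-01-10T09:00:20", SYSTEM,
        r"C:\Users\alice\AppData\Local\Temp\helper.exe", "helper.exe"),
    _ev("2024-01-10T11:00:00", SYSTEM,  # no repair in the preceding window
        r"C:\Users\bob\AppData\Local\Temp\other.exe", "other.exe"),
    _ev("2024-01-10T12:00:00", "CORP\\bob", MSIEXEC,  # install, not repair
        r"msiexec.exe /i C:\Users\bob\Downloads\app.msi"),
]

if __name__ == "__main__":
    for rep, ev in find_repair_hijack_candidates(SAMPLE_EVENTS):
        print(f'{rep["user"]} repair at {rep["time"]} -> SYSTEM ran {ev["image"]}')
```

Repairs triggered through the Windows Installer API leave no msiexec command line, so this correlation only covers the command-line path the advisory mentions.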

Resolution

The issue was fixed in version 1.178.0.

Discovery Credits

  • Andrew Oliveau, Mandiant

Disclosure Timeline

  • 23-Feb-2023 - Vulnerability reported to JumpCloud
  • 27-Feb-2023 - Vulnerability confirmed by JumpCloud
  • 25-Apr-2024 - Confirmed vulnerability fixed in version 1.178.0

References