Malicious add-on can hijack UAC Authorization

Moderate
seanbudd published GHSA-727q-h8j2-6p45 Mar 13, 2024

Package: NVDA (NVDA)

Affected versions: All

Patched versions: None

Description

Summary

A user can install an add-on which arbitrarily changes NVDA's code.
A malicious add-on can hijack the point at which NVDA elevates to administrative privileges via UAC authorization.
After installing the add-on, the next time an administrator accepts a UAC dialog for NVDA, arbitrary code with administrator privileges can be executed.

Patch commit(s)

None: This is a consequence of an intended feature.

Limitations

A user must be able to install add-ons to NVDA.
This can be prevented by using NVDA's Secure Mode to restrict add-on installations.
An administrator must accept a UAC prompt from NVDA after a user has installed a malicious add-on.

Proof of concept 1

  1. A malicious add-on is created and installed, which patches NVDA's functions used during UAC administrator elevation.
  2. NVDA asks to update to the next version.
  3. The user accepts and asks an administrator to accept the UAC prompt to install the updated NVDA.
    The administrator who has entered the credentials believes they are installing NVDA,
    but during the installation, the malicious code is executed with admin privileges.

Proof of concept 2

  • An evil add-on author distributes a malicious add-on through the Add-on Store (there is usually no code checking) or externally
  • A user installs the add-on at their own risk; the user knows that the add-on can act with non-admin user privileges and accepts this risk.
  • The add-on patches the update function with malicious code.
  • When NVDA updates, the user accepts the UAC prompt, and the patched code runs with administrator privileges.

Indicators of compromise

Unknown

Workarounds

  • As an administrator, disable users from installing add-ons. This can be done using Secure Mode.
  • Before performing an administrator action using NVDA, restart NVDA using the -c flag to prevent custom code from being executed.

Timeline

  • Reported late October 2022
  • Secure Mode system parameter released in 2023.2 (September 2023) to improve mitigation for this.
  • Corporate and Governance page updated Jan-March 2024
  • Fix released for Secure Mode to prevent custom config loading in 2023.3.4 on March 4, 2024.

For more information

If you have any questions or comments about this advisory:

Severity

Moderate, 6.3 / 10

CVSS base metrics

Attack vector: Local
Attack complexity: High
Privileges required: High
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

CVE ID

No known CVE

Weaknesses

No CWEs

Credits