CVE-2023-3181 - OpenCVE

The C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe process creates a folder at C:\Windows\Temp~nsu.tmp and copies itself to it as Au_.exe. The C:\Windows\Temp~nsu.tmp\Au_.exe file is automatically launched as SYSTEM when the system reboots or when a standard user runs an MSI repair using Splashtop Streamer’s Windows Installer. Since the C:\Windows\Temp~nsu.tmp folder inherits permissions from C:\Windows\Temp and Au_.exe is susceptible to DLL hijacking, standard users can write a malicious DLL to it and elevate their privileges.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Microsoft	Windows
Splashtop	Software Updater

Configuration 1 [-]

AND

cpe:2.3:a:splashtop:software_updater:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0015.md	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Google

Published: 2024-01-25T15:22:47.828Z

Updated: 2024-01-25T15:22:47.828Z

Reserved: 2023-06-09T09:44:05.431Z

Link: CVE-2023-3181

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-01-25T16:15:07.400

Modified: 2024-02-03T01:34:52.677

Link: CVE-2023-3181

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-3181", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2023-06-09T09:44:05.431Z", "datePublished": "2024-01-25T15:22:47.828Z", "dateUpdated": "2024-01-25T15:22:47.828Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Splashtop Software Updater", "vendor": "Splashtop", "versions": [{"lessThan": "1.5.6.21", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\uninst.exe process creates a folder at C:\\Windows\\Temp~nsu.tmp and copies itself to it as Au_.exe. The C:\\Windows\\Temp~nsu.tmp\\Au_.exe file is automatically launched as SYSTEM when the system reboots or when a standard user runs an MSI repair using Splashtop Streamer\u2019s Windows Installer. Since the C:\\Windows\\Temp~nsu.tmp folder inherits permissions from C:\\Windows\\Temp and Au_.exe is susceptible to DLL hijacking, standard users can write a malicious DLL to it and elevate their privileges."}], "value": "The C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\uninst.exe process creates a folder at C:\\Windows\\Temp~nsu.tmp and copies itself to it as Au_.exe. The C:\\Windows\\Temp~nsu.tmp\\Au_.exe file is automatically launched as SYSTEM when the system reboots or when a standard user runs an MSI repair using Splashtop Streamer\u2019s Windows Installer. Since the C:\\Windows\\Temp~nsu.tmp folder inherits permissions from C:\\Windows\\Temp and Au_.exe is susceptible to DLL hijacking, standard users can write a malicious DLL to it and elevate their privileges."}], "impacts": [{"capecId": "CAPEC-165", "descriptions": [{"lang": "en", "value": "CAPEC-165 File Manipulation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-379", "description": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2024-01-25T15:22:47.828Z"}, "references": [{"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0015.md"}], "source": {"discovery": "UNKNOWN"}, "title": "Insecure Permissions in Splashtop Software Updater", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splashtop:software_updater:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B171E7A-307B-4342-8DC8-662D3AC42894", "versionEndIncluding": "1.5.6.21", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\uninst.exe process creates a folder at C:\\Windows\\Temp~nsu.tmp and copies itself to it as Au_.exe. The C:\\Windows\\Temp~nsu.tmp\\Au_.exe file is automatically launched as SYSTEM when the system reboots or when a standard user runs an MSI repair using Splashtop Streamer\u2019s Windows Installer. Since the C:\\Windows\\Temp~nsu.tmp folder inherits permissions from C:\\Windows\\Temp and Au_.exe is susceptible to DLL hijacking, standard users can write a malicious DLL to it and elevate their privileges."}, {"lang": "es", "value": "El proceso C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\uninst.exe crea una carpeta en C:\\Windows\\Temp~nsu.tmp y se copia en ella como Au_.exe. El archivo C:\\Windows\\Temp~nsu.tmp\\Au_.exe se inicia autom\u00e1ticamente como SISTEMA cuando el sistema se reinicia o cuando un usuario est\u00e1ndar ejecuta una reparaci\u00f3n de MSI utilizando el instalador de Windows de Splashtop Streamer. Dado que la carpeta C:\\Windows\\Temp~nsu.tmp hereda permisos de C:\\Windows\\Temp y Au_.exe es susceptible al secuestro de DLL, los usuarios est\u00e1ndar pueden escribirle una DLL maliciosa y elevar sus privilegios."}], "id": "CVE-2023-3181", "lastModified": "2024-02-03T01:34:52.677", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2024-01-25T16:15:07.400", "references": [{"source": "cve-coordination@google.com", "tags": ["Third Party Advisory"], "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0015.md"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-379"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}