SysTrack LsiAgent Installer Flaw Escalates Privileges Locally

A flawed Microsoft Software Installer (MSI) application developed by Lakeside Software could enable attackers with lower privileges to gain full system access. The local privilege escalation vulnerability uncovered by Google Mandiant has since been patched.
CVE-2023-6080 is considered a high-severity vulnerability affecting Lakeside Software’s SysTrack LsiAgent Installer version for Windows. The vulnerability has a CVSS score of 7.8, or highly severe. When exploited, the vulnerability grants attackers system-level access.
The flaw stems from a feature within SysTrack LsiAgent Installer called the repair function, which is typically used in software applications to allow users access to the systems to fix issues that may be affecting the installed software.
While executing an MSI file, the repair function permits the creation or execution of multiple files in the context of NT AUTHORITY\SYSTEM, a built-in Windows account with the highest level of privileges that can be misused by hackers for privilege escalation.
To exploit CVE-2023-6080, Mandiant used a real-time file monitoring tool called Process Monitor to analyze and review file operations executed during SysTrack MSI’s repair operations.
“While running the repair process as a low-privileged user, Mandiant observed file creation and execution within the user’s %TEMP% folder from MSIExec.exe,” Mandiant said.
Since %TEMP% is writable by a low-privilege user, the researchers created a PowerShell script to test the executable file names that were created. On rerunning the MSI repair function to observe its subsequent behavior, they found that the application fails over to another file naming pattern.
Additionally, the action also created a race condition vulnerability that can allow hackers to overwhelm a system by sending simultaneous requests attempting to modify the same data.
Mandiant researchers then wrote another PowerShell script designed to exploit the race condition vulnerability by copying a file to the %TEMP% folder to overwrite the file created by MSIExec.exe.
“With the race condition script running, execution of the repair action resulted in the test.exe file overwriting the intended binary and subsequently being executed and opening NT AUTHORITY\SYSTEM,” the researchers said.
In addition to privilege escalation, hackers can use the exploit to modify files within NT AUTHORITY\SYSTEM, enabling arbitrary code execution, Google Mand.
Since misconfigured custom actions in MSI packages can pose significant security risks due to lower visibility, Mandiant researchers said software developers should follow secure coding practices to prevent attackers from hijacking high-privilege operations.
Because MSI performs operations such as creating and executing files in the %TEMP% folder, developers should also ensure all privileged file operations are executed from adequately secured folders, the report said.
“This can include altering the read/write permissions for the folder, or using built-in folders such as which are inherently protected from low-privilege users,” Mandiant researchers added.
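One way to check whether a folder is "adequately secured" before an installer uses it for privileged file operations, as an added example that is not code from Mandiant or Lakeside Software. The function name `Get-UntrustedWriteAce` and the list of trusted writers are assumptions made for this illustration.

```powershell
# Added example: list ACEs that let non-administrative principals write to a folder.
function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    # Principals allowed to write (assumption for this example; adjust to policy).
    $trustedSids = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' # TrustedInstaller
    )

    # Rights that allow creating, replacing or re-permissioning content,
    # plus the raw GENERIC_ALL and GENERIC_WRITE bits that some ACEs carry.
    $writeRights = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
                   'ChangePermissions, TakeOwnership'
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]$writeRights
    $writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Ask for explicit and inherited rules, with identities returned as SIDs.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to the folder being checked.
        if ([int]$ace.PropagationFlags -band $inheritOnly) { continue }
        if (-not ([int]$ace.FileSystemRights -band $writeMask)) { continue }

        $sid = $ace.IdentityReference.Value
        if ($trustedSids -contains $sid) { continue }

        [pscustomobject]@{
            Path   = $Path
            Sid    = $sid
            Rights = $ace.FileSystemRights
        }
    }
}

# A standard user's %TEMP% is expected to be reported (the user holds write
# rights on it); Program Files on a default installation is not.
Get-UntrustedWriteAce -Path $env:TEMP
Get-UntrustedWriteAce -Path $env:ProgramFiles
```

Any row returned for a folder means a principal outside the trusted list can create or replace files there, so a custom action running as NT AUTHORITY\SYSTEM should not write to or execute from it.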
Lakeside Software patched the flaw in August 2024 after being alerted by Google.
Earlier, Mandiant uncovered a similar flaw in the MSI installer for Atera Agent 1.8.3.6.