
SysTrack Agent bug allows attackers to gain full system privileges


A newly discovered security vulnerability in Lakeside Software’s SysTrack Agent version 10.7.8 could allow attackers to escalate their privileges and gain full control over a compromised system. Identified as CVE-2023-6080, the flaw lets attackers abuse weaknesses in the Microsoft Software Installer (MSI) repair function to execute malicious code with elevated permissions.

The vulnerability stems from insecure coding practices in the creation of MSI Custom Actions, which can expose gaps in folder permissions, broken shortcuts, and missing file references. If left unchecked, these weaknesses allow attackers to execute high-privilege operations using the MSI repair feature.

When software is installed via an MSI file, Windows caches the installer in the C:\Windows\Installer directory. This allows users to initiate the ‘repair’ function, which is intended to fix issues affecting the software. However, researchers observed that executing the repair function as a low-privilege user can trigger file operations in an NT AUTHORITY\SYSTEM context, providing a pathway for privilege escalation.

During the repair operation, MSIExec.exe created multiple temporary files within the user’s ‘%TEMP%’ folder. Each repair operation generated a new ‘.tmp’ file with a predictable naming scheme: the string ‘wac’ followed by four random hexadecimal characters. With 65,535 possible filename combinations, the repair function’s reliance on an easily exhaustible namespace opened a potential attack vector.

Illustration: Supimol Kumying | Shutterstock

On researching further, experts revealed a race condition vulnerability in the process. By preparing the ‘%TEMP%’ folder with preexisting filenames and executing a specially crafted PowerShell script, researchers were able to replace a system-generated ‘.tmp’ file with their executable before execution. This resulted in the unauthorised execution of their payload, launching ‘cmd.exe’ as NT AUTHORITY\SYSTEM and effectively achieving full system privileges.

Researchers recommend that software developers limit privileged file operations, enhance filename generation techniques, and perform regular audits while implementing safeguards to address race condition vulnerabilities.

For organisations, they suggest monitoring administrative shell executions in high-privilege contexts, conducting comprehensive endpoint security assessments to identify and mitigate similar issues, and establishing security controls that restrict low-privilege users from interacting with privileged processes.
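The monitoring recommendation above can be turned into a concrete check. The following is an added example, not code from the article or from Lakeside Software: it scans process-creation events (the JSON records, field names and sample values are constructed for this example, loosely modelled on Sysmon Event ID 1 / Windows 4688 fields) and flags two patterns that the repair abuse described in this article would produce: an interactive shell spawned as NT AUTHORITY\SYSTEM with msiexec.exe as its parent, and any SYSTEM process whose image lives in a user’s %TEMP% directory.

```python
import json
import re

# Constructed sample events in JSON-lines form (assumed field names: Image, User,
# ParentImage, CommandLine). These are not real telemetry from the article.
SAMPLE_LOG = r'''
{"Image": "C:\\Windows\\System32\\msiexec.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "msiexec.exe /V"}
{"Image": "C:\\Windows\\System32\\msiexec.exe", "User": "WORKSTATION\\alice", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "msiexec.exe /fa {PRODUCT-CODE-PLACEHOLDER}"}
{"Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "cmd.exe"}
{"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wac1A2B.tmp", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "C:\\Users\\alice\\AppData\\Local\\Temp\\wac1A2B.tmp"}
{"Image": "C:\\Windows\\System32\\cmd.exe", "User": "WORKSTATION\\alice", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe"}
'''

# Interactive shells that should not normally be children of an MSI repair running as SYSTEM.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
PRIVILEGED_USERS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}
# A per-user temp directory: writable by the low-privilege user, so SYSTEM should not execute from it.
USER_TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_jsonl(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Return the lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(event):
    """Return the list of rule names this process-creation event triggers (empty if benign)."""
    findings = []
    user = event.get("User", "").upper()
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")

    # Only privileged contexts are of interest for this check.
    if user not in {u.upper() for u in PRIVILEGED_USERS}:
        return findings

    # Rule 1: a shell launched as SYSTEM directly under msiexec.exe.
    if basename(image) in SHELLS and basename(parent) == "msiexec.exe":
        findings.append("system_shell_from_msiexec")

    # Rule 2: SYSTEM executing an image stored in a user's %TEMP% folder.
    if USER_TEMP_RE.match(image):
        findings.append("system_exec_from_user_temp")

    return findings


def scan(events):
    """Return (index, findings) pairs for every event that triggers at least one rule."""
    results = []
    for idx, event in enumerate(events):
        findings = classify_event(event)
        if findings:
            results.append((idx, findings))
    return results


SAMPLE_EVENTS = parse_jsonl(SAMPLE_LOG)

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {', '.join(findings)} -> {ev['User']} ran {ev['Image']} "
              f"(parent {ev['ParentImage']})")
```

Legitimate MSI custom actions do run as SYSTEM, so the first rule is deliberately narrow (shell binaries only) rather than flagging every msiexec.exe child; the second rule is the stronger signal, because nothing run by SYSTEM should normally be loaded from a directory a low-privilege user controls. The same two rules translate directly into a SIEM query over the equivalent event fields.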

“Compromise of integrity on a single system can allow an attacker to mount further attacks throughout the network; for example, the Network Access Account used by SCCM can be compromised through a single workstation and when misconfigured can be used to escalate privileges within the domain and pivot to additional systems within the network,” researchers concluded.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
