Mandiant discovered and exploited a local privilege escalation vulnerability (CVE-2023-6080) in Lakeside Software’s SysTrack installer, allowing low-privilege users to gain arbitrary code execution through flaws in the Microsoft Software Installer (MSI) repair process. The issue has been addressed in version 11.0 of SysTrack. Affected: SysTrack, Windows systems
Key points:
- Mandiant exploited a vulnerability in Lakeside Software’s SysTrack version 10.7.8.
- An attacker with low-privilege access could escalate privileges locally through the MSI repair action.
- The vulnerability was identified and reported responsibly to Lakeside Software.
- The issue has been fixed in SysTrack version 11.0.
- Insecure coding practices in Microsoft Software Installer’s Custom Actions were a primary cause of the vulnerability.
- File operations during the MSI repair action ran in the NT AUTHORITY\SYSTEM context while touching locations a low-privilege user controls, which is what made privilege escalation possible.
- The exploit involved creating a race condition during the repair action to execute arbitrary code.
- Defensive measures should include secure coding practices and appropriate folder permissions.
- Mandiant recommends auditing endpoint security and monitoring for privilege escalation attempts.
MITRE Techniques:
- Privilege Escalation (T1068) – An attacker exploits a vulnerability in the MSI repair process to gain elevated privileges.
- Exploitation for Client Execution (T1203) – The attacker executes a malicious executable by manipulating the repair functionality of SysTrack.
Indicators of Compromise:
- [File] wac0000.tmp
- [File] wacFFFF.tmp
- [File] wac1.tmp
- [File] wac2.tmp
- [File] wac3.tmp
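Added detection example (not from the Mandiant write-up or Lakeside's code): it applies the key points above to constructed, Sysmon-style FileCreate records and flags the combination the advisory describes, a file operation in the NT AUTHORITY\SYSTEM context that drops a wac*.tmp staging file (the IoC pattern listed above) under a user-controlled directory. The pipe-delimited record layout, the sample events, and the assumption that msiexec.exe is the writing process are all mine.

```python
import re
from dataclasses import dataclass

# Constructed sample events (time|user|image|target filename); not real telemetry.
SAMPLE_EVENTS = [
    "2024-01-10T12:00:01Z|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\msiexec.exe"
    "|C:\\Users\\alice\\AppData\\Local\\Temp\\wac0000.tmp",
    "2024-01-10T12:00:01Z|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\msiexec.exe"
    "|C:\\Users\\alice\\AppData\\Local\\Temp\\wac1.tmp",
    # Same process and context, but the protected installer cache: not user-controlled.
    "2024-01-10T12:00:02Z|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\msiexec.exe"
    "|C:\\Windows\\Installer\\MSI1234.tmp",
    # Matching file name, but written by the user herself: no elevation involved.
    "2024-01-10T12:00:03Z|CORP\\alice|C:\\Windows\\System32\\notepad.exe"
    "|C:\\Users\\alice\\AppData\\Local\\Temp\\wac2.tmp",
]

# IoC pattern from the advisory: wac + hex digits + .tmp (wac1.tmp, wac0000.tmp, wacFFFF.tmp).
WAC_TMP = re.compile(r"\\wac[0-9a-f]+\.tmp$", re.IGNORECASE)
# Assumption: anything under C:\Users is treated as user-controlled.
USER_CONTROLLED = re.compile(r"^C:\\Users\\", re.IGNORECASE)


@dataclass
class Alert:
    time: str
    user: str
    path: str


def parse_event(line):
    time, user, image, target = line.split("|", 3)
    return {"time": time, "user": user, "image": image.lower(), "target": target}


def is_suspicious(ev):
    # All conditions from the key points must hold at once: SYSTEM context,
    # the installer process (assumed msiexec.exe) as writer, a user-controlled
    # target directory, and the wac*.tmp staging-file name.
    return (ev["user"].upper() == "NT AUTHORITY\\SYSTEM"
            and ev["image"].endswith("\\msiexec.exe")
            and USER_CONTROLLED.match(ev["target"]) is not None
            and WAC_TMP.search(ev["target"]) is not None)


def scan(lines):
    events = (parse_event(line) for line in lines)
    return [Alert(e["time"], e["user"], e["target"]) for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.time} {alert.user} wrote {alert.path}")
```

Only the first two sample events are reported; the installer-cache write and the user's own notepad write are ignored, which is the false-positive control a deployed rule needs.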
Full Story: https://cloud.google.com/blog/topics/threat-intelligence/cve-2023-6080-third-party-installer-abuse/