
Splashtop Streamer Image File Execution Options Injection Vulnerability [CVE-2024-42050]

CVE number = CVE-2024-42050

CVSS Score = Base score: 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

The MSI installer for Splashtop Streamer for Windows versions < 3.7.0.0 uses a temporary folder with weak permissions during installation. A local authenticated user can exploit this to escalate privileges to SYSTEM.

If the MSI installer still exists in the original location it was executed from, or it was originally executed from a location it can be copied back to, a regular user can force a reinstall of the product.

During reinstall, a .reg file (CredProvider_Inst.reg) is loaded from a user-writable folder in the user’s %TEMP% directory.

A local authenticated user can set an oplock on the file and then overwrite it repeatedly with arbitrary contents after the oplock has been triggered.

If the race condition is won, the file will be loaded in the SYSTEM context, and any keys and values defined in it will be written to the registry.

This can be used to write a Debugger value to the Image File Execution Options registry key for a binary that runs as SYSTEM and point it to an arbitrary binary that will be executed instead.
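From the defender's side, one way to catch this kind of write is to scan .reg files (or `reg export` output) for Debugger values under Image File Execution Options. The following is an added example, not code from Splashtop or from the original advisory; the function names and the sample input are constructed for illustration.

```python
import re

# IFEO subkey under HKLM, including the 32-bit registry view (WOW6432Node).
IFEO_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows NT"
    r"\\CurrentVersion\\Image File Execution Options\\(?P<image>[^\\\]]+)$",
    re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"\s*=\s*(?P<data>.*)$')

def _decode(data):
    """Decode REG_SZ ("...") or REG_EXPAND_SZ (hex(2):...) data to text."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.lower().startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b.strip())
        return raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return data  # other value types are reported as written

def find_ifeo_debuggers(reg_text):
    """Return (image, debugger) pairs for IFEO Debugger values in .reg text."""
    # Long hex data is wrapped with ",\" at end of line; join it first.
    text = re.sub(r",\\\r?\n\s*", ",", reg_text)
    findings, image = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # "[-HKEY...]" deletes a key, so it does not match and is skipped.
            m = IFEO_RE.match(line[1:-1])
            image = m.group("image") if m else None
        elif image:
            m = VALUE_RE.match(line)
            # '"Debugger"=-' removes the value and is not a finding.
            if m and m.group("name").lower() == "debugger" and m.group("data") != "-":
                findings.append((image, _decode(m.group("data"))))
    return findings

# Constructed sample input; the image names and paths are placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"Debugger"="ignored.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example_service.exe]
"debugger"="C:\\Users\\Public\\placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\other.exe]
"Debugger"=hex(2):61,00,2e,00,\
  65,00,78,00,65,00,00,00
'''
```

Files written by regedit or `reg export` in the "Version 5.00" format are normally UTF-16, so read them with `encoding="utf-16"` before passing the text to `find_ifeo_debuggers`.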

Further details / patch information – https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/25584410412571–Splashtop-Streamer-version-v3-7-0-0-for-Windows-released

Jason Davies

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional with an interest in computer security and telecoms.

One thought on “Splashtop Streamer Image File Execution Options Injection Vulnerability [CVE-2024-42050]”

  • Checked with Splashtop and was informed the CVE was already fixed in released version 3700
