Splashtop Streamer Image File Execution Options Injection Vulnerability [CVE-2024-42050]
CVE number = CVE-2024-42050
CVSS Score = Base score: 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
The MSI installer for Splashtop Streamer for Windows versions < 3.7.0.0 uses a temporary folder with weak permissions during installation. A local authenticated user can exploit this to escalate privileges to SYSTEM.
If the MSI installer still exists in the original location it was executed from, or it was originally executed from a location it can be copied back to, a regular user can force a reinstall of the product.
During reinstall, a .reg file (CredProvider_Inst.reg) is loaded from a user-writable folder in the user’s %TEMP% directory.
A local authenticated user can set an oplock on the file and then overwrite it repeatedly with arbitrary contents after the oplock has been triggered.
If the race condition is won, the file will be loaded in the SYSTEM context, and any keys and values defined in it will be written to the registry.
This can be used to write a Debugger value to the Image File Execution Options registry key for a binary that runs as SYSTEM and point it to an arbitrary binary that will be executed instead.
Further details / patch information – https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/25584410412571–Splashtop-Streamer-version-v3-7-0-0-for-Windows-released

I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.

Checked with Splashtop and was informed the CVE was already fixed in released version 3700