Splashtop Streamer Image File Execution Options Injection Vulnerability [CVE-2024-42050]
CVE number = CVE-2024-42050
CVSS Score = Base score: 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
The MSI installer for Splashtop Streamer for Windows versions < 3.7.0.0 uses a temporary folder with weak permissions during installation. A local authenticated user can exploit this to escalate privileges to SYSTEM
.
If the MSI installer still exists in the original location it was executed from, or it was originally executed from a location it can be copied back to, a regular user can force a reinstall of the product.
During reinstall, a .reg
file (CredProvider_Inst.reg
) is loaded from a user-writable folder in the user’s %TEMP%
directory.
A local authenticated user can set an oplock on the file and then overwrite it repeatedly with arbitrary contents after the oplock has been triggered.
If the race condition is won, the file will be loaded in the SYSTEM
context, and any keys and values defined in it will be written to the registry.
This can be used to write a Debugger
value to the Image File Execution Options
registry key for a binary that runs as SYSTEM
and point it to an arbitrary binary that will be executed instead.
Further details / patch information – https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/25584410412571–Splashtop-Streamer-version-v3-7-0-0-for-Windows-released
I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.
Checked with Splashtop and was informed the CVE was already fixed in released version 3700