Vulnerability Disclosure - Privilege Escalation @ TightVNC

Kartik Lalan, published in NestedIf, Mar 4, 2023 (2 min read)
TightVNC Privilege Escalation

Status: Fixed (as of 18-Feb-2023)

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H = 8.0 (High Severity)

CVE-2023-27830

Fixed version: TightVNC 2.8.75 (Changelog)

Impacted Component: TightVNC 2.8.63 (Windows Desktop App)

Vulnerability Description: To follow the principle of least privilege, users are generally given a non-admin Windows login. When a remote user connects through TightVNC, the server process runs in the background as a high-privileged account, so file transfers are performed with that account's rights: the remote user can plant executables that replace the original ones. This lets the remote user gain Windows privilege escalation. The same file transfer also works while the Windows account is locked, because the TightVNC service keeps running in the background.

Impact rationale: Privilege escalation allowing a non-admin user to gain complete Administrator access on the target system.

Exploitability rationale: Although this assumes the connection password has been shared with the attacker, when the principle of least privilege (a best practice by design) is followed, this weakness still allows Windows privilege escalation.

Steps To Reproduce:

1. Log in as a non-admin Windows user on the target system (this launches TightVNC in the background).

2. From a remote system, connect with TightVNC Viewer using the password.

3. Once connected, open the file transfer option.

4. Plant a malicious executable on the target system (delete the original executable if present, or plant a new one directly) in a location where the program is known to be launched as admin (e.g. any service under C:\Program Files\).

OR lock the Windows account on the target and retry planting the malicious executable.

5. Restart the system so the service autostarts, and the malicious code executes as a privileged user (or wait for an admin user to invoke it manually).

Recommendation:

  1. Adopt the principle of least privilege
  2. Apply role-based access control properly
  3. During system lock, prevent access to the filesystem or require reauthentication.
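The practical defender's question raised by this disclosure is which hosts still run a TightVNC build older than 2.8.75, and whether the server service is running as LocalSystem (the condition under which a file-transfer write carries full privilege). The following PowerShell script is an added inventory check, not code from the post or from the TightVNC project. It reads the standard Windows uninstall registry views and Win32_Service; the service name `tvnserver` and the `TightVNC*` display-name match are assumptions, while the fixed version 2.8.75 is taken from the disclosure.

```powershell
# Added example (not part of the original disclosure or of TightVNC itself).
# Assumptions, labelled here: the service name 'tvnserver' and the display-name
# pattern 'TightVNC*' are assumed identifiers; 2.8.75 is the fixed version from the post.
param(
    [string]  $ServiceName  = 'tvnserver',   # assumed TightVNC server service name
    [version] $FixedVersion = '2.8.75'       # first fixed version per the disclosure
)

function Get-TightVncInstall {
    # Standard Windows uninstall registry views (native and 32-bit-on-64-bit).
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'TightVNC*' } |   # assumed display-name pattern
        Select-Object DisplayName, DisplayVersion
}

function Test-TightVncExposure {
    param([string] $ServiceName, [version] $FixedVersion)

    $install = Get-TightVncInstall | Select-Object -First 1
    $service = Get-CimInstance -ClassName Win32_Service `
                               -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue

    # Parse only the leading numeric part of DisplayVersion (it may carry a suffix).
    $installed = $null
    if ($install -and $install.DisplayVersion -match '^\d+(\.\d+){1,3}') {
        $installed = [version] $Matches[0]
    }

    $state   = $null
    $account = $null
    if ($service) {
        $state   = $service.State
        # The file-transfer write runs with this account's rights; a LocalSystem
        # service is what turns the issue into a full privilege escalation.
        $account = $service.StartName
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Installed         = [bool] $install
        Version           = $installed
        VulnerableVersion = ($null -ne $installed) -and ($installed -lt $FixedVersion)
        ServicePresent    = [bool] $service
        ServiceState      = $state
        ServiceAccount    = $account
        RunsAsSystem      = ($null -ne $account) -and ($account -match 'LocalSystem')
    }
}

$result = Test-TightVncExposure -ServiceName $ServiceName -FixedVersion $FixedVersion
$result | Format-List

if ($result.VulnerableVersion -and $result.RunsAsSystem) {
    Write-Warning "TightVNC $($result.Version) running as $($result.ServiceAccount): update to $FixedVersion or later."
}
```

Run it per host (or push it through your usual remote-execution channel) and collect the objects centrally; a host reports as exposed only when both conditions hold, an installed version below 2.8.75 and a server service running as LocalSystem. Hosts that match are the ones where recommendation 1 above has been undone by the service account, regardless of how the interactive users are provisioned.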
