SoftMaker Office / FreeOffice Local Privilege Escalation

`SEC Consult Vulnerability Lab Security Advisory < 20240627-0 >  
=======================================================================  
title: Local Privilege Escalation via MSI installer  
product: SoftMaker Office / FreeOffice  
vulnerable version: SoftMaker Office 2024 / NX before revision 1214  
FreeOffice 2021 Revision 1068  
FreeOffice 2024 before revision 1215  
fixed version: SoftMaker Office 2024 / NX - revision 1214  
FreeOffice 2024 - revision 1215  
CVE number: CVE-2023-7270  
impact: high  
homepage: https://www.softmaker.com/en/  
found: 2023-11-27  
by: Michael Baer (Office Fürth)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"SoftMaker Office makes working with documents, spreadsheets and presentations  
a breeze – whether you're on Windows, Linux, Mac, iOS or Android."  
  
Source: https://www.softmaker.com/en/products/softmaker-office  
  
  
Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.  
  
SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via MSI installer (CVE-2023-7270)  
The SoftMaker Office and FreeOffice MSI installer files were found to produce  
a visible conhost.exe window running as the SYSTEM user when using the repair  
function of msiexec.exe.  
  
This allows a local, low-privileged attacker to use a chain of actions,  
to open a fully functional cmd.exe with the privileges of the SYSTEM user.  
  
Note:  
This attack does not work using a recent version of the Edge Browser or  
Internet Explorer. A different browser, such as Chrome or Firefox, needs to be  
used. Also make sure, that Edge or IE have not been set as default browser  
and that Firefox or Chrome are not running before attempting to exploit it.  
Otherwise, the spawned process would be running with your own permissions and  
the installer will just add a new tab to the browser, instead of spawning a  
new process with SYSTEM.  
  
  
Proof of concept:  
-----------------  
1) Local Privilege Escalation via MSI installer (CVE-2023-7270)  
For the exploit to work, SoftMaker Office or FreeOffice have to be installed  
via the MSI file. Afterwards, any low-privileged user can start the  
repair of the software by double-clicking the installer and trigger  
the vulnerable actions without a UAC popup. The installer, if deleted from it's  
original location, can be found in C:\Windows\Installer with a randomized name.  
  
During the repair process, a console application gets called with SYSTEM  
privileges and performs a read action on some files.  
  
SoftMaker Office: Executes 7z.exe, which reads  
C:\Program Files\SoftMaker Office 2024\tb\7z.exe  
  
FreeOffice: Executes syspin.exe, which reads  
C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll  
  
This can be used by an attacker by simply setting an oplock on the files  
mentioned before.  
  
As soon as it gets read, the process is blocked until the lock is released.  
  
To do that, one can use the 'SetOpLock.exe' tool from  
"https://github.com/googleprojectzero/symboliclink-testing-tools"  
with the following parameters:  
  
while ($true) { SetOpLock.exe "C:\Program Files\SoftMaker Office 2024\tb\7z.exe" x }  
while ($true) { SetOpLock.exe "C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll" x }  
  
See figure 1 [soft_lock.png] and figure 2 [lock.png]  
  
During the repair process, the locked file is accessed multiple times. The lock  
has to be released by pressing ENTER several times before the window opens.  
  
If the window appears, the lock should not be released to keep the  
window open. The window that gets opened when the console program is  
executed doesn't close and can then be interacted with.  
  
Note 1: The syspin.exe window is minimized. When the lock is triggered, it  
is advised to check the taskbar whether a window with a blue arrow,  
see figure 7 [taskbar.png], exists.  
  
The attacker can then perform the following actions to spawn a SYSTEM shell:  
- Right click on the top bar of the window  
- Click on properties, see figure 3 [soft_openbrowser.png] and figure 4 [openbrowser.png]  
- Under options, click on the "new console features" link  
- Open the link with e.g. firefox  
- In the opened browser window press the key combination CTRL+o  
- Type cmd.exe in the top bar and press Enter, see figure 5 [soft_cmd.png] and figure 6 [cmd.png]  
  
Note 2: This does not work using a recent version of the Edge Browser.  
  
Note 3: The program syspin.exe is invoked several times, sometimes without  
elevated privileges. If the final cmd.exe is not elevated, release the lock  
and wait for the next syspin.exe invocation. During our test, the fifth  
window was run with elevated privileges.  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested by SEC Consult which were the most recent  
versions available at the time of the test:  
* SoftMaker Office 2024 - 24.0.6034  
* FreeOffice 2021 Revision 1068  
  
According to the vendor, all versions of SoftMaker Office NX/2024 before revision 1214  
and FreeOffice 2024 before revision 1215 with the MSI installer are affected.  
  
FreeOffice 2021 is unsupported and will not be fixed according to the vendor.  
  
  
Vendor contact timeline:  
------------------------  
2023-12-02: Contacting vendor through [email protected],  
asking for security contact.  
2023-12-07: Contacting vendor through https://www.softmaker.com/en/support/customer-support  
asking for security contact.  
2024-01-11: Contacting vendor through https://www.softmaker.com/en/support/customer-support  
asking for security contact.  
2024-01-11: Vendor provides security contact and asks for advisory  
unencrypted  
2024-01-12: Sending advisory draft unencrypted to security contact  
2024-02-17: Asking for status of vulnerability, no response  
2024-03-06: Asking for status of vulnerability, no response  
2024-04-08: Asking for a status update, setting release date to  
17th April.  
2024-04-08: Vendor response, seems not to have received our previous mails.  
Asking for deadline extension as a release it already planned.  
2024-04-09: Sending advisory draft again, extending deadline.  
2024-04-11: Asking whether email was received, confirmed. Sent proposed  
solution.  
2024-04-22: Asking when new release is planned and whether fixes could be  
incorporated.  
2024-04-23: Vendor response, current service pack update not including fixes,  
planned in about 6 weeks.  
2024-05-27: Vendor response, service pack / revision 1214 was published which fixes  
the issue for Office 2024 and Office NX. FreeOffice 2024 will  
be fixed in the next release mid June. FreeOffice 2021 is unsupported.  
2024-06-11: Vendor: FreeOffice 2024 will be patched on 18th June, asks for advisory  
release to be postponed a bit.  
2024-06-17: Setting advisory release date for 27th June, reserving CVE.  
2024-06-18: Vendor releases FreeOffice 2024 revision 1215.  
2024-06-27: Release of security advisory.  
  
  
Solution:  
---------  
The vendor provides a service pack version 1214 for SoftMaker Office 2024 and  
SofMaker Office NX, which can be downloaded from:  
https://softmaker.de/download/servicepacks  
  
FreeOffice 2024 revision 1215:  
https://www.freeoffice.com/de/download/servicepacks  
  
FreeOffice 2021 is unsupported and will not be fixed according to the vendor.  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Michael Baer / 2024  
`