来源

关联漏洞

介绍

# CVE-2022-27438
> Caphyon Ltd Advanced Installer 19.3 "CustomDetection" Update Check Remote Code Execution Vulnerability.

Usage: `python3 cve-2022-27438_poc.py`

Details in the report at [gerr.re](https://gerr.re/posts/cve-2022-27438/).

## Steps to reproduce
For other affected products, you have to change the update server and update configuration filename. These can often be found in the updater `.ini` in the application installation directory.

1. Install [Advanced Installer 19.3](https://www.advancedinstaller.com/downloads/advinst.msi);
2. Set spoof `www.advancedinstaller.com` to our attacker ip;
    * For the proof of concept it is easiest to edit `c:\windows\system32\drivers\etc\hosts` on the target.
        - Attackers may e.g. use:
            + poorly configured routers/switches/DNS
            + DNS spoof / cache poisoning
            + ARP spoof / cache poisoning
3. Generate self-signed certificates;
   * e.g. using `openssl req -new -x509 -keyout www.advancedinstaller.com.pem -out www.advancedinstaller.com.pem -days 365 -nodes -subj "/CN=www.advancedinstaller.com"`
4. Run the proof of concept script on the attacker;
5. Start Advanced Installer to trigger update automatically, or
    * wait for 2 days to trigger update automatically, or
    * trigger update manually through the application menu/settings, or
    * trigger update manually by starting the update application at `C:\Program Files (x86)\Caphyon\Advanced Installer 19.3\bin\x86\updater.exe`;
6. Proceed with the Windows untrusted certificate security alert (if applicable).

As a result, the binary specified in `CustomDetection` with parameters specified in `CustomDetectionParameters` is executed in the context of the current user.

文件快照

 [4.0K]  /data/pocs/1b159f89f8f74387dea42c496baf5c962870678a
├── [1.7K]  cve-2022-27438_poc.py
├── [453K]  cve-2022-27438_public-advisory.pdf
└── [1.7K]  README.md

0 directories, 3 files

备注