gsd-2020-15264
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
The Boxstarter installer before version 2.13.0 configures C:\ProgramData\Boxstarter to be in the system-wide PATH environment variable. However, this directory is writable by normal, unprivileged users. To exploit the vulnerability, place a DLL in this directory that a privileged service is looking for. For example, WptsExtensions.dll When Windows starts, it'll execute the code in DllMain() with SYSTEM privileges. Any unprivileged user can execute code with SYSTEM privileges. The issue is fixed in version 3.13.0
Aliases
Aliases
{ "GSD": { "alias": "CVE-2020-15264", "description": "The Boxstarter installer before version 2.13.0 configures C:\\ProgramData\\Boxstarter to be in the system-wide PATH environment variable. However, this directory is writable by normal, unprivileged users. To exploit the vulnerability, place a DLL in this directory that a privileged service is looking for. For example, WptsExtensions.dll When Windows starts, it\u0027ll execute the code in DllMain() with SYSTEM privileges. Any unprivileged user can execute code with SYSTEM privileges. The issue is fixed in version 3.13.0", "id": "GSD-2020-15264" }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2020-15264" ], "details": "The Boxstarter installer before version 2.13.0 configures C:\\ProgramData\\Boxstarter to be in the system-wide PATH environment variable. However, this directory is writable by normal, unprivileged users. To exploit the vulnerability, place a DLL in this directory that a privileged service is looking for. For example, WptsExtensions.dll When Windows starts, it\u0027ll execute the code in DllMain() with SYSTEM privileges. Any unprivileged user can execute code with SYSTEM privileges. The issue is fixed in version 3.13.0", "id": "GSD-2020-15264", "modified": "2023-12-13T01:21:43.846612Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15264", "STATE": "PUBLIC", "TITLE": "Privilege Escalation in Boxstarter" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "boxstarter", "version": { "version_data": [ { "version_value": "\u003c 2.13.0" } ] } } ] }, "vendor_name": "chocolatey" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Boxstarter installer before version 2.13.0 configures C:\\ProgramData\\Boxstarter to be in the system-wide PATH environment variable. However, this directory is writable by normal, unprivileged users. To exploit the vulnerability, place a DLL in this directory that a privileged service is looking for. For example, WptsExtensions.dll When Windows starts, it\u0027ll execute the code in DllMain() with SYSTEM privileges. Any unprivileged user can execute code with SYSTEM privileges. The issue is fixed in version 3.13.0" } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-668 Exposure of Resource to Wrong Sphere" } ] }, { "description": [ { "lang": "eng", "value": "CWE-73 External Control of File Name or Path" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/chocolatey/boxstarter/security/advisories/GHSA-rpgx-h675-r3jf", "refsource": "CONFIRM", "url": "https://github.com/chocolatey/boxstarter/security/advisories/GHSA-rpgx-h675-r3jf" }, { "name": "https://github.com/chocolatey/boxstarter/commit/67e320491813550b48900e87105a34ceefdcf633", "refsource": "MISC", "url": "https://github.com/chocolatey/boxstarter/commit/67e320491813550b48900e87105a34ceefdcf633" }, { "name": "VU#208577", "refsource": "CERT-VN", "url": "https://www.kb.cert.org/vuls/id/208577" } ] }, "source": { "advisory": "GHSA-rpgx-h675-r3jf", "discovery": "UNKNOWN" } }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:chocolatey:boxstarter:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.13.0", "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15264" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "The Boxstarter installer before version 2.13.0 configures C:\\ProgramData\\Boxstarter to be in the system-wide PATH environment variable. However, this directory is writable by normal, unprivileged users. To exploit the vulnerability, place a DLL in this directory that a privileged service is looking for. For example, WptsExtensions.dll When Windows starts, it\u0027ll execute the code in DllMain() with SYSTEM privileges. Any unprivileged user can execute code with SYSTEM privileges. The issue is fixed in version 3.13.0" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-668" }, { "lang": "en", "value": "CWE-73" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/chocolatey/boxstarter/commit/67e320491813550b48900e87105a34ceefdcf633", "refsource": "MISC", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/chocolatey/boxstarter/commit/67e320491813550b48900e87105a34ceefdcf633" }, { "name": "https://github.com/chocolatey/boxstarter/security/advisories/GHSA-rpgx-h675-r3jf", "refsource": "CONFIRM", "tags": [ "Third Party Advisory" ], "url": "https://github.com/chocolatey/boxstarter/security/advisories/GHSA-rpgx-h675-r3jf" }, { "name": "VU#208577", "refsource": "CERT-VN", "tags": [ "Third Party Advisory" ], "url": "https://www.kb.cert.org/vuls/id/208577" } ] } }, "impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false }, "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9 } }, "lastModifiedDate": "2020-10-30T22:32Z", "publishedDate": "2020-10-20T21:15Z" } } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…