cnvd - cnvd-2020-68541

CNVD-2020-68541

Vulnerability from cnvd - Published: 2020-12-02

Title

chocolatey Boxstarter存在未明漏洞

Description

chocolatey Boxstarter是美国chocolatey公司的一款适用于安装虚拟Windows环境的虚拟机管理软件。 Boxstarter installer 2.13.0之前版本存在安全漏洞，该漏洞源于将C：ProgramDataBoxstarter配置为在系统范围的PATH环境变量中。但是，该目录可由普通的、无特权的用户写入。要利用此漏洞，请将一个DLL放在特权服务正在查找的目录中。当Windows启动时，它将使用系统特权执行DllMain()中的代码。攻击者可利用该漏洞使用系统特权执行代码。

Severity

高

Patch Name

chocolatey Boxstarter存在未明漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/chocolatey/boxstarter/security/advisories/GHSA-rpgx-h675-r3jf

Reference

https://github.com/chocolatey/boxstarter/commit/67e320491813550b48900e87105a34ceefdcf633

Impacted products

Name
chocolatey chocolatey Boxstarter <2.13.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-15264",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-15264"
    }
  },
  "description": "chocolatey Boxstarter\u662f\u7f8e\u56fdchocolatey\u516c\u53f8\u7684\u4e00\u6b3e\u9002\u7528\u4e8e\u5b89\u88c5\u865a\u62dfWindows\u73af\u5883\u7684\u865a\u62df\u673a\u7ba1\u7406\u8f6f\u4ef6\u3002\n\nBoxstarter installer 2.13.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5c06C\uff1aProgramDataBoxstarter\u914d\u7f6e\u4e3a\u5728\u7cfb\u7edf\u8303\u56f4\u7684PATH\u73af\u5883\u53d8\u91cf\u4e2d\u3002\u4f46\u662f\uff0c\u8be5\u76ee\u5f55\u53ef\u7531\u666e\u901a\u7684\u3001\u65e0\u7279\u6743\u7684\u7528\u6237\u5199\u5165\u3002\u8981\u5229\u7528\u6b64\u6f0f\u6d1e\uff0c\u8bf7\u5c06\u4e00\u4e2aDLL\u653e\u5728\u7279\u6743\u670d\u52a1\u6b63\u5728\u67e5\u627e\u7684\u76ee\u5f55\u4e2d\u3002\u5f53Windows\u542f\u52a8\u65f6\uff0c\u5b83\u5c06\u4f7f\u7528\u7cfb\u7edf\u7279\u6743\u6267\u884cDllMain()\u4e2d\u7684\u4ee3\u7801\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4f7f\u7528\u7cfb\u7edf\u7279\u6743\u6267\u884c\u4ee3\u7801\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/chocolatey/boxstarter/security/advisories/GHSA-rpgx-h675-r3jf",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-68541",
  "openTime": "2020-12-02",
  "patchDescription": "chocolatey Boxstarter\u662f\u7f8e\u56fdchocolatey\u516c\u53f8\u7684\u4e00\u6b3e\u9002\u7528\u4e8e\u5b89\u88c5\u865a\u62dfWindows\u73af\u5883\u7684\u865a\u62df\u673a\u7ba1\u7406\u8f6f\u4ef6\u3002\r\n\r\nBoxstarter installer 2.13.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5c06C\uff1aProgramDataBoxstarter\u914d\u7f6e\u4e3a\u5728\u7cfb\u7edf\u8303\u56f4\u7684PATH\u73af\u5883\u53d8\u91cf\u4e2d\u3002\u4f46\u662f\uff0c\u8be5\u76ee\u5f55\u53ef\u7531\u666e\u901a\u7684\u3001\u65e0\u7279\u6743\u7684\u7528\u6237\u5199\u5165\u3002\u8981\u5229\u7528\u6b64\u6f0f\u6d1e\uff0c\u8bf7\u5c06\u4e00\u4e2aDLL\u653e\u5728\u7279\u6743\u670d\u52a1\u6b63\u5728\u67e5\u627e\u7684\u76ee\u5f55\u4e2d\u3002\u5f53Windows\u542f\u52a8\u65f6\uff0c\u5b83\u5c06\u4f7f\u7528\u7cfb\u7edf\u7279\u6743\u6267\u884cDllMain()\u4e2d\u7684\u4ee3\u7801\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4f7f\u7528\u7cfb\u7edf\u7279\u6743\u6267\u884c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "chocolatey Boxstarter\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "chocolatey chocolatey Boxstarter \u003c2.13.0"
  },
  "referenceLink": "https://github.com/chocolatey/boxstarter/commit/67e320491813550b48900e87105a34ceefdcf633",
  "serverity": "\u9ad8",
  "submitTime": "2020-10-28",
  "title": "chocolatey Boxstarter\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2020-15264 (GCVE-0-2020-15264)

Vulnerability from cvelistv5 – Published: 2020-10-20 20:25 – Updated: 2024-08-04 13:15

Summary

The Boxstarter installer before version 2.13.0 configures C:\ProgramData\Boxstarter to be in the system-wide PATH environment variable. However, this directory is writable by normal, unprivileged users. To exploit the vulnerability, place a DLL in this directory that a privileged service is looking for. For example, WptsExtensions.dll When Windows starts, it'll execute the code in DllMain() with SYSTEM privileges. Any unprivileged user can execute code with SYSTEM privileges. The issue is fixed in version 3.13.0

Severity ?

8 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-668 - Exposure of Resource to Wrong Sphere
CWE-73 - External Control of File Name or Path

Assigner

GitHub_M

References

URL

Tags

	https://github.com/chocolatey/boxstarter/security…	x_refsource_CONFIRM
	https://github.com/chocolatey/boxstarter/commit/6…	x_refsource_MISC
	https://www.kb.cert.org/vuls/id/208577	third-party-advisoryx_refsource_CERT-VN

Impacted products

	Vendor	Product	Version
	chocolatey	boxstarter	Affected: < 2.13.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:15:19.037Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/chocolatey/boxstarter/security/advisories/GHSA-rpgx-h675-r3jf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/chocolatey/boxstarter/commit/67e320491813550b48900e87105a34ceefdcf633"
          },
          {
            "name": "VU#208577",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "https://www.kb.cert.org/vuls/id/208577"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "boxstarter",
          "vendor": "chocolatey",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.13.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Boxstarter installer before version 2.13.0 configures C:\\ProgramData\\Boxstarter to be in the system-wide PATH environment variable. However, this directory is writable by normal, unprivileged users. To exploit the vulnerability, place a DLL in this directory that a privileged service is looking for. For example, WptsExtensions.dll When Windows starts, it\u0027ll execute the code in DllMain() with SYSTEM privileges. Any unprivileged user can execute code with SYSTEM privileges. The issue is fixed in version 3.13.0"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-668",
              "description": "CWE-668 Exposure of Resource to Wrong Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73 External Control of File Name or Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-22T17:06:18",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/chocolatey/boxstarter/security/advisories/GHSA-rpgx-h675-r3jf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/chocolatey/boxstarter/commit/67e320491813550b48900e87105a34ceefdcf633"
        },
        {
          "name": "VU#208577",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "https://www.kb.cert.org/vuls/id/208577"
        }
      ],
      "source": {
        "advisory": "GHSA-rpgx-h675-r3jf",
        "discovery": "UNKNOWN"
      },
      "title": "Privilege Escalation in Boxstarter",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-15264",
          "STATE": "PUBLIC",
          "TITLE": "Privilege Escalation in Boxstarter"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "boxstarter",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 2.13.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "chocolatey"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Boxstarter installer before version 2.13.0 configures C:\\ProgramData\\Boxstarter to be in the system-wide PATH environment variable. However, this directory is writable by normal, unprivileged users. To exploit the vulnerability, place a DLL in this directory that a privileged service is looking for. For example, WptsExtensions.dll When Windows starts, it\u0027ll execute the code in DllMain() with SYSTEM privileges. Any unprivileged user can execute code with SYSTEM privileges. The issue is fixed in version 3.13.0"
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-668 Exposure of Resource to Wrong Sphere"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-73 External Control of File Name or Path"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/chocolatey/boxstarter/security/advisories/GHSA-rpgx-h675-r3jf",
              "refsource": "CONFIRM",
              "url": "https://github.com/chocolatey/boxstarter/security/advisories/GHSA-rpgx-h675-r3jf"
            },
            {
              "name": "https://github.com/chocolatey/boxstarter/commit/67e320491813550b48900e87105a34ceefdcf633",
              "refsource": "MISC",
              "url": "https://github.com/chocolatey/boxstarter/commit/67e320491813550b48900e87105a34ceefdcf633"
            },
            {
              "name": "VU#208577",
              "refsource": "CERT-VN",
              "url": "https://www.kb.cert.org/vuls/id/208577"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-rpgx-h675-r3jf",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-15264",
    "datePublished": "2020-10-20T20:25:17",
    "dateReserved": "2020-06-25T00:00:00",
    "dateUpdated": "2024-08-04T13:15:19.037Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-68541

CVE-2020-15264 (GCVE-0-2020-15264)

Tags

Sightings

Nomenclature