CVE-2024-27674

Macro Expert <= 4.9.4 - Insecure Permissions Privilege Escalation

Description:

Insecure Permissions vulnerability in Macro Expert 4.9.4 and versions below allows a local unprivileged attacker to execute arbitrary code as SYSTEM via a crafted script by replacing the MacroService.exe binary existing within a controllable path.

Impacted service(s)

servicename: Macro Expert

Path permission: c:\program files (x86)\grasssoft\macro expert

ACL Permissions

C:\>icacls "C:\Program Files (x86)\GrassSoft\Macro Expert"
C:\Program Files (x86)\GrassSoft\Macro Expert BUILTIN\Users:(OI)(CI)(M)
                                              NT SERVICE\TrustedInstaller:(I)(F)
                                              NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                              NT AUTHORITY\SYSTEM:(I)(F)
                                              NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                              BUILTIN\Administrators:(I)(F)
                                              BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                              BUILTIN\Users:(I)(RX)
                                              BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                              CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                              APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                              APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Attack Vector

Files in this path can be modified by unprivileged users, malicious process and/or threat actor. And the service "Macro Expert" which runs under SYSTEM context, will invoke the "MacroService.exe" in this directory. If a malicious user replaces the executable named "MacroService.exe" within this directory, the service will inadvertently execute these malicious binaries upon reboot, running them with SYSTEM privileges.

Discovered by:

Alaa Kachouh