Summary
Type of issue: Privilege escalation. Bypass login, system access to run/install files
Impact of the issue: Arbitrary code execution, unauthorised access.
By pressing NVDA+control+v and control+v in the UAC window, it is possible to access a series of Windows dialogs that eventually allow arbitrary execution of code, including installing software, bypassing UAC.
Patch commit(s)
Note: this fix, included in 2023.3.2, is only tested on Windows 8.1, Windows 10 and Windows 11. 2023.3 is the last NVDA version to work with Windows 7, and is considered insecure.
64e6413
Limitations
NVDA must be allowed to run on secure screens.
Technical details
An OpenClipboard error dialog is raised from Windows natively when attempting to paste on the secure screen.
NVDA settings allow access to a text edit field from the secure screen.
Access to a text edit field causes the clipboard event to be handled with an error dialog instead of failing silently.
This error dialog allows system access.
Proof of concept
- NVDA 2023.3 installed with "enable on sign-in screen" enabled
- On the sign on screen or at a UAC prompt:
- Use NVDA+control+v to open the voice settings dialog
- Press control+v
- Result: able to bring up an NVDA error window with a save file prompt.
- Expected: not allowed to save file.
- Click Save
- In File Name: Type *.*
- Browse Local Disk
- Result: able to browse around all folders/files
- Result: able to run .exe and install files
Indicators of compromise
Unknown
Workarounds
Disable running NVDA on secure screens.
Timeline
- NV Access notified: 2024/1/6
- NV Access reproduced: 2024/1/9
- Security advisory raised: 2024/1/9
- Patch passes internal testing: 2024/1/11
- Incomplete Fix 1 released in 2023.3.1: 2024/1/15
- Issues with Fix 1 discovered: 2024/1/15
- Final Fix 2 released in 2023.3.2: 2024/1/22
- Note: this fix is only tested on Windows 8.1, Windows 10 and Windows 11. 2023.3 is the last NVDA version to work with Windows 7, and is considered insecure.
For more information
If you have any questions or comments about this advisory: