Skip to content

Access to escalated python console on secure screens

High
feerrenrut published GHSA-mvc8-5rv9-w3hx Mar 22, 2022

Software

nvda

Affected versions

<2021.3.4

Patched versions

2021.3.4

Description

Summary

When performing an action in a secure screen, such as the sign-in screen, an unauthenticated user can open a python console with system privileges.
This allows a user to escalate Windows privileges from administrator to system.

Pull request(s)

#13487

Limitations

This requires a user to bind a gesture for the wx inspection tool.
The user must also copy their configuration to a secure screen.

Technical details

To enter a secure screen:

  • Run an application as administrator, causing the User Access Control dialog to appear
  • Enable NVDA to run during sign-in, then lock the desktop and continue to the password entry sign-in screen.

Proof of concept

  1. Running NVDA logged into a normal user account, open the NVDA input gestures dialog and bind a gesture to the GUI inspection tool script.
  2. In the NVDA General settings panel, copy the current user config to the system config for use on secure screens.
  3. Enter a secure screen
  4. Execute the gesture you bound to the GUI inspection tool.
  5. Execute the gesture and check that the tool starts.
  6. Note the python console with system privileges

Workarounds

To prevent unauthenticated users from opening the python console on older NVDA versions:

  • run NVDA while logged in, and not in secure mode
  • unbind the input gesture for the wx GUI inspection tool
  • copy your configuration for use on secure screens
  • consider limiting administrator privileges of other users of the device, so that they cannot overwrite this by copying their configuration to secure screens

Timeline

This was reported in late February, after the 2021.3.3 release.
A patch was created to be added to a 2021.3.4 patch release in early March.

Indicators of compromise

Unknown

For more information

If you have any questions or comments about this advisory:

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
High
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

CVE ID

No known CVE

Weaknesses

No CWEs

Credits