Cordaware Bestinformed Infoclient Privilege Escalation Vulnerability

A vulnerability in Cordaware Bestinformed Infoclient versions prior to 6.3.8.1 allows low-privileged users to change the server address of the Bestinformed Server that the client connects to. This is problematic because the Infoclient operates with elevated permissions as 'nt authority\system'. By redirecting the server address to a malicious server or a script that mimics a server, users can exploit certain features of the Bestinformed Web server to escalate privileges to 'nt authority\system' on the Windows client. Exploitation can involve pushing malicious update packages or performing arbitrary registry reads as 'nt authority\system'. However, this vulnerability can be mitigated by deploying a custom configuration file that disables the relevant GUI options or by using the Infoclient quick configuration to lock the address and port fields.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation to 'nt authority\system' on the affected Windows client.

Remediation

Users can upgrade to Cordaware Bestinformed Infoclient version 6.3.8.1 or later, where this vulnerability has been addressed. Instructions for updating can be found on the Cordaware website.