CleverControl Employee Monitoring Software Missing TLS Validation Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability in CleverControl employee monitoring software version 11.5.1041.6 allows for remote code execution with SYSTEM privileges. The issue arises because the software's installer fails to validate TLS server certificates. During installation, the installer downloads external components using curl.exe with the --insecure flag, which disables certificate verification. This oversight enables a man-in-the-middle attacker to intercept the download and deliver malicious files that are executed with elevated rights. While it is assumed that previous versions are also affected, this has not been confirmed.
Impact
Exploitation of this vulnerability allows for arbitrary code execution with administrative privileges on the affected system.
Reproduction
The vulnerability can be reproduced by running the CleverControl MSI installer. The installation process downloads two script files, 'instredist.cmd' and 'srec.cmd', without validating the server's TLS certificate. These scripts are executed during installation and in turn use curl.exe to download further files without verifying the server's certificate, so a man-in-the-middle attacker can impersonate that server. By intercepting the download, an attacker can deliver a malicious executable that, when executed by the installer, runs with SYSTEM privileges, thereby achieving full remote code execution.
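The pattern behind this advisory, an installer running as SYSTEM that invokes curl.exe with certificate verification disabled, is visible in process-creation telemetry. The following is an added example, not code from the advisory or from the vendor, that scans Windows process-creation events for curl invocations carrying --insecure or the short -k flag and raises the severity when the download runs as SYSTEM or is launched from an installer script. The log format (Sysmon Event ID 1 fields flattened to one line per event), the host names, paths and user names are constructed for the example; only the script names instredist.cmd and srec.cmd come from the advisory.

```python
import re
from dataclasses import dataclass, field

# Constructed sample events in a flattened Sysmon Event ID 1 style ("key=value" pairs
# separated by " | "). Hosts, paths and users are made up; instredist.cmd and srec.cmd
# are the installer scripts named in the advisory.
SAMPLE_EVENTS = [
    r'User=NT AUTHORITY\SYSTEM | ParentImage=C:\Windows\System32\cmd.exe | ParentCommandLine=cmd.exe /c "C:\Windows\Temp\instredist.cmd" | Image=C:\Windows\System32\curl.exe | CommandLine=curl.exe --insecure -o C:\Windows\Temp\redist.exe https://downloads.example.invalid/redist.exe',
    r'User=NT AUTHORITY\SYSTEM | ParentImage=C:\Windows\System32\cmd.exe | ParentCommandLine=cmd.exe /c "C:\Windows\Temp\srec.cmd" | Image=C:\Windows\System32\curl.exe | CommandLine=curl.exe -sSkL -o C:\Windows\Temp\srec.exe https://downloads.example.invalid/srec.exe',
    # Benign: -K (uppercase) is curl's config-file option, not -k (insecure).
    r'User=CORP\alice | ParentImage=C:\Windows\System32\cmd.exe | ParentCommandLine=cmd.exe | Image=C:\Windows\System32\curl.exe | CommandLine=curl.exe -K C:\Users\alice\curlrc.txt https://api.example.invalid/',
    # Benign: verification is kept and pinned to a private CA bundle.
    r'User=CORP\alice | ParentImage=C:\Windows\explorer.exe | ParentCommandLine=explorer.exe | Image=C:\Windows\System32\curl.exe | CommandLine=curl.exe --cacert C:\certs\ca.pem -o out.bin https://downloads.example.invalid/out.bin',
    # Benign: "-k" appears only inside a quoted POST body, not as an option.
    r'User=CORP\bob | ParentImage=C:\Windows\System32\cmd.exe | ParentCommandLine=cmd.exe | Image=C:\Windows\System32\curl.exe | CommandLine=curl.exe -d "token=-k" https://api.example.invalid/login',
]

# Quote-aware tokenizer: a double-quoted argument is one token, otherwise split on whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# A cluster of short options such as -k or -sSkL (a long option like --cacert does not match).
SHORT_CLUSTER_RE = re.compile(r'^-[A-Za-z]+$')


def parse_event(line):
    """Split one flattened event line into a dict of field name -> value."""
    fields = {}
    for part in line.split(' | '):
        key, _, value = part.partition('=')   # split on the first '=' only; values may contain '='
        fields[key.strip()] = value.strip()
    return fields


def insecure_flags(command_line):
    """Return the curl tokens that disable TLS certificate verification."""
    tokens = TOKEN_RE.findall(command_line)
    found = []
    for tok in tokens[1:]:                     # tokens[0] is the program itself
        if tok == '--insecure':
            found.append(tok)
        elif SHORT_CLUSTER_RE.match(tok) and 'k' in tok[1:]:   # case-sensitive: -K is the config option
            found.append(tok)
    return found


@dataclass
class Finding:
    user: str
    parent_command_line: str
    flags: list = field(default_factory=list)
    severity: str = 'medium'


def scan_events(lines):
    """Flag curl.exe process creations that skip certificate verification."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not ev.get('Image', '').lower().endswith('curl.exe'):
            continue
        flags = insecure_flags(ev.get('CommandLine', ''))
        if not flags:
            continue
        user = ev.get('User', '')
        parent_cmd = ev.get('ParentCommandLine', '')
        # An unverified download running as SYSTEM or launched from an installer script
        # is the advisory's scenario: whatever is fetched can execute with elevated rights.
        elevated = user.upper().endswith('SYSTEM')
        from_installer = bool(re.search(r'\.(cmd|bat|msi)\b', parent_cmd, re.IGNORECASE))
        severity = 'high' if (elevated or from_installer) else 'medium'
        findings.append(Finding(user, parent_cmd, flags, severity))
    return findings


if __name__ == '__main__':
    for f in scan_events(SAMPLE_EVENTS):
        print(f'[{f.severity}] user={f.user} flags={f.flags} parent={f.parent_command_line}')
```

Running the script reports only the two installer-script downloads; the config-file option, the pinned-CA download and the quoted "-k" in a POST body are not flagged. The same tokenizer and flag check can be dropped into a SIEM rule that already exposes the CommandLine field.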
