GoSign Desktop Insecure Update Mechanism Leading to Remote Code Execution Vulnerability
Vulnerability
A vulnerability in GoSign Desktop in versions through 2.4.0 allows remote code execution due to an insecure update mechanism. The update manifest is not digitally signed, so the client cannot tell a manifest that was tampered with in transit from a legitimate one. When a proxy is configured, the application can disable TLS certificate validation, leaving users open to man-in-the-middle attacks. An attacker could exploit this to inject a malicious update that the application would install as legitimate, executing arbitrary code with the user's privileges on Windows and macOS, or with elevated rights on certain Linux distributions.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the affected system, with the executed code running under the privileges of the GoSign Desktop user. On Windows and macOS, this is done with the user's current rights, while on some Linux deployments, the executed code can have elevated privileges.
Reproduction
The vulnerability can be reproduced by configuring GoSign Desktop to use a proxy server, which disables TLS certificate validation. Then, a malicious update manifest can be injected through the intercepted network traffic. The application will download and install the tampered update, executing the injected code with the user's privileges.
Remediation
Users can update to GoSign Desktop version 2.4.1, which addresses the remote code execution by verifying the digital signature of the update manifest. However, it is important to note that this version does not fix the TLS certificate validation issue when a proxy is configured.
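As an added illustration of the check that 2.4.1 is described as introducing (this is example code, not GoSign's own, and the manifest layout, field names, Ed25519 key type and pinned-key handling are assumptions, since the page does not give GoSign's real format), the verifier below rejects any manifest whose signature does not validate under the publisher key and then ties the downloaded installer to that manifest by hash:

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update manifest layout (assumed, not GoSign's real format).
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// VerifyManifest rejects any manifest whose detached Ed25519 signature does not verify
// under the publisher key pinned in the client; the raw bytes are checked before parsing.
func VerifyManifest(pub ed25519.PublicKey, manifestJSON, sig []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, errors.New("update manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("malformed manifest: %w", err)
	}
	if m.Version == "" || m.URL == "" || len(m.SHA256) != 64 {
		return nil, errors.New("manifest missing required fields")
	}
	return &m, nil
}

// VerifyArtifact binds the downloaded installer to the signed manifest by SHA-256,
// so a swapped binary is rejected even if the download itself was intercepted.
func VerifyArtifact(m *Manifest, artifact []byte) bool {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:]) == m.SHA256
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stand-in for the publisher's pinned key
	installer := []byte("constructed installer bytes")   // constructed sample artifact
	sum := sha256.Sum256(installer)
	manifest := []byte(`{"version":"2.4.1","url":"https://updates.example.invalid/gosign","sha256":"` + hex.EncodeToString(sum[:]) + `"}`)
	sig := ed25519.Sign(priv, manifest)
	m, err := VerifyManifest(pub, manifest, sig)
	fmt.Println(err == nil && VerifyArtifact(m, installer)) // true
}
```

Signature verification closes the manifest-tampering path regardless of transport, but it is not a substitute for TLS certificate validation, which the page notes 2.4.1 still leaves disabled when a proxy is configured.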
