Lighthouse Data GPMAW Insecure File Permissions Vulnerability Allowing Privilege Escalation

Vulnerability

A critical vulnerability has been identified in GPMAW version 14.2, bioinformatics software from Lighthouse Data. The issue arises from insecure file permissions on the installation directory, which grants full access to all users. This misconfiguration allows unprivileged users to modify or replace files within the directory, including the executables GPMAW3.exe and Fragment.exe and the uninstaller GPsetup64_17028.exe. An attacker with user-level access could exploit this by replacing the uninstaller with a malicious version. Because the uninstaller is normally run with administrative privileges, this could lead to unauthorized administrative access and execution of arbitrary code in the administrator's security context, resulting in privilege escalation.

Impact

Exploitation of this vulnerability could grant an attacker administrative privileges, allowing arbitrary code to be executed with elevated rights, according to the GitHub repository that documents the vulnerability.

Reproduction

To reproduce this vulnerability, first, navigate to the insecure installation directory 'C:\Program Files\gpmaw', which has full control permissions for all users. As a standard user, replace the 'GPsetup64_17028.exe' uninstaller with a malicious executable. Afterward, wait for an administrator to run the uninstaller, at which point the malicious payload will execute with administrative privileges.

Remediation

To address this vulnerability, restrict permissions on the installation folder so that only trusted principals, such as Administrators, have write access. Alternatively, reinstall GPMAW in a secured location with correct Access Control Lists (ACLs).
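The following PowerShell is an added example written for this page; it is not code from the advisory, the linked repository, or Lighthouse Data. It covers both the condition described under Vulnerability (a low-privilege principal holding write-class rights on the install tree, including the uninstaller) and the remediation above: it audits the directory and every file beneath it for Allow ACEs that give Everyone, Users, Authenticated Users or INTERACTIVE any write, delete or permission-change right, and provides a function that replaces the directory ACL with Administrators/SYSTEM Full Control and Users Read & Execute. The path is the one the advisory names; the function names, the list of low-privilege identities and the chosen replacement ACL are this example's assumptions. Run it from an elevated session.

```powershell
# Added example, not part of the advisory or of the GPMAW product.
# Audits the GPMAW install tree for write-class rights granted to low-privilege
# principals, and can replace the directory ACL with a restrictive one.
# `using namespace` must precede all other statements in the script.
using namespace System.Security.AccessControl

# Path taken from the advisory; adjust if the product was installed elsewhere.
$InstallDir = 'C:\Program Files\gpmaw'

# Assumed set of principals that must never hold write rights under Program Files.
$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a caller replace, delete or re-permission a file.
# Write expands to WriteData, AppendData, WriteExtendedAttributes, WriteAttributes.
$WriteClassRights = [FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Find-WeakAces {
    # Returns one object per Allow ACE on $Path that gives a low-privilege
    # principal a write-class right. No output means the object is clean.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $isAllow   = $ace.AccessControlType -eq [AccessControlType]::Allow
        $isLowPriv = $LowPrivIdentities -contains $ace.IdentityReference.Value
        $canWrite  = ($ace.FileSystemRights -band $WriteClassRights) -ne 0
        if ($isAllow -and $isLowPriv -and $canWrite) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Find-WeakAcesRecursive {
    # Audits the directory itself and everything below it, so a file such as the
    # uninstaller with its own explicit ACE is caught even if the folder is fixed.
    param([Parameter(Mandatory)][string]$Root)

    Find-WeakAces -Path $Root
    Get-ChildItem -Path $Root -Recurse -Force |
        ForEach-Object { Find-WeakAces -Path $_.FullName }
}

function Set-HardenedInstallDirAcl {
    # Replaces the directory ACL with: Administrators and SYSTEM Full Control,
    # Users Read & Execute, all inheritable. Inheritance from the parent is cut
    # so a permissive parent cannot reintroduce the weak entries.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect DACL, discard inherited ACEs
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRuleAll($ace)      # drop every explicit ACE
    }

    $inherit = [InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [PropagationFlags]::None
    $rules = @(
        [FileSystemAccessRule]::new('BUILTIN\Administrators', [FileSystemRights]::FullControl,    $inherit, $prop, [AccessControlType]::Allow),
        [FileSystemAccessRule]::new('NT AUTHORITY\SYSTEM',    [FileSystemRights]::FullControl,    $inherit, $prop, [AccessControlType]::Allow),
        [FileSystemAccessRule]::new('BUILTIN\Users',          [FileSystemRights]::ReadAndExecute, $inherit, $prop, [AccessControlType]::Allow)
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# Usage (elevated): audit first; call Set-HardenedInstallDirAcl only after
# reviewing the findings, then re-run the audit to confirm nothing remains.
Find-WeakAcesRecursive -Root $InstallDir | Format-Table -AutoSize
```

Set-Acl propagates the new inheritable entries to children that still inherit, but a file that was given its own explicit ACE (for example an uninstaller re-permissioned by the installer) keeps it; the recursive audit reports such files, and `icacls "C:\Program Files\gpmaw" /reset /T` resets them to inherit from the hardened directory. Treat an Allow ACE for Everyone or Users carrying Write, Modify or FullControl on any `.exe` in the tree as the finding to escalate, since that is exactly the condition the advisory describes.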

Added: Aug 7, 2025, 7:26 PM
Updated: Aug 7, 2025, 10:06 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.