Wondershare Filmora Uncontrolled Search Path Vulnerability in Installer Component Allows Privilege Escalation

Vulnerability

A critical vulnerability exists in Wondershare Filmora version 14.5.16, specifically within the installer component. The issue is an uncontrolled search path in the 'NFWCHK.exe' executable, which improperly loads the 'CRYPTBASE.dll' library from the current working directory. This flaw allows local attackers with standard user privileges to execute arbitrary code with administrative rights. Exploitation is complicated. The vulnerability has been publicly disclosed, and a proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability leads to local privilege escalation, allowing a standard user to gain administrative rights on the system.

Reproduction

To reproduce this vulnerability, a local user must first create the directory 'C:\Users\Public\Documents\Wondershare\' and place a malicious 'CRYPTBASE.dll' file into it. This DLL should be crafted to execute a payload, such as a reverse shell, when loaded. Once the malicious DLL is in place, an administrator can run the Filmora installer, which will trigger the 'NFWCHK.exe' executable to load the malicious DLL, resulting in code execution with elevated privileges.
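
Detection sketch for the load described above, as an added example that is not part of the original advisory or any vendor tooling: it flags image-load records (Sysmon Event ID 7 field names Image, ImageLoaded, Signed) in which 'CRYPTBASE.dll' is loaded from outside the Windows system directories. The sample records are constructed, and the location of 'NFWCHK.exe' and the other paths in them are assumptions.

```python
import ntpath

# Directories CRYPTBASE.dll is normally loaded from (default %SystemRoot% assumed).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WATCHED_DLLS = {"cryptbase.dll"}    # DLL named in the advisory
WATCHED_LOADERS = {"nfwchk.exe"}    # executable named in the advisory

def _norm(path):
    """Lower-case a Windows path and collapse '..' and mixed separators."""
    return ntpath.normcase(ntpath.normpath(path))

def classify(event):
    """Return a finding for a watched DLL loaded from outside the system dirs."""
    loaded = _norm(event["ImageLoaded"])
    if ntpath.basename(loaded) not in WATCHED_DLLS:
        return None
    if ntpath.dirname(loaded) in TRUSTED_DIRS:
        return None
    loader = ntpath.basename(_norm(event["Image"]))
    return {
        "loader": event["Image"],
        "dll": event["ImageLoaded"],
        "signed": event.get("Signed") == "true",
        "severity": "high" if loader in WATCHED_LOADERS else "medium",
    }

def scan(events):
    """Classify every event and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]

# Constructed sample records (not captured from a real host); every path
# except the Wondershare directory and the two file names is hypothetical.
WS = r"C:\Users\Public\Documents\Wondershare"
SAMPLE_EVENTS = [
    {"Image": WS + r"\NFWCHK.exe", "ImageLoaded": WS + r"\CRYPTBASE.dll", "Signed": "false"},
    {"Image": WS + r"\NFWCHK.exe", "ImageLoaded": r"C:\Windows\System32\cryptbase.dll", "Signed": "true"},
    {"Image": r"C:\Tools\other.exe", "ImageLoaded": r"C:\Windows\System32\..\Temp\cryptbase.dll", "Signed": "false"},
    {"Image": r"C:\Tools\other.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["loader"], "->", finding["dll"])
```

The third record shows why paths are normalised before the directory comparison: a '..' segment would otherwise make a load from outside System32 look trusted.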

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.