Filosoft Comerc.32 Arbitrary Code Execution Vulnerability

Vulnerability

A vulnerability in Filosoft Comerc.32 Commercial Invoicing version 16.0.0.3 allows a local attacker to execute arbitrary code. During installation, a file the installer stages in a temporary directory can be replaced with a backdoor; the uninstaller later executes that file when the program is removed via the Control Panel.

Impact

Exploitation of this vulnerability grants the attacker elevated privileges by partially bypassing User Account Control (UAC), allowing for unauthorized actions on the affected system. In environments with multiple administrators, this could lead to further compromise by impersonating a user with higher privileges.

Reproduction

To reproduce this vulnerability, initiate the installation of Filosoft Comerc.32 version 16.0.0.3. While the installer is running, replace the 'setup.exe' file in the temporary folder with a backdoor, ensuring the filename remains unchanged. Once the installation is complete, the backdoor can be executed during the uninstallation process, taking advantage of the UAC prompt to gain higher privileges.

Remediation

Users are advised to limit write permissions on the temporary 'setup.exe' file so that only NT AUTHORITY\SYSTEM and BUILTIN\Administrators have access. Additionally, the integrity of 'setup.exe' should be validated before it is moved to its final destination, and the file should be written directly to the intended folder rather than staged in a temporary directory.
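The following PowerShell script is an added example, not Filosoft's code, showing the two controls the remediation names: restricting the staged file's DACL to SYSTEM and Administrators, then verifying its SHA-256 (and, if the vendor signs its installer, its Authenticode signature) before the file is moved into the protected install tree. The install path, the expected hash and the vendor's signing practice are assumptions; obtain the real hash from the vendor. It is written as a compensating wrapper an administrator runs elevated; the durable fix remains for the installer itself to write directly to the intended folder.

```powershell
# Added example (not Filosoft's code): harden and verify a staged installer file.
# Placeholders: $FinalPath is an assumed install folder, $ExpectedSha256 must come from the vendor.
param(
    [string]$StagedPath     = (Join-Path $env:TEMP 'setup.exe'),
    [string]$FinalPath      = 'C:\Program Files\Filosoft\Comerc32\setup.exe',  # assumed, not documented on the page
    [string]$ExpectedSha256 = '<SHA256 OF THE VENDOR-SUPPLIED setup.exe>',    # placeholder
    [switch]$RequireSignature                                                 # set if the vendor signs setup.exe (assumed)
)

function Protect-StagedInstaller {
    param([Parameter(Mandatory)][string]$Path)

    $system = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)            # NT AUTHORITY\SYSTEM
    $admins = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)  # BUILTIN\Administrators

    # Build a fresh DACL rather than editing the one inherited from %TEMP%,
    # which grants the interactive user Full Control over everything created there.
    $sec = New-Object System.Security.AccessControl.FileSecurity
    $sec.SetAccessRuleProtection($true, $false)   # stop inheritance and discard inherited ACEs
    foreach ($sid in @($system, $admins)) {
        $sec.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, 'FullControl', 'Allow')))
    }
    # The file's owner keeps WRITE_DAC implicitly, so whoever created the file in
    # %TEMP% could re-grant themselves access; move ownership to Administrators too.
    $sec.SetOwner($admins)
    Set-Acl -Path $Path -AclObject $sec
}

function Test-InstallerIntegrity {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [switch]$RequireSignature
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {            # -ne is case-insensitive, so hex case does not matter
        Write-Warning "Hash mismatch for $Path (got $actual)"
        return $false
    }
    if ($RequireSignature) {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid') {
            Write-Warning "Authenticode status for $Path is $($sig.Status)"
            return $false
        }
    }
    return $true
}

function Install-VerifiedFile {
    param(
        [Parameter(Mandatory)][string]$StagedPath,
        [Parameter(Mandatory)][string]$FinalPath,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [switch]$RequireSignature
    )
    # Close the write window first, then check: verifying before hardening would
    # leave a gap between the hash check and the move in which the file could change.
    Protect-StagedInstaller -Path $StagedPath
    if (-not (Test-InstallerIntegrity -Path $StagedPath -ExpectedSha256 $ExpectedSha256 -RequireSignature:$RequireSignature)) {
        Remove-Item -Path $StagedPath -Force
        throw "Refusing to install unverified file: $StagedPath"
    }
    $destDir = Split-Path -Parent $FinalPath
    if (-not (Test-Path $destDir)) { New-Item -ItemType Directory -Path $destDir | Out-Null }
    # Move the verified file into the protected Program Files tree; the uninstaller
    # should reference this copy, never one left behind in %TEMP%.
    Move-Item -Path $StagedPath -Destination $FinalPath -Force
}

Install-VerifiedFile -StagedPath $StagedPath -FinalPath $FinalPath -ExpectedSha256 $ExpectedSha256 -RequireSignature:$RequireSignature
```

Run it from an elevated prompt after the installer has staged the file and before any uninstall entry points at it. The ordering matters: hardening the DACL before hashing removes the window between the check and the move, and changing the owner matters because a file created by the interactive user stays re-writable by that user through WRITE_DAC even after its explicit ACEs are removed.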

Added: Feb 12, 2026, 6:23 PM
Updated: Feb 12, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.0
remediation: 0.0
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.