Rufus
cpe:2.3:a:rufus_project:rufus:*:*:*:*:*:*:*
- <= 4.11
A race condition vulnerability has been identified in Rufus, a utility for creating bootable USB drives. This vulnerability exists in all versions through 4.11, specifically in the handling of Fido PowerShell scripts. Rufus operates with elevated privileges and writes scripts to the temporary directory, which is accessible to standard users. The lack of file locking allows a local attacker to replace a legitimate script with a malicious one before it is executed, leading to arbitrary code execution with Administrator rights.
Exploitation of this vulnerability allows a low-privileged user to escalate privileges to Administrator level by executing arbitrary commands within the context of an elevated Rufus process.
To reproduce this vulnerability, a standard user must run a script that monitors the temporary directory for the creation of PowerShell script files. Once a file is detected, it can be overwritten with a malicious payload. Meanwhile, Rufus should be launched as an Administrator and the Fido script download process initiated. The timing of these actions is crucial for successful exploitation.
Users can upgrade to Rufus version 4.12 or later to address this vulnerability.
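The affected range stated above (all versions through 4.11, fixed in 4.12) can be checked on a workstation with the PowerShell below, an added example that is not code from the Rufus project or from this advisory. It assumes copies keep a `rufus*.exe` file name and carry a Windows version resource; the search roots and function names are illustrative.

```powershell
# Added example (not Rufus project code): list Rufus executables and flag
# those in the advisory's affected range (<= 4.11; first fixed release 4.12).
$FirstFixed = [version]'4.12'

function Test-RufusAffected {
    # Compares major.minor numerically, so 4.9 sorts below 4.12
    # (a plain string comparison would get that wrong).
    param(
        [Parameter(Mandatory)][int]$Major,
        [Parameter(Mandatory)][int]$Minor
    )
    return ([version]::new($Major, $Minor) -lt $FirstFixed)
}

function Get-RufusInventory {
    param(
        # Assumed locations. Rufus ships as a portable executable, so point
        # this at wherever users keep downloaded tools.
        [string[]]$SearchRoot = @(
            "$env:USERPROFILE\Downloads",
            "$env:USERPROFILE\Desktop"
        )
    )
    $roots = $SearchRoot | Where-Object { Test-Path -LiteralPath $_ }
    if (-not $roots) { return }

    # Assumption: copies were not renamed away from rufus*.exe.
    Get-ChildItem -LiteralPath $roots -Filter 'rufus*.exe' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            if (-not $vi.FileVersion) {
                # No version resource: cannot classify, review by hand.
                $status = 'Unknown'
            }
            elseif (Test-RufusAffected -Major $vi.FileMajorPart -Minor $vi.FileMinorPart) {
                $status = 'Affected'
            }
            else {
                $status = 'Fixed'
            }
            [pscustomobject]@{
                Path    = $_.FullName
                Version = $vi.FileVersion
                Status  = $status
            }
        }
}

Get-RufusInventory | Sort-Object Status, Path | Format-Table -AutoSize
```

Entries reported as `Unknown` have no readable version resource and need manual review before they are treated as fixed.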