Balena Etcher Privilege Escalation Vulnerability via TOCTOU Race Condition
Vulnerability
A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability has been identified in Balena Etcher for Windows in versions prior to 2.1.4. It allows an attacker to escalate privileges and execute arbitrary code by replacing a legitimate script with a crafted payload during the flashing process. The issue arises because Etcher creates a temporary .cmd file in a user-writable directory and then executes it with elevated privileges via User Account Control (UAC). Because the application performs no integrity validation of the file between writing it and executing it, any application or process running in the current user's context can inject commands into the script before the elevated execution takes place.
Impact
Exploitation of this vulnerability allows unauthorized privilege escalation: the injected commands run at high integrity level, potentially leading to arbitrary code execution with elevated rights.
Reproduction
To reproduce this vulnerability, first run a Python script that monitors the Balena Etcher temporary directory for newly created .cmd files. Once a .cmd file is detected, the script replaces it with a version that includes a payload, such as commands to create a new local administrator account. After the .cmd file has been replaced, accepting the UAC prompt lets Etcher execute the modified script with elevated privileges, thereby running the injected commands.
Remediation
Users are advised to update Balena Etcher for Windows to version 2.1.4 or later, where this vulnerability has been fixed.