Deskflow IPC Named Pipe Vulnerability Allowing Local Privilege Escalation

A local privilege escalation vulnerability has been identified in Deskflow versions through 1.20.0 and in the Continuous v1.26.0.134 prerelease. The Deskflow daemon runs as the SYSTEM user and exposes an inter-process communication (IPC) named pipe with WorldAccessOption enabled. This configuration allows any local unprivileged user to connect to the pipe and execute arbitrary commands as the SYSTEM user, without authentication or authorization. The vulnerability arises because the daemon processes privileged commands from the named pipe, leveraging the SYSTEM token to execute commands with elevated privileges.

Impact

Exploitation of this vulnerability allows a local unprivileged user to execute arbitrary commands as the SYSTEM user, potentially leading to full system compromise.

Reproduction

The vulnerability can be reproduced by connecting to the 'deskflow-daemon' named pipe using a named pipe client stream. Once connected, commands can be sent to the daemon without authentication. The 'elevate' command can be used to execute commands with SYSTEM privileges. For example, sending a command to launch 'calc.exe' or to write the output of 'whoami' to a file on the C: drive will execute those commands as the SYSTEM user.