Nullsoft Scriptable Install System
cpe:2.3:a:nullsoft:nullsoft_install_system:*:*:*:*:*:*:*
- < 3.12
A privilege escalation vulnerability has been identified in NSIS (Nullsoft Scriptable Install System) versions from 3.06.1 up to, but not including, 3.12. The issue arises when NSIS is executed with SYSTEM privileges, because it sometimes uses the Low Integrity Level (Low IL) temporary directory. Local attackers who can manipulate the temporary file generation process can exploit this behavior to gain elevated privileges.
Exploitation of this vulnerability allows local attackers to escalate privileges, potentially leading to unauthorized actions or access within the system.
To reproduce this vulnerability, run an NSIS installer as the SYSTEM user. The installer will inadvertently use the Low Integrity temporary directory, which can be exploited by causing the 'my_GetTempFileName' function to return a value of 0. This can be achieved by exploiting the way temporary file names are generated, particularly when the 'uUnique' parameter is set to 0, in which case the unique file name is based on the current system time.
Users can update to NSIS version 3.12 or later, where this vulnerability has been addressed.