CVE-2023-3181

25.01.2024, 16:15

The C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe process creates a folder at C:\Windows\Temp~nsu.tmp and copies itself to it as Au_.exe. The C:\Windows\Temp~nsu.tmp\Au_.exe file is automatically launched as SYSTEM when the system reboots or when a standard user runs an MSI repair using Splashtop Streamers Windows Installer. Since the C:\Windows\Temp~nsu.tmp folder inherits permissions from C:\Windows\Temp and Au_.exe is susceptible to DLL hijacking, standard users can write a malicious DLL to it and elevate their privileges.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Google	CNA	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Vendor	Product	Version
splashtop	mirroring360_receiver	𝑥 < 2.4.0.1
splashtop	mirroring360_sender	𝑥 < 1.3.0.0
splashtop	splashtop	𝑥 < 3.5.6.0
splashtop	splashtop	𝑥 < 3.5.8.0
splashtop	splashtop_for_rmm	𝑥 < 3.5.8.0
splashtop	streamer	𝑥 < 3.5.6.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-379 - Creation of Temporary File in Directory with Insecure Permissions
The software creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.

References

https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0015.md