{"vuid":"VU#287122","idnumber":"287122","name":"Parsec Remote Desktop App is prone to a local elevation of privilege due to a logical flaw in its code integrity verification process","keywords":null,"overview":"### Overview\r\nParsec updater for Windows was prone to a local privilege escalation vulnerability that allowed a local user with Parsec access to gain NT_AUTHORITY/SYSTEM privileges.\r\n\r\n### Description\r\nThe vulnerability is a time-of-check time-of-use (TOCTOU) vulnerability. There existed a small window between verifying the signature and integrity of the update DLL and the execution of DLL main. \r\n\r\nBy exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user as described in CVE-2023-37250.\r\n\r\n**CVE-2023-37250**\r\nThe application launches DLLs from a User owned directory. Since the user owns both the DLL file and the directory, it is possible to (successfully) attempt tricking Parsec into loading an unsigned/arbitrary DLL file and execute its DllMain() method with SYSTEM privileges, creating a Local Privilege Escalation vulnerability.\r\n\r\n### Impact\r\nBy exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user.\r\n\r\n### Solution\r\nThe vulnerability applies to a \"Per User\" installation as opposed to a \"Shared User\". There is an update that has been made available. To force an update, you can either completely quit and re-open the application several times until the loader is updated (confirm this in the logs), or download a special installer that only updates the files inside of the program files, available from https://builds.parsec.app/package/parsec-update-executables.exe.\r\n\r\n### Acknowledgements\r\nThanks to the reporter, Julian Horoszkiewicz. This document was written by Timur Snoke.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://atos.net/en/lp/securitydive/roaming-and-racing-to-get-system-cve-2023-37250","https://support.parsec.app/hc/en-us/articles/18311425588237-CVE-2023-37250"],"cveids":["CVE-2023-37250"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2023-08-16T16:18:56.804888Z","publicdate":"2023-08-16T16:18:56.594233Z","datefirstpublished":"2023-08-16T16:18:56.828124Z","dateupdated":"2023-08-16T16:18:56.594223Z","revision":1,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":87}