[Loki]

CVE-2024-34329

Datacard XPS Card Printer Driver Version: <= 8.4

The application is prone to LPE due to insecure file/folder permissions on its default installation, by which it grants the rights for everyone for full control over the path: C:\ProgramData\Datacard\XPS Card Printer\Service. Files and folders in the path "C:\ProgramData\Datacard" can be modified by unprivileged users, malicious processes and/or threat actors. 

Once an admin installs XPS Card Printer, which runs under SYSTEM context, it will invoke the DEVOBJ.dll or CFGMGR32.dll in the directory "C:\ProgramData\Datacard\XPS Card Printer\Service", where a low privileged user can already place a malicious dll upfront and which will not be checked and deleted by the installation. These dlls do not exist and therefore will give NOT FOUND by the application installer. If an attacker can place a dll named DEVOBJ.dll or CFGMGR32.dll within this directory, the setup will inadvertently execute these malicious dll when the service is trying to connect to the card printer, running them with SYSTEM privileges.

Exploit POC:

Hidden Content

You must register or login to view this content.

[jjw53535353]

Good Share thanks