@Eli-Paz
Created December 4, 2019 14:39
Platform: Windows 10 version 1903
Class: Privilege Escalation
Product: CatalystProductionSuite.2019.1.exe
Version: 1.1.0.21
Product: CatalystBrowseSuite.2019.1.exe
Version: 1.1.0.21
Summary:
A low-privileged malicious user can escalate privileges whenever the CatalystProductionSuite.2019.1.exe and CatalystBrowseSuite.2019.1.exe installers run.
The vulnerability is a DLL hijacking issue.
The installers try to load DLLs that do not exist in their current directory, so a DLL of the same name planted there is loaded instead.
Both installers try to load a DLL named "NETUTILS.dll"; by planting a DLL of that name, an attacker can quickly escalate privileges.
Additional missing DLL List:
1. MSIMG32.dll
2. VERSION.dll
3. WINMM.dll
4. WININET.dll
5. WTSAPI32.dll
6. MSVFW32.dll
7. WINMMBASE.dll
8. winnlsres.dll
9. RichEd20.dll
10. USP10.dll
11. msls31.dll
12. imageres.dll
13. srpapi.dll
14. MsiMsg.dll
15. WKSCLI.dll
Steps to reproduce:
1. Use a DLL proxy for the OS DLLs.
2. Place the malicious DLL in the current directory of the installers.
3. Finally, the installers try to load DLLs from the current directory, such as NETUTILS.dll for CatalystProductionSuite.2019.1.exe and CatalystBrowseSuite.2019.1.exe, and many more DLLs that could also be hijacked.
Impact:
1. Privilege Escalation
2. DoS
Mitigation:
- Don’t load DLLs from the current directory
Eli Paz,
CyberArk Labs
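As an added, defender-side example (not part of the advisory), the following PowerShell check scans the directory an installer sits in for any of the DLL names listed above before the installer is run, and compares each hit against the System32 copy so a planted or proxied DLL stands out. $InstallerPath and $HijackableDlls are names assumed for this example.

```powershell
# Added example, not from the advisory: pre-install check for DLL planting.
# An installer that searches its own directory first would load any DLL
# of these names found next to it, so flag them before running it.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath   # e.g. C:\Users\alice\Downloads\CatalystProductionSuite.2019.1.exe
)

# DLL names taken from the advisory above.
$HijackableDlls = @(
    'NETUTILS.dll', 'MSIMG32.dll', 'VERSION.dll', 'WINMM.dll', 'WININET.dll',
    'WTSAPI32.dll', 'MSVFW32.dll', 'WINMMBASE.dll', 'winnlsres.dll', 'RichEd20.dll',
    'USP10.dll', 'msls31.dll', 'imageres.dll', 'srpapi.dll', 'MsiMsg.dll', 'WKSCLI.dll'
)

$installerDir = Split-Path -Path (Resolve-Path $InstallerPath) -Parent
$system32     = Join-Path $env:SystemRoot 'System32'
$findings     = @()

foreach ($name in $HijackableDlls) {
    $planted = Join-Path $installerDir $name
    if (-not (Test-Path -LiteralPath $planted)) { continue }

    # A copy next to the installer is already suspicious; comparing it with the
    # OS copy tells a proxied/replaced DLL apart from a stray duplicate.
    $osCopy      = Join-Path $system32 $name
    $plantedHash = (Get-FileHash -LiteralPath $planted -Algorithm SHA256).Hash
    $osHash      = if (Test-Path -LiteralPath $osCopy) {
        (Get-FileHash -LiteralPath $osCopy -Algorithm SHA256).Hash
    } else { $null }

    $sig = Get-AuthenticodeSignature -LiteralPath $planted
    $findings += [pscustomobject]@{
        Dll             = $name
        Path            = $planted
        MatchesSystem32 = ($null -ne $osHash -and $plantedHash -eq $osHash)
        Signature       = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No hijackable DLLs found next to $InstallerPath."
} else {
    Write-Warning "DLLs found in the installer's directory; do not run the installer until they are removed:"
    $findings | Format-Table -AutoSize
}
```

Running the installer only from a directory that standard users cannot write to (for example a fresh subfolder under Program Files created by an administrator) removes the planting opportunity the advisory describes, regardless of what this check reports.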

tp9222 commented May 13, 2020

Hello Mr Eli-Paz,
I tried to replicate the vulnerability on the exact same version you mentioned; I was able to spawn a shell, but it has the same privileges as the user executing the installer file.
Please let me know if I am missing any step.
