@ahmedsherif
Last active October 30, 2024 13:24
CVE-2024-48200 Advisory

ID: CVE-2024-48200

Description
An issue in MobaXterm v.24.2 allows a local attacker to escalate privileges and execute arbitrary code via the function of the MobaXterm MSI, which spawns an Administrative cmd (conhost.exe).


Vulnerability Type
Local Privilege Escalation (LPE)


Author
Ahmed Sherif (https://xphantom.nl)


Vendor of Product
https://www.mobatek.net/


Affected Product Code Base
MobaXterm - v24.2


Affected Component
The MSI installer of MobaXterm v24.2 (MobaXterm_installer_24.2.msi)


Attack Type
Local


Impact Code Execution
true


Impact Escalation of Privileges
true


Attack Vectors
An attacker could carry out a TOCTOU attack by locking files that the MobaXterm MSI installer attempts to modify/delete. This causes the conhost.exe privileged window to hang, allowing the attacker to exploit the situation. By enabling legacy mode, they can open a new cmd.exe instance with 'NT AUTHORITY\SYSTEM' privileges and execute commands.
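
Detection sketch for the behaviour described above, added here as an example and not part of the original advisory. It generalizes to any MSI installer rather than MobaXterm alone, and it assumes process-creation telemetry in the style of Sysmon Event ID 1 and that the new shell is logged as a descendant of the installer's conhost.exe; the events and GUID values are constructed.

```python
from ntpath import basename  # parses Windows paths on any OS

SYSTEM = "NT AUTHORITY\\SYSTEM"

# Constructed sample events (Sysmon Event ID 1 fields, reduced to those used here).
EVENTS = [
    {"ProcessGuid": "A1", "ParentProcessGuid": "A0", "User": SYSTEM,
     "TerminalSessionId": 0, "Image": r"C:\Windows\System32\msiexec.exe"},
    {"ProcessGuid": "A2", "ParentProcessGuid": "A1", "User": SYSTEM,
     "TerminalSessionId": 1, "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessGuid": "A3", "ParentProcessGuid": "A2", "User": SYSTEM,
     "TerminalSessionId": 1, "Image": r"C:\Windows\System32\conhost.exe"},
    {"ProcessGuid": "A4", "ParentProcessGuid": "A3", "User": SYSTEM,
     "TerminalSessionId": 1, "Image": r"C:\Windows\System32\cmd.exe"},
    # Ordinary user console: same images, no SYSTEM token, no installer ancestry.
    {"ProcessGuid": "B1", "ParentProcessGuid": "B0", "User": r"LAB\alice",
     "TerminalSessionId": 1, "Image": r"C:\Windows\explorer.exe"},
    {"ProcessGuid": "B2", "ParentProcessGuid": "B1", "User": r"LAB\alice",
     "TerminalSessionId": 1, "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessGuid": "B3", "ParentProcessGuid": "B2", "User": r"LAB\alice",
     "TerminalSessionId": 1, "Image": r"C:\Windows\System32\conhost.exe"},
]

def ancestors(event, by_guid):
    """Yield lower-cased image names of the event's parents, nearest first."""
    seen, guid = set(), event["ParentProcessGuid"]
    while guid in by_guid and guid not in seen:  # 'seen' guards against loops
        seen.add(guid)
        parent = by_guid[guid]
        yield basename(parent["Image"]).lower()
        guid = parent["ParentProcessGuid"]

def find_suspicious(events):
    """Return ProcessGuids of SYSTEM processes in an interactive session that
    descend from a conhost.exe which itself descends from msiexec.exe."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if e["User"].upper() != SYSTEM or e["TerminalSessionId"] == 0:
            continue
        chain = list(ancestors(e, by_guid))
        # conhost.exe normally has no children, so any descendant is notable.
        if "conhost.exe" in chain and "msiexec.exe" in chain[chain.index("conhost.exe"):]:
            hits.append(e["ProcessGuid"])
    return hits

if __name__ == "__main__":
    print(find_suspicious(EVENTS))
```

The installer's own console (A2, A3) is not flagged; only the process created beneath conhost.exe (A4) is.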


References
