Description
An issue in MobaXterm v24.2 allows a local attacker to escalate privileges and execute arbitrary code via a function of the MobaXterm MSI installer that spawns an administrative cmd window (conhost.exe).
Vulnerability Type
Local Privilege Escalation (LPE)
Author
Ahmed Sherif (https://xphantom.nl)
Vendor of Product
https://www.mobatek.net/
Affected Product Code Base
MobaXterm - v24.2
Affected Component
The MSI installer of MobaXterm v24.2 (MobaXterm_installer_24.2.msi)
Attack Type
Local
Impact Code Execution
true
Impact Escalation of Privileges
true
Attack Vectors
An attacker could carry out a TOCTOU attack by locking files that the MobaXterm MSI installer attempts to modify/delete. This causes the privileged conhost.exe window to hang, allowing the attacker to exploit the situation. By enabling legacy mode, they can open a new cmd.exe instance with 'NT AUTHORITY\SYSTEM' privileges and execute commands.
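A detection-side sketch for the behaviour described above, added here as an example and not part of the original advisory: it flags command shells running as 'NT AUTHORITY\SYSTEM' in an interactive session that descend from msiexec.exe. Field names follow Sysmon Event ID 1; the events, PIDs, and the session-based heuristic are constructed assumptions.

```python
import ntpath

SHELLS = {"cmd.exe", "powershell.exe"}
SYSTEM = r"NT AUTHORITY\SYSTEM"

# Constructed process-creation events (not captured from a real host).
EVENTS = [
    {"ProcessId": 4100, "ParentProcessId": 700, "TerminalSessionId": 1,
     "User": SYSTEM, "Image": r"C:\Windows\System32\msiexec.exe"},
    {"ProcessId": 4200, "ParentProcessId": 4100, "TerminalSessionId": 1,
     "User": SYSTEM, "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4300, "ParentProcessId": 4200, "TerminalSessionId": 1,
     "User": SYSTEM, "Image": r"C:\Windows\System32\cmd.exe"},
    # Ordinary user shell: not SYSTEM, so not flagged.
    {"ProcessId": 5000, "ParentProcessId": 3000, "TerminalSessionId": 1,
     "User": r"WORKSTATION\alice", "Image": r"C:\Windows\System32\cmd.exe"},
    # SYSTEM shell under msiexec in session 0: no interactive desktop, not flagged.
    {"ProcessId": 6100, "ParentProcessId": 700, "TerminalSessionId": 0,
     "User": SYSTEM, "Image": r"C:\Windows\System32\msiexec.exe"},
    {"ProcessId": 6200, "ParentProcessId": 6100, "TerminalSessionId": 0,
     "User": SYSTEM, "Image": r"C:\Windows\System32\cmd.exe"},
]

def image_name(event):
    """Lower-cased executable name from a Windows path."""
    return ntpath.basename(event["Image"]).lower()

def has_ancestor(event, by_pid, wanted, max_depth=16):
    """Walk the parent chain; stop on unknown PIDs, loops, or depth limit."""
    seen, pid = set(), event["ParentProcessId"]
    while pid in by_pid and pid not in seen and len(seen) < max_depth:
        seen.add(pid)
        parent = by_pid[pid]
        if image_name(parent) == wanted:
            return True
        pid = parent["ParentProcessId"]
    return False

def find_interactive_system_shells(events):
    """Return PIDs of SYSTEM shells in a user session descended from msiexec.exe."""
    # PID reuse is ignored here; production logic should key on ProcessGuid.
    by_pid = {e["ProcessId"]: e for e in events}
    return [e["ProcessId"] for e in events
            if image_name(e) in SHELLS
            and e["User"].upper() == SYSTEM
            and e["TerminalSessionId"] != 0
            and has_ancestor(e, by_pid, "msiexec.exe")]

if __name__ == "__main__":
    print(find_interactive_system_shells(EVENTS))
```
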
References