ActFax Version 7.10 Build 0335 (2020-05-25) is susceptible to a privilege escalation vulnerability due to insecure folder permissions on %PROGRAMFILES%\ActiveFax\Client\, %PROGRAMFILES%\ActiveFax\Install\ and %PROGRAMFILES%\ActiveFax\Terminal\. The folder permissions allow Full Control to Everyone. An authenticated local attacker can exploit this to replace the TSClientB.exe binary in the Terminal directory, which is executed on logon for every user. Alternatively, the attacker can replace any of the binaries in the Client or Install directories. The latter requires additional user interaction, for example starting the client.
| Key | Value |
|---|---|
| Product | ActFax |
| Vendor | ActFax Communication-Software GmbH (Krems an der Donau, Austria) |
| Tested Versions | 7.10 Build 0335 |
| Fixed Version | 7.15 Build 0342 |
| Vulnerability Type | Privilege Escalation caused by incorrect default permissions |
| CVSSv3.1 Severity | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| CWE Reference | CWE-276 |
| CVE Reference | CVE-2020-15843 |
Proof of Concept
Description of the steps taken in the Proof of Concept video above:
- Using an administrative account, ActFax 7.10 Build 0335 is installed.
- The administrator logs off.
- A regular user (without administrative permissions) logs on. This could be an attacker.
- The incorrect folder permissions of the Terminal folder are shown.
- The TSClientB.exe binary is replaced with a binary containing a reverse shell to an attacking Linux VM.
- The user logs off.
- A netcat listener is started in the Linux VM.
- The administrator logs in once more.
- Instead of the original TSClientB.exe the attacker’s EXE-file is launched in the background.
- The attacker receives a reverse shell connection from the victim, giving them administrative access to the system.
Remediation
ActFax version 7.15 Build 0342, released on the 14th of September 2020, sets correct permissions on the Terminal, Install, and Client folders for both new and existing installations. The corrected default permissions do not allow Everyone to modify the folders or their contents, therefore mitigating the privilege escalation vulnerability.
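To confirm on an existing installation that the three folders no longer grant write access to broad groups, the following PowerShell audit can be run. It is an added example, not part of the original advisory or of ActFax tooling. The install path under `$env:ProgramFiles`, the set of "broad" SIDs, the rights mask and the function name `Get-WeakAce` are assumptions chosen for this check.

```powershell
# Added example: audit the ActFax folders named in this advisory for
# write-capable access granted to broad, non-administrative principals.
# Assumption: default install location; adjust $base (e.g. "Program Files (x86)") if needed.
$base    = Join-Path $env:ProgramFiles 'ActiveFax'
$folders = 'Client', 'Install', 'Terminal'

# Well-known SIDs (locale-independent): Everyone, Authenticated Users, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

# Only bits that allow replacing or planting a file. Modify/FullControl are not
# used directly because they also contain read bits and would flag read-only ACEs.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs may carry raw generic rights: GENERIC_ALL, GENERIC_WRITE.
$writeBits = $writeBits -bor 0x10000000 -bor 0x40000000

function Get-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Resolve each ACE to a SID so localized group names do not matter.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadSids -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings = foreach ($name in $folders) {
    $dir = Join-Path $base $name
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-WeakAce -Path $dir
    # Binaries can carry their own explicit ACEs, so check them as well.
    Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object { Get-WeakAce -Path $_.FullName }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No write-capable ACEs for broad groups found.' }
```

Any row reported for a folder or binary on a version that should be patched means the permissions were not corrected on that host.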
Disclosure Timeline
| Date | Event |
|---|---|
| 2020-07-07 | Vulnerability discovered |
| 2020-07-17 | CVE reserved |
| 2020-07-20 | Vulnerability reported to the vendor. |
| 2020-07-20 | Vendor response, a patched version of the software will be released in September. |
| 2020-07-21 | The vendor supplied a beta version which should fix the problem for both existing and new installations. |
| 2020-07-21 | Confirmed that the vulnerability no longer exists for the "Terminal" folder in the beta version. However, previously overlooked folders with the same issue were found. |
| 2020-07-22 | Informed the vendor of the previously overlooked folders. |
| 2020-07-28 | The vendor confirms that they discovered the same issue with the other folders during internal testing. A beta version mitigating the problem for every folder is made available. |
| 2020-09-03 | The vendor notified me of the planned release date (2020-09-14). |
| 2020-09-14 | The vendor released the patched version (7.15 Build 0342). |
| 2020-09-21 | Advisory published. |
I would like to thank the ActFax team for their quick and professional communication through the entire timeline.
