https://bugs.documentfoundation.org/show_bug.cgi?id=164225
Bug ID: 164225
Summary: LibreOffice is vulnerable to LPE if it's installed to a non-default location
Product: LibreOffice
Version: 24.8.3.2 release
Hardware: All
OS: Windows (All)
Status: UNCONFIRMED
Severity: normal
Priority: medium
Component: Installation
Assignee: [email protected]
Reporter: [email protected]
Description:
LibreOffice allows the installing admin to choose a custom installation
directory, but the installer does not set the ACLs of the target to be secure.
Because the installer creates a service that runs with LocalSystem privileges
and can also be started by non-admin users, a non-admin user can simply replace
update_service.exe and then start the LibreOffice Maintenance Service to have
update_service.exe run with SYSTEM privileges.
Steps to Reproduce:
1. Install LibreOffice to C:\Programs\LibreOffice
2. As a non-admin user, replace C:\Programs\LibreOffice\program\update_service.exe with the EXE of your choice.
3. As a non-admin user, start LibreOffice Maintenance Service
Actual Results:
update_service.exe, which was replaced by a non-admin user, runs with SYSTEM
privileges
Expected Results:
A non-admin user should not be able to replace update_service.exe or plant DLLs
in that directory.
Reproducible: Always
User Profile Reset: No
Additional Info:
## Recommendations
* Do not allow the installation directory to be chosen at install time
* Manually set ACLs for the installation directory
* If the installing user manually chooses an installation directory, warn them
that this may affect the security of the system that the Ivanti software is
loaded onto.
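As an added defender-side check, not part of this bug report or of LibreOffice's own code: the following PowerShell audits every installed Windows service for the condition described above (a service binary, or the directory holding it, writable by low-privileged principals), and shows the icacls remediation for a flagged directory. `Get-WeakWriteAccess` is a name chosen here, and the remediation line assumes the report's C:\Programs\LibreOffice path; run it from an elevated session.

```powershell
# Audit added as an example (not from the report). Principals that a
# non-admin user belongs to; a grant of write-type rights to any of
# these on a service binary or its directory is flagged.
$weakPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

function Get-WeakWriteAccess {
    # Returns the Allow ACEs on $Path that give a weak principal write rights.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $weakPrincipals -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $writeMask)
    }
}

Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    if (-not $svc.PathName) { return }
    # PathName may be quoted and carry arguments; keep only the executable.
    # (An unquoted path containing spaces is itself a misconfiguration and is
    # not resolved here.)
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
           else { ($svc.PathName -split ' ')[0] }
    if (-not (Test-Path -LiteralPath $exe)) { return }
    # Check the binary and its parent directory: write on the directory is
    # enough to replace the binary or plant a DLL beside it.
    foreach ($target in @($exe, (Split-Path -Parent $exe))) {
        $weak = Get-WeakWriteAccess -Path $target
        if ($weak) {
            [pscustomobject]@{
                Service   = $svc.Name
                StartName = $svc.StartName      # e.g. LocalSystem
                Target    = $target
                Principal = ($weak.IdentityReference.Value -join ';')
                Rights    = ($weak.FileSystemRights -join ';')
            }
        }
    }
}

# Remediation for a flagged tree (assumed path from the report): replace the
# inherited ACL with what %ProgramFiles% grants by default, i.e. SYSTEM and
# Administrators full control, Users read/execute only, applied recursively.
# icacls "C:\Programs\LibreOffice" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX" /T
```

The audit reports each service whose binary or directory a standard user could modify, together with the account the service runs as; any row with StartName LocalSystem is the case this report describes.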