!chrome-windows-installer-exploit
Summary:
CVE-2023-2939 uncovers how a minor validation mistake in Google Chrome's Windows installer, before version 114..5735.90, could give a local attacker admin-level access. The trick? A crafty use of Windows' symbolic links (symlinks) that let attackers execute actions with high privileges during install or update. We'll break it down in simple steps, show code snippets, and explain how a real-world exploit could work — so you can understand this flaw even if you’re not a pro.
Severity: Medium (local privilege escalation)
- Vector: Crafted symbolic links during install/update
Impact: Local attacker can gain elevated privileges
In simple terms: when Chrome updates or installs, its installer runs things with high privileges, like SYSTEM. If the installer doesn't carefully check paths and files it interacts with, tricky users can exploit this to run malicious commands as SYSTEM.
Understanding the Bug
The bug boils down to insufficient validation of file paths during the installer’s cleanup or file replacement steps. On Windows, with NTFS, you can create symlinks (or more commonly, directory junctions) that point a path to somewhere else. If a privileged process trusts a symlinked path, an attacker can redirect it to sensitive locations and make the installer overwrite or delete files as SYSTEM.
Here's what the Google Chromium Security Advisories and CVE report say:
> _“Insufficient data validation in Installer in Google Chrome on Windows prior to 114..5735.90 allowed a local attacker to perform privilege escalation via a crafted symbolic link.”_
Further technical details: https://bugs.chromium.org/p/chromium/issues/detail?id=1444695 *(May require login)*
During update, Chrome’s installer runs a cleanup or file replacement, trusting the path.
6. Installer overwrites/deletes file at the real system location as SYSTEM.
Result: Attacker replaces, erases, or plants files in protected system folders, which can then be used for privilege escalation.
Proof of Concept: Exploiting CVE-2023-2939
Below is a simplified PoC for educational purposes only. DO NOT use this on systems you do not own.
:: run as low-privileged user
:: 1. Find out where Chrome's installer operates, e.g. C:\Users\[user]\AppData\Local\Google\Chrome\User Data\Temp
cd %TEMP%
:: 2. Suppose Chrome expects to clean up a folder named "TempCleanup"
md TempCleanup
:: 3. Remove "TempCleanup", create a symlink/junction with the same name pointing to a sensitive spot
rd TempCleanup
mklink /J TempCleanup C:\Windows\System32\
:: 4. Wait for Chrome update -- installer will try to clean up "TempCleanup", actually affecting C:\Windows\System32
*With luck and correct targetting, the Chrome installer’s high-privilege file operations will now hit the system folder via the junction!*
Note: This is a simplified scenario. Real exploits may use more precise timing, automation (PowerShell), and target specific files for maximum impact.
Links to Original References
- Chrome Stable Update for Desktop - June 2023
- Chromium Bug Report (ID 1444695) (*May be restricted*)
- CVE-2023-2939 at NIST NVD
- How Symbolic Links Work on Windows
How Google Fixed It
In Chrome 114..5735.90 and later, Chrome’s installer verifies all file paths before operation. Specifically, it checks:
Antimalware can’t always block abuse if the update installer seems “legit.”
Lesson for users and IT:
Keep Chrome up to date, and be wary of any local exposure, even if an exploit seems “local only.” For IT admins: restrict who can log in locally and monitor software update activities!
If you’re reading this and haven’t updated Chrome: go do it now.
*This breakdown is exclusive to you: feel free to share with your IT friends or use it as a case study in security awareness sessions. Questions? Ask in the comments!*
Timeline
Published on: 05/30/2023 22:15:00 UTC
Last modified on: 06/02/2023 14:59:00 UTC