Date: June 2024
Summary
A new vulnerability, CVE-2023-30585, has been discovered in the Node.js .msi Windows installer. This bug specifically impacts users who perform a repair operation on Node.js using the standard MSI (.msi) package. The flaw allows any regular user on the computer to trick the system into creating folders in unexpected—and potentially unwelcome—locations by abusing an environment variable.
Let’s walk through what this bug is, how it works, relevant code examples, and defenses, all in simple terms.
What’s the Issue?
Whenever you "repair" a Node.js installation via the Windows installer, the process that does the work (msiexec.exe) runs as a *superuser* (technically, the SYSTEM user). One of the things it does during repair is read the %USERPROFILE% environment variable—normally a reference to paths like C:\Users\username.
Here’s the catch:
Regular users can go into the Windows registry and *modify* their own %USERPROFILE% value to point… anywhere. If the folder they point to doesn’t exist, the repair process will actually create it as the SYSTEM user.
This means a crafty, non-admin user or malicious program could have SYSTEM blindly create folders in critical or protected locations!
Why This is Dangerous
- Arbitrary Folder Creation: An unprivileged user could create folders wherever SYSTEM has write access (in practice, this is a lot of places).
- Worm or Trojan Activity: Malware could use this to prepare hidden folders in weird places, or mess with sensitive directories.
- Component Abuse: Later exploitation might go further, depending on what the folder structure is used for by other processes.
Step-by-step
1. User or Malware Edits the Registry
Change the value of %USERPROFILE% to an unusual or risky place, such as C:\Windows\System32\testfolder.
2. Initiate Node.js Installer Repair
Launch the repair action via Node.js's .msi installer.
3. SYSTEM Reads the Malicious Path
When msiexec.exe reads %USERPROFILE%, it finds C:\Windows\System32\testfolder.
4. SYSTEM Creates the Folder
Since the folder doesn’t exist, SYSTEM creates it.
5. Further Abuse Possible
Attacker now has a SYSTEM-created folder in a sensitive location, which could be a foothold for further shenanigans.
The %USERPROFILE% variable is stored at
HKEY_CURRENT_USER\Volatile Environment
PowerShell Example
# Change USERPROFILE to a dangerous location
Set-ItemProperty -Path "HKCU:\Volatile Environment" -Name "USERPROFILE" -Value "C:\Windows\System32\testfolder"
After running the above as a regular user, trigger a Repair operation in Node.js MSI, and watch as C:\Windows\System32\testfolder is created—even though only SYSTEM can normally create things there.
Restrict Repair Operations: Only trusted users should perform installer repairs.
3. Clear/Validate Environment Variables: After suspicious activity, review the registry for weird %USERPROFILE% values.
4. Patch When Available: Check Node.js security advisories and update as soon as a fix is shipped.
Original References
- Node.js Security Release: April 2024
- CVE-2023-30585 Entry (Mitre/NVD)
- Node.js Advisory *(actual link may vary)*
Final Thoughts
CVE-2023-30585 is a textbook example of how environment variables and installer "helper" accounts in Windows can be abused. Even though SYSTEM is supposed to have full control, crafty users can trick it into setting up folders in dangerous places just by tampering with one registry key. Always pay attention when a privileged process uses or trusts settings from a regular user—and avoid repair operations unless you know what’s been configured.
If you run Node.js on Windows, check your version, apply patches, and keep an eye on your environment variables!
*Stay safe—keep your installs patched, and your user variables clean!*
Timeline
Published on: 11/28/2023 02:15:42 UTC
Last modified on: 12/02/2023 04:39:59 UTC