A critical vulnerability, tracked as CVE-2023-30585, has been identified in the Node.js .msi installation process, affecting Windows users who install Node.js with the .msi installer. It surfaces during the installer's repair operation and makes it possible for malicious entities to create arbitrary folders in unintended and potentially harmful locations.

Exploit Details

The vulnerability is triggered during the repair operation, where the "msiexec.exe" process, running under the NT AUTHORITY\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user's registry.

The issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In that case the "msiexec.exe" process attempts to create the specified path in an unsafe manner, potentially leading to the creation of arbitrary folders in arbitrary locations.

The severity of this vulnerability is heightened by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by standard (or "non-privileged") users. Consequently, unprivileged actors, including malicious entities or trojans, can manipulate the environment variable key to deceive the privileged "msiexec.exe" process. This manipulation can result in the creation of folders in unintended and potentially malicious locations.

Affected Systems

This vulnerability specifically affects Windows users who install Node.js using the .msi installer. Users who opt for other installation methods are not affected by this particular issue.

For illustration purposes, here is a simplified pseudocode snippet of the vulnerable repair step (the original branches were inverted relative to the description above; the unsafe creation happens when the path does not exist):

reg_entry = ReadRegistry(%USERPROFILE%)   // read from the current user's hive by msiexec.exe running as SYSTEM;
                                          // an unprivileged user can change this value beforehand
if PathExists(reg_entry) == false {
    CreateFolderInsecurely(reg_entry)     // This is the unsafe operation: a privileged process creates whatever path the user supplied
} else {
    // path already exists, nothing is created
}
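The same repair step modeled in Python, as an added example that is not code from the advisory or from the Node.js installer: the vulnerable variant creates whatever path the user-controlled value names, while the hardened variant treats the registry value as untrusted input, accepts only a direct child of an assumed profiles root (C:\Users here), and never creates a missing folder from a privileged context. The in-memory FakeFs and the sample paths are constructed so the example runs offline.

```python
from pathlib import PureWindowsPath


class UntrustedProfilePath(ValueError):
    """Raised when a privileged step must not act on a user-controlled path."""


class FakeFs:
    """Constructed in-memory stand-in for the filesystem so the example runs offline."""

    def __init__(self, existing):
        self.dirs = {str(PureWindowsPath(d)).lower() for d in existing}

    def exists(self, path):
        return str(PureWindowsPath(path)).lower() in self.dirs

    def mkdir(self, path):
        self.dirs.add(str(PureWindowsPath(path)).lower())


def repair_unsafe(fs, userprofile):
    """Behaviour the advisory describes: the repair step, running as SYSTEM, trusts the
    %USERPROFILE% value read from the user's hive and creates it wherever it points."""
    if not fs.exists(userprofile):
        fs.mkdir(userprofile)  # arbitrary folder creation in a privileged context
    return str(PureWindowsPath(userprofile))


def validate_profile_path(value, profiles_root=r"C:\Users"):
    """Treat the registry value as attacker-controlled: accept only an absolute local
    path, free of '..', that is a direct child of the expected profiles root (assumed)."""
    path = PureWindowsPath(value)
    if not path.is_absolute() or path.drive.startswith("\\\\"):
        raise UntrustedProfilePath(f"not an absolute local path: {value!r}")
    if ".." in path.parts:
        raise UntrustedProfilePath(f"parent traversal in profile path: {value!r}")
    if path.parent != PureWindowsPath(profiles_root):
        raise UntrustedProfilePath(f"profile path outside {profiles_root}: {value!r}")
    return str(path)


def repair_hardened(fs, userprofile, profiles_root=r"C:\Users"):
    """Hardened counterpart: validate first, then use the folder only if it already
    exists. A privileged process never creates a directory on the user's say-so."""
    safe = validate_profile_path(userprofile, profiles_root)
    if not fs.exists(safe):
        raise UntrustedProfilePath(f"profile folder missing, refusing to create it: {safe}")
    return safe
```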

Original References

1. Node.js official website: https://nodejs.org/
2. Node.js GitHub repository: https://github.com/nodejs/node
3. CVE details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30585

Conclusion

It is crucial for Windows users who install Node.js using the .msi installer to be aware of this vulnerability and take any necessary precautions to protect their systems. The Node.js development team has been apprised of the issue and is expected to release patches addressing the vulnerability. In the meantime, users can explore alternative installation methods, such as using package managers or downloading the .zip archive, to avoid the risk of exploitation.

Timeline

Published on: 11/28/2023 02:15:42 UTC
Last modified on: 12/02/2023 04:39:59 UTC