ZeroTierOne for Windows local privilege escalation due to incorrect directory permissions in zerotier/zerotierone
Reported on
Apr 9th 2022
Description
When an administrator installs ZeroTierOne for Windows, the installer registers ZeroTierOneService, whose ImagePath is C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe. However, the permissions on C:\ProgramData\ZeroTier\One\ are incorrect, so a low-privileged attacker can gain SYSTEM privileges through this vulnerability.
Proof of Concept
When an administrator installs ZeroTierOne for Windows, the installer registers ZeroTierOneService, whose ImagePath is C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe.
However, the permissions on C:\ProgramData\ZeroTier\One\ are incorrect: all Users have write permission on C:\ProgramData\ZeroTier\One and its subdirectories.
When ZeroTierOneService starts, it tries to load some DLLs from C:\ProgramData\ZeroTier\One.
Because ZeroTierOneService runs as SYSTEM, a low-privileged attacker can exploit this through DLL hijacking and gain SYSTEM privileges.
Impact
Local Privilege Escalation
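A defender-side check for the misconfiguration described in this report, as an added example that is not part of the original report or ZeroTier's code. It goes beyond the single ZeroTier directory and flags every Windows service whose executable directory grants a write-type right to Everyone, Authenticated Users or BUILTIN\Users; the function names, the SID list and the rights mask are assumptions made for this example.

```powershell
# Added example: list service executable directories where a low-privileged
# group holds a write-type Allow ACE (the condition this report describes).
# Assumption: these well-known SIDs stand in for "low privilege" principals.
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'  # Everyone, Authenticated Users, BUILTIN\Users

# CreateFiles (0x2), AppendData (0x4), WRITE_DAC (0x40000), WRITE_OWNER (0x80000),
# plus the raw GENERIC_ALL / GENERIC_WRITE bits that Get-Acl can return unmapped.
$writeMask = 0x2 -bor 0x4 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-ServiceExecutablePath {
    param([string]$PathName)
    # PathName is either a quoted path followed by arguments, or an unquoted path.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $null
}

function Test-LowPrivWritable {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # identity could not be translated to a SID
        if ($lowPrivSids -contains $sid -and ([int]$ace.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceExecutablePath $svc.PathName
    if (-not $exe) { return }
    $dir = Split-Path -Path $exe -Parent
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return }
    try { $hits = @(Test-LowPrivWritable $dir) } catch { return }  # ACL not readable
    foreach ($hit in $hits) {
        [pscustomobject]@{
            Service = $svc.Name; RunsAs = $svc.StartName; Directory = $dir
            Identity = $hit.Identity; Rights = $hit.Rights
        }
    }
}
```

The check reads only the directory's own ACL entries; it does not evaluate Deny entries or nested group membership, so treat each hit as a lead to confirm rather than a final verdict.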
Hello! We have shipped a fix for this in 1.8.8 and will be releasing a blog post about it shortly.
Is there a time frame for disclosure and CVE publication?
Just wanted to drop a note saying "thank you" for the report. This is a really cool platform. Cheers!
https://www.zerotier.com/2022/04/11/zerotier-for-windows-local-privilege-escalation/
@Sean - thanks for the work here! Happy to hear you had a positive experience on the platform. We are releasing some updates today to the platform which will give the maintainer and researcher better insight into the CVE status of the report :)