Site icon API Security Blog

Parsec Remote Desktop App is prone to a local elevation of privilege due to a logical flaw in its code integrity verification process

### Overview

Parsec updater for Windows was prone to a local privilege escalation vulnerability, this vulnerability allowed a local user with Parsec access to gain NT_AUTHORITY/SYSTEM privileges.

### Description

The vulnerability is a time-of-check time–of-use (TOCTOU) vulnerability. There existed a small window between verifying the signature and integrity of the update DLL and the execution of DLL main.

By exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user as described in CVE-2023-37250.

**CVE-2023-37250** The application launches DLLs from a User owned directory. Since the user owns both the DLL file and the directory, it is possible to (successfully) attempt tricking Parsec into loading an unsigned/arbitrary DLL file and execute its DllMain() method with SYSTEM privileges, creating a Local Privilege Escalation vulnerability.

### Impact

By exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user.

### Solution

The vulnerability applies to a “Per User” installation as opposed to a “Shared User”. There is an update that has been made available. To force an update, you can either completely quit, and re-open the application several times until the loader is updated (by confirming in the logs). Or you can download a special installer that only updates the files inside of the program files that can be downloaded from https://builds.parsec.app/package/parsec-update-executables.exe.

### Acknowledgements

Thanks to the reporter, Julian Horoszkiewicz.This document was written by Timur Snoke.

### Vendor Information

287122

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

### Parsec Affected

Notified: 2023-05-23 Updated: 2023-08-16

**Statement Date: June 15, 2023**

**CVE-2023-37250**| Affected
—|—

#### Vendor Statement

We have not received a statement from the vendor.

### References

*
*

### Other Information

**CVE IDs:** | [CVE-2023-37250 ]()
—|—
**API URL: ** | VINCE JSON | CSAF
**Date Public:** | 2023-08-16
**Date First Published:** | 2023-08-16
**Date Last Updated: ** | 2023-08-16 16:18 UTC
**Document Revision: ** | 1Read More

Exit mobile version