Skip to content

Privilege escalation and unauthenticated system access via clipboard error dialog

High
seanbudd published GHSA-h7pp-6jqw-g3pj Jan 29, 2024

Package

No package listed

Affected versions

< 2023.3.2

Patched versions

2023.3.2

Description

Summary

Type of issue: Privilege escalation. Bypass login, system access to run/install files
Impact of the issue: Arbitrary code execution, unauthorised access.

By pressing NVDA+control+v and control+v in the UAC window, it is possible to access a series of windows dialogs that eventually allow arbitrary execution of code, including installing software, bypassing UAC.

Patch commit(s)

Note: this fix, included in 2023.3.2, is only tested on Windows 8.1, Windows 10 and Windows 11. 2023.3 is the last NVDA version to work with Windows 7, and is considered insecure.

64e6413

Limitations

NVDA must be allowed to run on secure screens.

Technical details

An OpenClipboard error dialog is raised from Windows natively when attempting to paste on the secure screen.
NVDA settings allows access to a text edit field from the secure screen.
Access to a text edit field causes the clipboard event to be handled with an error dialog instead of failing silently.
This error dialog allows system access.

Proof of concept

  1. NVDA 2023.3 Installed with "enable on sign-in screen" enabled
  2. On the sign on screen or at a UAC prompt:
  3. Use NVDA+control+v to open the voice settings dialog
  4. Press control+v
    • Result: able to bring up an NVDA error window with a save file prompt.
    • Expected: not allowed to save file.
  5. Click Save
  6. In File Name: Type *.*
  7. Browse Local Disk
    • Result: able to browse around all folders/files
    • Result: Able to run .exe and install files

Indicators of compromise

Unknown

Workarounds

Disable running NVDA on secure screens.

Timeline

  • NV Access notified: 2024/1/6
  • NV Access reproduced: 2024/1/9
  • Security advisory raised: 2024/1/9
  • Patch passes internal testing: 2024/1/11
  • Incomplete Fix 1 released in 2023.3.1: 2024/1/15
  • Issues with Fix 1 discovered: 2024/1/15
  • Final Fix 2 released in 2023.3.2: 2024/1/22
    • Note: this fix is only tested on Windows 8.1, Windows 10 and Windows 11. 2023.3 is the last NVDA version to work with Windows 7, and is considered insecure.

For more information

If you have any questions or comments about this advisory:

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE ID

No known CVE

Weaknesses

No CWEs

Credits