ZeroTierOne for windows local privilege escalation because of incorrect directory privilege in zerotier/zerotierone

Valid

Reported on

Apr 9th 2022


Description

When administrators install zerotierone for windows, it will install ZeroTierOneService, the ImagePath of it is C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe,however, the permission of C:\ProgramData\ZeroTier\One\ is incorrect, an attacker with low privilege can get system privilege by this vuln.

Proof of Concept

When administrators install zerotierone for windows, it will install ZeroTierOneService, the ImagePath of it is C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe.

info1

However,the permission of C:\ProgramData\ZeroTier\One\ is incorrect, all Users have write permission of C:\ProgramData\ZeroTier\One and its subdirectories.

info2

When ZeroTierOneService starts, it will try to load some dlls under C:\ProgramData\ZeroTier\One.

info3

So an attacker with low privilege can exploit it and gain a system privilege by dll hijacking because of ZeroTierOneService running as SYSTEM.

Impact

Local Privilege Escalation

We are processing your report and will contact the zerotier/zerotierone team within 24 hours. a month ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago
We have contacted a member of the zerotier/zerotierone team and are waiting to hear back a month ago
Sean OMeara
a month ago

Maintainer


Hello! We have shipped a fix for this in 1.8.8 and will be releasing a blog post about it shortly.

Sean OMeara
a month ago

Maintainer


Is there a time frame for disclosure and CVE publication?

Sean OMeara validated this vulnerability a month ago
ycdxsb has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sean OMeara confirmed that a fix has been merged on ffb444 a month ago
The fix bounty has been dropped
Sean OMeara
a month ago

Maintainer


Just wanted to drop a note saying "thank you" for the report. This is a really cool platform. Cheers!

Sean OMeara
a month ago

Maintainer


https://www.zerotier.com/2022/04/11/zerotier-for-windows-local-privilege-escalation/

Jamie Slome
24 days ago

Admin


@Sean - thanks for the work here! Happy to hear you had a positive experience on the platform. We are releasing some updates today to the platform which will give the maintainer and researcher better insight into the CVE status of the report :)

to join this conversation