{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/briefcase/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Briefcase"],"_cs_severities":["high"],"_cs_tags":["briefcase","privilege-escalation","windows","msi"],"_cs_type":"advisory","_cs_vendors":["BeeWare"],"content_html":"\u003cp\u003eThe Briefcase application, a tool used for converting Python projects into standalone executables, contains a vulnerability in versions 0.3.0 through 0.3.25. When creating Windows MSI installers for \u0026quot;All Users\u0026quot; (per-machine) installations, the generated installer creates a directory that inherits the permissions of its parent. This insecure permission inheritance allows a low-privilege, authenticated user to potentially modify or replace the installed application binaries. If an administrator later executes these compromised binaries, they would run with elevated privileges, leading to a privilege escalation. The vulnerability stems from the WXS file template used during the MSI creation process. Patches have been released in Briefcase versions 0.3.26, 0.4.0, and 0.4.1 which update the WXS templates used during project creation to correct the insecure directory permissions. This vulnerability was reported as beeware/briefcase#2759 and assigned CVE-2026-33430.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer uses Briefcase (versions 0.3.0 - 0.3.25) to create a Windows MSI installer for a Python project intended to be installed for \u0026quot;All Users\u0026quot; (per-machine).\u003c/li\u003e\n\u003cli\u003eThe MSI installer is executed, creating a directory (e.g., within \u003ccode\u003eC:\\Program Files\\\u003c/code\u003e) for the application binaries. Due to the vulnerable WXS template, this directory inherits insecure permissions from its parent directory.\u003c/li\u003e\n\u003cli\u003eA low-privilege, authenticated user identifies the insecurely permissioned directory created by the MSI installer.\u003c/li\u003e\n\u003cli\u003eThe attacker replaces a legitimate application binary (e.g., \u003ccode\u003eapp.exe\u003c/code\u003e) within the directory with a malicious executable.\u003c/li\u003e\n\u003cli\u003eAn administrator or privileged user executes the compromised application binary (\u003ccode\u003eapp.exe\u003c/code\u003e) directly or indirectly (e.g., via a scheduled task or shortcut).\u003c/li\u003e\n\u003cli\u003eThe malicious executable runs with the elevated privileges of the user who executed it.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions with elevated privileges, such as installing malware, creating new accounts, or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistent access and control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a low-privilege user to gain elevated privileges on a Windows system. The insecure directory permissions created during installation allow malicious users to replace legitimate application binaries with malicious ones. This can lead to complete system compromise, data theft, or denial of service. The vulnerability affects any application built with vulnerable versions of Briefcase and installed for all users on a Windows system. If the compromised application is critical to business operations, the impact could be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Briefcase to version 0.3.26, 0.4.0, or 0.4.1, or later and rebuild the affected Windows MSI installers. This will ensure that the updated WXS templates are used, correcting the insecure directory permissions (beeware/briefcase-windows-app-template#86, beeware/briefcase-windows-VisualStudio-template#85).\u003c/li\u003e\n\u003cli\u003eFor existing Briefcase projects, apply the change from beeware/briefcase-windows-app-template#86 to the .wxs file.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for execution of binaries from within \u003ccode\u003eC:\\Program Files\\\u003c/code\u003e or \u003ccode\u003eC:\\Program Files (x86)\\\u003c/code\u003e that do not match expected application signatures or have been recently modified, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview existing installations of applications built with Briefcase versions 0.3.0 - 0.3.25 for insecure directory permissions and remediate by reinstalling the application with an updated installer or manually correcting the permissions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-24-briefcase-privesc/","summary":"Briefcase versions 0.3.0 to 0.3.25 create an insecure directory during Windows MSI installer creation, leading to potential privilege escalation by allowing low-privilege users to modify binaries that may be executed by administrators.","title":"Briefcase MSI Installer Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-24-briefcase-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed - Briefcase","version":"https://jsonfeed.org/version/1.1"}