<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Briefcase - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/briefcase/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 24 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/briefcase/feed.xml" rel="self" type="application/rss+xml"/><item><title>Briefcase MSI Installer Privilege Escalation Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-24-briefcase-privesc/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-24-briefcase-privesc/</guid><description>Briefcase versions 0.3.0 to 0.3.25 create an insecure directory during Windows MSI installer creation, leading to potential privilege escalation by allowing low-privilege users to modify binaries that may be executed by administrators.</description><content:encoded><![CDATA[<p>The Briefcase application, a tool used for converting Python projects into standalone executables, contains a vulnerability in versions 0.3.0 through 0.3.25. When creating Windows MSI installers for &quot;All Users&quot; (per-machine) installations, the generated installer creates a directory that inherits the permissions of its parent. This insecure permission inheritance allows a low-privilege, authenticated user to potentially modify or replace the installed application binaries. If an administrator later executes these compromised binaries, they would run with elevated privileges, leading to a privilege escalation. The vulnerability stems from the WXS file template used during the MSI creation process. Patches have been released in Briefcase versions 0.3.26, 0.4.0, and 0.4.1 which update the WXS templates used during project creation to correct the insecure directory permissions. This vulnerability was reported as beeware/briefcase#2759 and assigned CVE-2026-33430.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A developer uses Briefcase (versions 0.3.0 - 0.3.25) to create a Windows MSI installer for a Python project intended to be installed for &quot;All Users&quot; (per-machine).</li>
<li>The MSI installer is executed, creating a directory (e.g., within <code>C:\Program Files\</code>) for the application binaries. Due to the vulnerable WXS template, this directory inherits insecure permissions from its parent directory.</li>
<li>A low-privilege, authenticated user identifies the insecurely permissioned directory created by the MSI installer.</li>
<li>The attacker replaces a legitimate application binary (e.g., <code>app.exe</code>) within the directory with a malicious executable.</li>
<li>An administrator or privileged user executes the compromised application binary (<code>app.exe</code>) directly or indirectly (e.g., via a scheduled task or shortcut).</li>
<li>The malicious executable runs with the elevated privileges of the user who executed it.</li>
<li>The attacker performs malicious actions with elevated privileges, such as installing malware, creating new accounts, or modifying system configurations.</li>
<li>The attacker achieves persistent access and control over the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows a low-privilege user to gain elevated privileges on a Windows system. The insecure directory permissions created during installation allow malicious users to replace legitimate application binaries with malicious ones. This can lead to complete system compromise, data theft, or denial of service. The vulnerability affects any application built with vulnerable versions of Briefcase and installed for all users on a Windows system. If the compromised application is critical to business operations, the impact could be significant.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Briefcase to version 0.3.26, 0.4.0, or 0.4.1, or later and rebuild the affected Windows MSI installers. This will ensure that the updated WXS templates are used, correcting the insecure directory permissions (beeware/briefcase-windows-app-template#86, beeware/briefcase-windows-VisualStudio-template#85).</li>
<li>For existing Briefcase projects, apply the change from beeware/briefcase-windows-app-template#86 to the .wxs file.</li>
<li>Monitor process creation events for execution of binaries from within <code>C:\Program Files\</code> or <code>C:\Program Files (x86)\</code> that do not match expected application signatures or have been recently modified, using the provided Sigma rule.</li>
<li>Review existing installations of applications built with Briefcase versions 0.3.0 - 0.3.25 for insecure directory permissions and remediate by reinstalling the application with an updated installer or manually correcting the permissions.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>briefcase</category><category>privilege-escalation</category><category>windows</category><category>msi</category></item></channel></rss>