#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: Chrome Updater on Windows
# Vendor: Google
# CSNC ID: CSNC-2024-002
# CVE ID: CVE-2024-7023
# Subject: COM Session Moniker EoP
# Risk: Moderate
# Effect: Elevation of Privilege
# Author: Sylvain Heiniger
# Date: 27.08.2024
#
#############################################################


Introduction
------------
The Google Updater COM service under Windows exposes COM interfaces and
does not verify the caller properly. This can be abused by a
low-privileged user to execute code in another user's session, which can
lead to Elevation of Privilege.


Affected
--------
Vulnerable:
* GoogleUpdater Version: 126.0.6462.0

Not vulnerable:
* GoogleUpdater Versions 128.0.6537.0 and higher

Not tested:
* Other products based on Omaha
* Lower versions


Technical Description
---------------------
This technique was described by James Forshaw:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1021
https://bugs.chromium.org/p/project-zero/issues/detail?id=1683

By using a session moniker
(https://learn.microsoft.com/en-us/windows/win32/termserv/using-a-session-moniker),
one can execute the LaunchCmdLine method through the IProcessLauncher
interface (with IID ABC01078-F197-4B0B-ADBC-CFE684B39C82) of the
GoogleUpdate.ProcessLauncher COM Class (with CLSID
ABC01078-F197-4B0B-ADBC-CFE684B39C82).

More details can be found on our blog [2].


Workaround / Fix
----------------
Update to the latest version of Google Chrome.
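
To check an inventory against the version boundaries listed under
"Affected", the following added example (not part of the advisory and not
Google's code) classifies GoogleUpdater version strings. The function
names, status labels and sample inventory are assumptions; versions between
the two boundaries are reported as "unconfirmed" because the advisory does
not state their status.

```python
"""Added example: triage GoogleUpdater versions for CVE-2024-7023."""
import re

# Boundaries copied from the advisory's "Affected" section.
TESTED_VULNERABLE = (126, 0, 6462, 0)
FIRST_FIXED = (128, 0, 6537, 0)

VERSION_RE = re.compile(r"\d+(\.\d+){3}")

def parse_version(text):
    """Return a four-part dotted version as a tuple of ints, else None."""
    text = text.strip()
    if not VERSION_RE.fullmatch(text):
        return None
    return tuple(int(part) for part in text.split("."))

def triage(version_text):
    """Classify one version string using only what the advisory states."""
    version = parse_version(version_text)
    if version is None:
        return "invalid"
    if version >= FIRST_FIXED:
        return "fixed"
    if version == TESTED_VULNERABLE:
        return "vulnerable"
    if version < TESTED_VULNERABLE:
        return "not-tested"   # advisory: lower versions were not tested
    return "unconfirmed"      # between the two boundaries: status not stated

def triage_inventory(rows):
    """Return {host: status} for every host not on a fixed version."""
    statuses = ((host, triage(version)) for host, version in rows)
    return {host: status for host, status in statuses if status != "fixed"}

# Constructed sample inventory; hostnames and most versions are made up.
SAMPLE = [
    ("ws-001", "126.0.6462.0"), ("ws-002", "128.0.6537.0"),
    ("ws-003", "127.0.6490.0"), ("ws-004", "125.0.6398.0"),
    ("ws-005", "130.0.6679.0 "), ("ws-006", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```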


Timeline
--------
2024-05-16: Discovery by Sylvain Heiniger
2024-05-21: Initial vendor notification
2024-05-22: Initial vendor response
2024-05-22: Release of fixed Version / Patch
2024-08-27: Coordinated public disclosure date
2024-09-24: Assigned CVE-2024-7023


References
----------
[1] https://issues.chromium.org/issues/341803763
[2] https://blog.compass-security.com/2024/10/com-cross-session-activation/