Foxit PDF Editor Installation Uncontrolled Search Path Privilege Escalation Vulnerability
2025-12-19 00:0:1 Author: talosintelligence.com

SUMMARY

A privilege escalation vulnerability exists during the installation of Foxit PDF Editor via the Microsoft Store. A low-privilege user can replace files during the installation process, which may result in unintended elevation of privileges.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit PDF Editor 2025.2.0.33046

PRODUCT URLS

Foxit PDF Editor - https://www.foxit.com/pdf-editor/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-427 - Uncontrolled Search Path Element

DETAILS

Foxit PDF Editor is a lightweight and easy-to-use program for working with PDF files. It allows opening, reading, and editing PDFs. Text, images, and comments can be added, as well as highlighting or marking up important information in a PDF. It can also combine multiple files into one PDF, split a large PDF into smaller parts, and protect documents with passwords. Foxit PDF Editor is an all-in-one PDF solution built for business.

Foxit PDF Editor is vulnerable to a privilege escalation issue when installed via the Microsoft Store application. When a user attempts to install Foxit PDF Editor, the following events occur in the background:

  • WindowsPackageManagerServer.exe downloads and runs FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe.

     8:06:52.1846888 AM	WindowsPackageManagerServer.exe	5084	CreateFile	C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a	NAME NOT FOUND	Medium
    
     [..]
     8:09:18.9276165 AM	WindowsPackageManagerServer.exe	5084	SetRenameInformationFile	C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\bcf4a9a5fb30716b9fedee7afd36e062b7eb50ec02bf0239d41717fae12f4627	ReplaceIfExists: True, FileName: C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe	SUCCESS	Medium
    
  • FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe exits if launched with Medium Integrity privileges.
  • WindowsPackageManagerServer.exe attempts to launch the executable as a High Integrity process. Once permission is granted, the new FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe process runs with High Integrity privileges.

      8:09:54.0428068 AM	WindowsPackageManagerServer.exe	5084	Process Create	C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe	PID: 6644, Command line: "C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe" /quiet	SUCCESS	Medium
      8:09:54.0429218 AM	FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe	6644	Process Start		Parent PID: 5084, Command line: "C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe" /quiet, Current directory: C:\Windows\system32\, Environment: [...]
      8:09:54.0429389 AM	FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe	6644	Thread Create		Thread ID: 8308	SUCCESS	High
    
  • This elevated process runs msiexec.exe with High Integrity to complete the installation of the application.

      8:10:11.3724098 AM	FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe	6644	CreateFile	C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\msiexec.exe	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a	NAME NOT FOUND	High
    

The vulnerability exists because the executable image search is not restricted to trusted paths. In this case %TEMP%\WinGet\<Random>.<Version> is writable by a standard user. An attacker with user privileges can exploit this by placing a malicious file named msiexec.exe in that folder. When the installer attempts to run msiexec.exe, it will execute the attacker-controlled file instead, with High Integrity privilege.

8:52:07.9945181 AM	C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\msiexec.exe	msiexec.exe	9876	Process Start		SUCCESS	Parent PID: 7652, Command line: msiexec /i "C:\ProgramData\Package Cache\{CA7B7BF5-754E-11F0-B87B-54BF64A63C26}v2025.2.0.33046\Setup.msi" /qn /norestart  ASSTBALL_SHOW=1 DESKTOP_SHORTCUT=1 WIN8TILE=1 EXE_INSTALL=1 PACKAGENAMEUID="FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe" NO_CACHE_PACKAGE=1, Current directory: C:\Windows\system32\, Environment: [..]

8:52:07.9945319 AM	C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\msiexec.exe	msiexec.exe	9876	Thread Create		SUCCESS	Thread ID: 3888	High

8:52:08.0198070 AM	C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\msiexec.exe	msiexec.exe	9876	Load Image	C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\msiexec.exe	SUCCESS	Image Base: 0x7ff625c30000, Image Size: 0x2b000	High

In this case, the exploit registers a service that escalates privileges from High Integrity to System.
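
One way to detect the condition shown in the trace above, added here as an example and not code from the Talos report or from Foxit: it merges Procmon-style rows per PID and flags a watched system binary name, such as msiexec.exe, whose image sits outside System32 or SysWOW64. The trusted directories, the watch list, the function names and the third sample row are assumptions; the first two sample rows are abridged from the trace above.

```python
import ntpath

# Assumed defaults for a standard install on C:, and an assumed watch list
# of system binaries that installers commonly launch by bare name.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_NAMES = {"msiexec.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
INTEGRITY_LEVELS = {"Low", "Medium", "High", "System"}

def parse_row(line):
    """Parse a tab-separated row: time, image path, name, PID, operation, ..."""
    cols = line.rstrip("\r\n").split("\t")
    if len(cols) < 5 or not cols[3].isdigit():
        return None
    # The integrity column is absent on some rows (e.g. Process Start).
    integrity = cols[-1] if cols[-1] in INTEGRITY_LEVELS else None
    return {"time": cols[0], "image": cols[1], "pid": int(cols[3]),
            "op": cols[4], "integrity": integrity}

def runs_from_untrusted_dir(image):
    """True when a watched system binary name lives outside the system dirs."""
    directory, name = ntpath.split(ntpath.normpath(image).lower())
    return name in SYSTEM_NAMES and directory not in TRUSTED_DIRS

def find_planted_binaries(lines):
    """Merge rows per PID, then report processes whose image is suspicious."""
    procs = {}
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        proc = procs.setdefault(row["pid"], {"image": row["image"],
                                             "first_seen": row["time"],
                                             "integrity": None})
        if row["integrity"]:
            proc["integrity"] = row["integrity"]
    return [{"pid": pid, **proc} for pid, proc in sorted(procs.items())
            if runs_from_untrusted_dir(proc["image"])]

# Rows 1-2 are abridged from the trace above; row 3 is constructed (benign).
D = r"C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046"
SAMPLE = [
    f"8:52:07.9945181 AM\t{D}\\msiexec.exe\tmsiexec.exe\t9876\tProcess Start\t\tSUCCESS\tParent PID: 7652",
    f"8:52:07.9945319 AM\t{D}\\msiexec.exe\tmsiexec.exe\t9876\tThread Create\t\tSUCCESS\tThread ID: 3888\tHigh",
    "8:53:10.0000000 AM\tC:\\Windows\\System32\\msiexec.exe\tmsiexec.exe\t4321\tThread Create\t\tSUCCESS\tThread ID: 100\tHigh",
]

if __name__ == "__main__":
    for hit in find_planted_binaries(SAMPLE):
        print(hit)
```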

TIMELINE

2025-09-23 - Vendor Disclosure
2025-12-19 - Vendor Patch Release
2025-12-19 - Public Release

Discovered by KPC of Cisco Talos.


Source: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2275