{"vuid":"VU#208577","idnumber":"208577","name":"Chocolatey Boxstarter is vulnerable to privilege escalation due to weak ACLs","keywords":null,"overview":"### Overview\r\nChocolatey Boxstarter fails to properly set ACLs, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges.\r\n\r\n### Description\r\n**CVE-2020-15264**\r\n\r\nThe Chocolatey Boxstarter installer fails to set a secure access-control list (ACL) on the `C:\\ProgramData\\Boxstarter` directory, which is added to the system-wide PATH environment variable. This introduces a privilege escalation vulnerability, since any location in the system-wide PATH environment variable may be used to load code that runs with privileges.\r\n\r\n### Impact\r\nBy placing a specially-crafted DLL file in the `C:\\ProgramData\\Boxstarter` directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Boxstarter software installed. See [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001/) for more details.\r\n\r\n### Solution\r\n#### Apply an update\r\n\r\nThis vulnerability is addressed in Chocolatey Boxstarter version 2.13.0. 
Please see the [security advisory](https://github.com/chocolatey/boxstarter/security/advisories/GHSA-rpgx-h675-r3jf) for more details.\r\n\r\n### Acknowledgements\r\nThis vulnerability was reported by Will Dormann of the CERT/CC.\r\n\r\nThis document was written by Will Dormann.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://github.com/chocolatey/boxstarter/security/advisories/GHSA-rpgx-h675-r3jf","https://attack.mitre.org/techniques/T1574/001/"],"cveids":["CVE-2020-15264"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2020-10-22T15:46:39.762322Z","publicdate":"2020-10-20T00:00:00Z","datefirstpublished":"2020-10-22T15:46:39.777274Z","dateupdated":"2020-11-09T21:30:42.466057Z","revision":2,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":29}