This flaw allows an attacker, in the form of a privileged user to create a malicious wmic.exe which will be executed every time Signal Desktop starts by any user of the system
Jukebox 25 Dec 2019 0
Securityresearcher and penetrationtester, Rich Mirch, recently discovered a vulnerability in an update released by Signal for Windows on December 17th, 2019. On his personal blog he wrote,
Signal desktop v1.29 on windows is vulnerable to an elevation of privilege vulnerability. During the startup the application will execute the c:\node_modules\.bin\wmic.exe binary if it exists. By default on Windows, low privileged users have the privilege to create folders under root level drives. A low privileged user can create a malicious wmic.exe which will be executed every time Signal Desktop starts by any user of the system. The malicious binary is executed in the background without the users knowledge. This is an example of horizontal privilege escalation.
He then went on to state:
The vulnerability has been patched in v1.29.1 in commit 2da39c which was released 12/17/2019. Kudos to the signal security team for fixing in less than two weeks! Unfortunately, at the same time they do not feel this warrants an advisory or CVE so the vulnerability was silently fixed.
This is not the first time the Signal application has faced challenges in terms of exploits and vulnerabilities, however for a company that touts the privacy horn as part of their operations, there have been many flaws that potentially open up users to code-injection attacks, exposing them to malware and many others.
Usually these issues are handled with an advisory and a patch to render the flaw useless, however since this was brought to the attention of the leaders and technical personnel of Signal, there is yet some intervention to be made, though they have been known to be timely in sorting these issues in the past.
Some security researchers however, believe and have shared the sentiment that rolling out patches alone without informing users of the possible risk they have been exposed to is shady behavior and Signal needs to be more accountable to their user base.
We hope to update soon if there’s any additional information from the developers of Signal themselves concerning this flaw.