- Test Studio - Windows installer component v18 (and older)
In Telerik Test Studio versions v2023.3.1115 and older, it is possible for a bad actor, who already has preexisting access to the Windows user’s local account, to gain elevated permissions using the legacy installer.
During initial installation of Test Studio, the user must always approve the UAC prompt for the installer to obtain elevated permissions to complete the installation. However, if the product has already been installed, the installer could be abused to execute commands at a higher privilege than the current user.
Update Test Studio to the latest version, v2023.3.1330 (or later). Installing the update will replace the legacy installer, removing the avenue of attack.
- We would like to thank the Lockheed Martin Red Team for their professionalism, completeness, and responsible disclosure.
- This issue does not affect Test Studio itself; it is specific to the Windows installer only.
- This does not affect other avenues of installation; NuGet packages, manual installation, or loose DLLs.
- Viability: In order to perform this attack, it is required that:
- The attacker must already have gained access to your system via some other method.
- The product must have been installed using the legacy Windows installer.
In Test Studio versions prior to v2023.3.1330, a privilege elevation vulnerability has been identified in the applications installer component. In an environment where an existing Test Studio install is present, a lower privileged user has the ability to manipulate the installation package to elevate their privileges on the underlying operating system.
Discoverer Credit: HackerOne - Lockheed Martin Red Team