Summary
The report formatting dialog can be used to open a shell with system privileges on secure screens.
This means an unauthenticated user can execute arbitrary code with system privileges.
Patch commit(s)
9823556
Limitations
None
Technical details
Proof of concept
- On the sign on screen or at a UAC prompt
- Use NVDA+control+v to open the voice settings dialog
- Press NVDA+f twice to open the formatting dialog
- Press ctrl+p to open the print dialog
- Select something that lets you print to a file (Microsoft Print to PDF will work)
- Open a shell from the file dialog
Indicators of compromise
Unknown
Workarounds
None
Timeline
- Reported late October 2022
- Fix released in 2022.3.2 in November 2022
For more information
If you have any questions or comments about this advisory: