Vulnerability Summary

Signal Desktop v1.29 on Windows is vulnerable to an elevation of privilege vulnerability. During the startup the application will execute the c:\node_modules\.bin\wmic.exe binary if it exists. By default on Windows, low privileged users have the privilege to create folders under root level drives. A low privileged user can create a malicious wmic.exe which will be executed every time Signal Desktop starts by any user of the system. The malicious binary is executed in the background without the users knowledge. This is an example of horizontal privilege escalation.

The vulnerability has been patched in v1.29.1 in commit 2da39c which was released 12/17/2019. Kudos to the Signal security team for fixing in less than two weeks! Unfortunately, at this time the they do not feel this warrants an advisory or CVE so the vulnerability was silently fixed. 12/24/2019 Update: Mitre assigned CVE-2019-19954

Steps To Reproduce

In a cmd window

mkdir c:\node_modules\.bin
copy c:\windows\system32\calc.exe c:\node_modules\.bin\wmic.exe

Now any user that opens Signal, the Windows calculator will be popped.

PoC

Timeline

• 2019-12-05: Report sent to Signal security team
• 2019-12-11: Reached out to Signal to verify report was received
• 2019-12-16: Signal acknowledges report
• 2019-12-17: Signal v1.29.1 released
• 2019-12-18: Published this blog post
• 2019-12-24: MITRE assigned CVE-2019-19954

References

• Commit: 2da39c
• Vulnerable version: https://updates.signal.org/desktop/signal-desktop-win-1.29.0.exe