Local Privilege Escalation in Cloudflare WARP Installer (Windows)
Description
Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for Windows (<= 2022.12.582.0) allowed a malicious attacker to forge the destination of the hardlink and escalate privileges, overwriting SYSTEM protected files. As Cloudflare WARP client for Windows (up to version 2022.5.309.0) allowed creation of mount points from its ProgramData folder, during installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Local privilege escalation in WARP Client installer via hardlink manipulation allows SYSTEM file overwrite.
Vulnerability
A privilege escalation vulnerability exists in the installer (MSI) of Cloudflare WARP Client for Windows versions up to and including 2022.12.582.0. During the repair process, the installer creates a hardlink in the ProgramData folder. An attacker can forge the destination of this hardlink, or (in versions up to 2022.5.309.0) create mount points from the same folder, to redirect the installer's file operations to arbitrary locations protected by SYSTEM [2].
Exploitation
To exploit this vulnerability, an attacker must already have local access to the Windows system. No additional authentication or user interaction is required beyond initiating the installer repair process. The attacker creates a hardlink or mount point in the ProgramData folder that points to a SYSTEM-protected file. When the installer repair runs, it follows the hardlink and overwrites the targeted system file with content controlled by the attacker [2].
Impact
A successful attack allows the attacker to overwrite arbitrary SYSTEM-protected files, leading to escalation of privileges from a local non-administrator context to SYSTEM. The attacker can replace critical system binaries or configuration files, potentially achieving persistent code execution at the highest privilege level [2].
Mitigation
Cloudflare released a fixed installer in WARP Client version 2023.3.381.0. Users should upgrade to this version or later and delete any older installer executables from their systems. The WARP Client itself is not vulnerable; only the installer binary is [2].
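A defender's check for the mitigation above, as an added example that is not part of the original page or of Cloudflare's tooling: it lists installed WARP versions from the uninstall registry keys and reads `ProductVersion` from leftover MSI files, flagging anything below 2023.3.381.0. The product name pattern and the Downloads search path are assumptions.

```powershell
# Added example (not from the advisory): find WARP installs and leftover MSI
# installers older than the fixed release named on this page.
$FixedVersion = [version]'2023.3.381.0'      # fixed version stated above
$NamePattern  = '*Cloudflare WARP*'          # assumption: product display name
$SearchGlob   = 'C:\Users\*\Downloads\*.msi' # assumption: where old installers linger

function Get-MsiProperty([string]$Path, [string]$Name) {
    # Read one value from an MSI's Property table via the Windows Installer COM API.
    try {
        $sql  = "SELECT Value FROM Property WHERE Property = '$Name'"
        $wi   = New-Object -ComObject WindowsInstaller.Installer
        $db   = $wi.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $wi, @($Path, 0))
        $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
        [void]$view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
        $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($rec) { $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1) }
    } catch { $null }   # unreadable or non-MSI file: treat as "no value"
}

function Get-Status([string]$VersionText) {
    # Compare as a four-part version, not as a string.
    $v = $null
    if (-not [version]::TryParse($VersionText, [ref]$v)) { return 'UNKNOWN' }
    if ($v -lt $FixedVersion) { 'OLDER_THAN_FIX' } else { 'OK' }
}

# Installed copies: 64-bit and 32-bit uninstall registry views.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern } |
    ForEach-Object {
        [pscustomobject]@{ Kind = 'Installed'; Item = $_.DisplayName
                           Version = $_.DisplayVersion; Status = Get-Status $_.DisplayVersion }
    }

# Leftover installer files that should be deleted once the fixed version is deployed.
$leftover = Get-ChildItem -Path $SearchGlob -File -ErrorAction SilentlyContinue |
    Where-Object { (Get-MsiProperty $_.FullName 'ProductName') -like $NamePattern } |
    ForEach-Object {
        $ver = Get-MsiProperty $_.FullName 'ProductVersion'
        [pscustomobject]@{ Kind = 'InstallerFile'; Item = $_.FullName
                           Version = $ver; Status = Get-Status $ver }
    }

@($installed) + @($leftover) | Format-Table -AutoSize
```

Run it from an elevated prompt so other users' profile folders are readable; rows marked `OLDER_THAN_FIX` are the ones to upgrade or delete.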
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=2022.12.582.0
- Cloudflare/WARP, v5, Range: 0
References (3)